Anyone on #GrapheneOS who could tell me if they see a revoked TLS certificate on this page in either Vanadium or Firefox?

On desktop it shows revoked, other Android user confirmed it shows revoked as well but on my GrapheneOS device the link is just working in both browsers, with and without private/incognito mode.

Update: Two people confirmed no error; one person on lobste.rs https://lobste.rs/s/k11wgv/difficulty_making_sure_your_website_is#c_ijjecc gets an error on a different Android OS.

https://revoked.yr.test-certs.letsencrypt.org/

@pl I just tried on both Fennec and Vanadium with GrapheneOS and no cert errors for me.

@markisherwood Thank you, appears to be just not supported then. Kinda good to know that there is a difference between Desktop and Android (or GrapheneOS).

I first mentioned this on lobste.rs and another person commented that they see an error on Android/Firefox.

https://lobste.rs/s/k11wgv/difficulty_making_sure_your_website_is#c_ijjecc


@pl @markisherwood Huh, so this is Firefox for Android freshly installed from Play Store. Basically the same behaviour as Focus...

This is Firefox 149.0.2 with Play Services 26.09.31 and GrapheneOS build 2026040801 on a Pixel 6a.

Happy to test anything else which might be helpful to look at, as this seems odd if others don't see it!

Edit: Sorry, I've replied to the wrong part of the thread here - meant to reply to my reply about Focus showing the error.

@projectgus @pl just tried Play Store Firefox on my GrapheneOS (no Play Services) and I do get the cert error too. Wonder if Fennec doesn't include the cert revocation list downloads.

@markisherwood @pl Yeah, interesting. Something like that makes sense to me, or possibly they're doing a deeper "de-Mozilla-ing" pass and falling back entirely to Android's system-level cert verification.

(Total speculation on my part, have not let myself get interested enough to go dig around in source code!)

@projectgus @pl I did find the following in Vanadium's feature list. So not sure why it shows it as valid.
"Nearly all remote services disabled by default or removed. Only connects to GrapheneOS servers by default. There are only 2 default services: component updates such as certificate authority and certificate revocation updates and DNS-over-HTTPS connectivity checks when enabled"

@markisherwood @pl Hmm, yeah. Vanadium does fine when the cert is revoked via OCSP i.e. https://revoked.grc.com/

And Let's Encrypt doesn't support OCSP at all since last year, meaning CRL revocations only.

There are a lot of old posts claiming that Chromium & WebView for Android don't support CRL revocation at all. I can't find any recent confirmation of whether that's still the case. But that would be a simple explanation.

A more nuanced possibility is that the cert's CRL URL is HTTP (true in this case and most cases) and is therefore being blocked by a no-cleartext policy at some layer. There's a description of that pattern in this (otherwise unrelated) comment https://github.com/rustls/rustls-platform-verifier/pull/179#issuecomment-2971944947

I'm now 100% procrastinating on going outside, so I'm going to go outside instead of either installing Chrome or reading Chromium source code. 😆
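An added example (not from anyone in the thread) showing the two things the discussion above turns on: a leaf certificate whose only revocation pointer is a cleartext `http://` CRL distribution point with no OCSP responder, and the verdict a client can reach only if it actually obtains and validates that CRL. It uses the `cryptography` library and constructs a throwaway CA, leaf and CRL in memory; the CRL URL and names are made up.

```python
# Added example: inspect a cert's revocation sources and check it against a CRL.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ExtensionOID, AuthorityInformationAccessOID

CRL_URL = "http://crl.example.test/r.crl"  # constructed; cleartext, like most real CDPs
now = datetime.datetime.now(datetime.timezone.utc)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_chain():
    """Return (ca_cert, leaf_cert, crl) where the CRL lists the leaf as revoked."""
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca = (x509.CertificateBuilder().subject_name(_name("Test CA")).issuer_name(_name("Test CA"))
          .public_key(ca_key.public_key()).serial_number(1).not_valid_before(now)
          .not_valid_after(now + datetime.timedelta(days=1))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    leaf = (x509.CertificateBuilder().subject_name(_name("revoked.example.test")).issuer_name(ca.subject)
            .public_key(leaf_key.public_key()).serial_number(0xC0FFEE).not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            # CRL distribution point only; no AIA/OCSP entry, mirroring the Let's Encrypt case
            .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
                [x509.UniformResourceIdentifier(CRL_URL)], None, None, None)]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject).last_update(now)
           .next_update(now + datetime.timedelta(days=1))
           .add_revoked_certificate(x509.RevokedCertificateBuilder()
                                    .serial_number(leaf.serial_number).revocation_date(now).build())
           .sign(ca_key, hashes.SHA256()))
    return ca, leaf, crl

def revocation_sources(cert):
    """What a client must fetch to learn revocation status, and whether any CRL URL is cleartext."""
    ocsp, crls = [], []
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
        ocsp = [d.access_location.value for d in aia if d.access_method == AuthorityInformationAccessOID.OCSP]
    except x509.ExtensionNotFound:
        pass
    try:
        cdp = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
        crls = [u.value for dp in cdp for u in (dp.full_name or []) if isinstance(u, x509.UniformResourceIdentifier)]
    except x509.ExtensionNotFound:
        pass
    return {"ocsp": ocsp, "crl": crls, "cleartext_crl": any(u.startswith("http://") for u in crls)}

def crl_verdict(cert, crl, ca):
    """'revoked' or 'good' from a CRL the CA signed; 'unknown' otherwise (a soft-failing client shows no error)."""
    if not crl.is_signature_valid(ca.public_key()):
        return "unknown"
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"
```

If the `http://` fetch never happens (blocked, or simply not implemented), the client never reaches the `revoked` branch, which is one way a revoked site can load without any warning.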
