Internet Explorer normally warns you if the server you visit has any certificate issues.
One thing that IE does not warn you about, however, is when the CRL is unavailable. Note that this doesn’t mean that the certificate is revoked, only that you do not know whether it is.
This means that someone could trick you into trusting a revoked certificate by preventing your access to the CRL (by tricking the client into looking in the wrong place or by some sort of denial of service). Faking the CRL is not feasible, since it is signed with the issuing CA's private key.
This warning actually did exist in earlier versions of Internet Explorer but was removed in version 7. Since the inability to reach the CRL does not necessarily mean that the certificate has been revoked, many users complained that these notifications were mostly “false positives”, so the warning was removed from the UI.
If you want to, you can use the FEATURE_WARN_ON_SEC_CERT_REV_FAILED setting to re-enable this warning in IE 7 and higher.
To enable this feature using the registry, add the name of the Internet Explorer executable file to the following setting (you might also need to create the key named FEATURE_WARN_ON_SEC_CERT_REV_FAILED):
HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
iexplore.exe = (DWORD) 00000001
The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000. If you run a 64-bit system you need to make the change here: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED
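The registry change described above, as an added PowerShell example that is not part of the original post. It uses the 64-bit key path quoted on this page as its default, assumes an elevated PowerShell session (needed to write under HKEY_LOCAL_MACHINE), and its parameter names are hypothetical.

```powershell
# Added example (not from the original post): enable the revocation-failure
# warning for one executable and read the value back to confirm it.
# Assumption: the default key path is the 64-bit path quoted on this page;
# pass -KeyPath to target a different hive or registry view.
param(
    [string]$KeyPath    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED',
    [string]$Executable = 'iexplore.exe',
    [switch]$Disable    # write 0 instead of 1
)

$desired = if ($Disable) { 0 } else { 1 }

# The FEATURE_WARN_ON_SEC_CERT_REV_FAILED key may not exist yet.
# Only create it when it is missing, so existing values under it are kept.
if (-not (Test-Path -LiteralPath $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Record the current value (if any) so the change shows up in the output.
$before = (Get-ItemProperty -LiteralPath $KeyPath -Name $Executable -ErrorAction SilentlyContinue).$Executable

# Write the per-executable DWORD: 1 = feature enabled, 0 = feature disabled.
New-ItemProperty -LiteralPath $KeyPath -Name $Executable -PropertyType DWord -Value $desired -Force | Out-Null

# Read the value back rather than assuming the write succeeded.
$after = (Get-ItemProperty -LiteralPath $KeyPath -Name $Executable).$Executable

[pscustomobject]@{
    Key            = $KeyPath
    Name           = $Executable
    Before         = if ($null -eq $before) { '(not set)' } else { $before }
    After          = $after
    WarningEnabled = ($after -eq 1)
}
```

Restart Internet Explorer after running it so the browser reads the new value.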
The warning does not show a separate page as the other warnings do; instead, the warning is visible in the URL bar.
To simulate this CRL problem for google.se I added the DNS name of the CRL Distribution Point to the hosts file. I also added the OCSP path in the Authority Information Access:
I found these names here in the google.se certificate:
That’s it, please comment below if you have any questions and/or opinions!