'Boiling the Frog' or How Online Certificate Status Protocol (OCSP) is Being Abandoned at Short Notice by Let's Encrypt
Remember which corporations control the 'Linux' Foundation and how they make money (at your expense).
Months ago:
Years ago: (killing many old devices, perhaps billions of them and thus constituting a crime against the planet, all in the name of fake "security")
This week:
-
Let's Encrypt ☛ Intent to End OCSP Service - Let's Encrypt
Today we are announcing our intent to end Online Certificate Status Protocol (OCSP) support in favor of Certificate Revocation Lists (CRLs) as soon as possible. OCSP and CRLs are both mechanisms by which CAs can communicate certificate revocation information, but CRLs have significant advantages over OCSP. Let’s Encrypt has been providing an OCSP responder since our launch nearly ten years ago. We added support for CRLs in 2022.
Websites and people who visit them will not be affected by this change, but some non-browser software might be.
-
University of Toronto ☛ The Online Certificate Status Protocol (OCSP) is basically dead now
The (web) TLS news of the time interval is that Let's Encrypt intends to stop doing OCSP more or less as soon as Microsoft will let them. Microsoft matters because they are apparently the last remaining major group that requires Certificate Authorities to support OCSP in order for the CA's TLS root certificates to be supported. This is functionally the death declaration for OCSP, including OCSP stapling.
-
Let's Encrypt plans to drop support for OCSP
Let's Encrypt has announced that it intends to end support "as soon as possible" for the Online Certificate Status Protocol (OCSP) over privacy concerns. OCSP was developed as a lighter-weight alternative to Certificate Revocation Lists (CRLs) that did not involve downloading the entire CRL in order to check whether a certificate was valid. Let's Encrypt will continue supporting OCSP as long as it is a requirement for Microsoft's Trusted Root Program, but hopes to discontinue it soon:

We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet. When someone visits a website using a browser or other software that checks for certificate revocation via OCSP, the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor's particular IP address. Even when a CA intentionally does not retain this information, as is the case with Let's Encrypt, CAs could be legally compelled to collect it. CRLs do not have this issue.

People using Let's Encrypt as their CA should, for the most part, not need to change their setups. All modern browsers support CRLs, so end-users shouldn't notice an impact either.
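Both quoted announcements say the change matters only to "non-browser software" that checks revocation; the operator-side question is which certificates and clients depend solely on the OCSP responder URL. The POSIX shell script below is an added example, not code from the original post or from Let's Encrypt: it uses the openssl command line to report which revocation pointers (AIA OCSP URL, CRL Distribution Point) a certificate carries. The sample certificates, hostnames and URLs are constructed, and it assumes OpenSSL 1.1.1 or later for the -addext and -ext options.

```shell
#!/bin/sh
# Audit which revocation pointers a certificate advertises. When an OCSP
# responder is switched off, a client that only honours the OCSP URL in the
# AIA extension and has no CRL fallback is the non-browser software at risk.

# Constructed sample: a self-signed throwaway cert carrying the same kind of
# revocation pointers a CA-issued leaf would (hostnames/URLs are made up).
# $1 = output path prefix, $2 = "both" or "crl-only"
make_sample_cert() {
  crl_ext="crlDistributionPoints=URI:http://crl.example.test/r1.crl"
  ocsp_ext="authorityInfoAccess=OCSP;URI:http://ocsp.example.test"
  if [ "$2" = "crl-only" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
      -days 1 -subj "/CN=sample.example.test" -addext "$crl_ext" >/dev/null 2>&1
  else
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
      -days 1 -subj "/CN=sample.example.test" -addext "$crl_ext" \
      -addext "$ocsp_ext" >/dev/null 2>&1
  fi
}

# OCSP responder URL(s) from the AIA extension, one per line (empty if none)
ocsp_uris() { openssl x509 -in "$1" -noout -ocsp_uri; }

# CRL URL(s) from the CRL Distribution Points extension, one per line
crl_urls() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
    | grep -o 'URI:[^[:space:]]*' | sed 's/^URI://' || true
}

# Classify a cert as: both | ocsp-only | crl-only | none
revocation_mode() {
  o=$(ocsp_uris "$1"); c=$(crl_urls "$1")
  if [ -n "$o" ] && [ -n "$c" ]; then echo both
  elif [ -n "$o" ]; then echo ocsp-only
  elif [ -n "$c" ]; then echo crl-only
  else echo none; fi
}

# Print a report for every PEM certificate given as an argument
audit() {
  for f in "$@"; do
    printf '%s: %s\n' "$f" "$(revocation_mode "$f")"
    ocsp_uris "$f" | sed 's/^/  OCSP: /'
    crl_urls "$f" | sed 's/^/  CRL:  /'
  done
}

[ "$#" -gt 0 ] && audit "$@"  # usage: sh audit.sh /path/to/*.pem
```

A certificate reported as "ocsp-only" is the one whose clients must already be checking via CRL or tolerating a missing responder before the OCSP service goes away.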
This isn't a lack of foresight but planned obsolescence. They sell that to us as "safety" and "security" (an old phone refusing to connect to a site can actually be a matter of life and death).