Let's Encrypt to end OCSP support in 2025
Let's Encrypt will discontinue OCSP support in 2025 due to privacy and performance issues, transitioning to alternative solutions like CRLite, which may disrupt systems relying on OCSP for certificate validation.
Let's Encrypt, the largest Certificate Authority (CA) by certificates issued, has announced it will end support for the Online Certificate Status Protocol (OCSP) in 2025. OCSP lets a client ask the CA whether a given TLS certificate has been revoked, which is the mechanism meant to stop a compromised or mis-issued certificate from being trusted before it expires. Let's Encrypt cites three problems with OCSP: privacy, latency, and availability. When a browser fetches OCSP status, it contacts the CA's responder for each site it visits, which reveals the user's browsing activity to the CA. And because browsers soft-fail, when the responder is slow or unreachable they proceed as though the certificate were valid, so an attacker who can block the OCSP request can also defeat the revocation check.
Let's Encrypt's decision follows a history of attempts to improve OCSP. OCSP Stapling has the web server fetch the signed OCSP response itself and attach it to the TLS handshake, so the browser never contacts the CA; this fixes the privacy leak and most of the latency, but on its own it does nothing about soft-fail, so it does not add security. The announced timeline is: from January 30, 2025, certificate requests that ask for OCSP Must-Staple fail; on May 7, 2025, OCSP URLs are removed from newly issued certificates; on August 6, 2025, the OCSP responders are shut down entirely. The change is expected to ripple through the wider ecosystem, since many systems have depended on OCSP for over a decade. Let's Encrypt intends to redirect the resources to revocation mechanisms it considers more effective, such as CRLite, in which the browser vendor aggregates CAs' CRLs into a compact structure shipped to the client, so revocation can be checked locally without contacting the CA at connection time.
- Let's Encrypt will end OCSP support in 2025 due to privacy, performance, and availability issues.
- OCSP has been criticized for leaking user browsing data and failing to enhance security.
- The transition will involve specific deadlines for OCSP Must-Staple requests and URL removals.
- Let's Encrypt plans to focus on alternative revocation solutions like CRLite.
- The change may disrupt existing systems that have relied on OCSP for certificate validation.
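As an added example (not from the Let's Encrypt announcement or the article above), the following POSIX shell script uses the openssl CLI to audit a PEM certificate for the two things the timeline removes: an OCSP responder URL in the Authority Information Access extension and the TLS Feature (OCSP Must-Staple) extension. It generates two self-signed test certificates inline, constructed for this example only (the responder URL http://ocsp.example.test/ is hypothetical), and classifies each one.

```shell
#!/bin/sh
# Audit a certificate for OCSP dependence with the openssl CLI.
# Two self-signed test certificates are constructed below for the example;
# they are not real Let's Encrypt certificates.
set -e

WORK=$(mktemp -d)

# Certificate with an OCSP AIA URL (hypothetical responder) and OCSP Must-Staple.
cat > "$WORK/ocsp.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = ocsp-dependent.example.test
[v3]
subjectKeyIdentifier = hash
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
tlsfeature = status_request
EOF

# Certificate with neither, like a Let's Encrypt certificate issued after May 7, 2025.
cat > "$WORK/plain.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = no-ocsp.example.test
[v3]
subjectKeyIdentifier = hash
EOF

# gen_cert <config> <out.pem>: self-signed P-256 certificate valid for one day.
gen_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/key.pem" -out "$2" -days 1 -config "$1" >/dev/null 2>&1
}

# ocsp_dependence <cert.pem>: prints "ocsp_url=<yes|no> must_staple=<yes|no>".
# -ocsp_uri prints the AIA OCSP URL(s) and nothing when there are none;
# the TLS Feature extension shows up as "X509v3 TLS Feature" in -text output.
ocsp_dependence() {
  cert="$1"
  if [ -n "$(openssl x509 -in "$cert" -noout -ocsp_uri)" ]; then u=yes; else u=no; fi
  if openssl x509 -in "$cert" -noout -text | grep -q 'TLS Feature'; then s=yes; else s=no; fi
  echo "ocsp_url=$u must_staple=$s"
}

gen_cert "$WORK/ocsp.cnf" "$WORK/ocsp.pem"
gen_cert "$WORK/plain.cnf" "$WORK/plain.pem"

ocsp_dependence "$WORK/ocsp.pem"    # ocsp_url=yes must_staple=yes
ocsp_dependence "$WORK/plain.pem"   # ocsp_url=no must_staple=no
```

Run `ocsp_dependence` over your own certificate files to find the ones that still carry an OCSP URL; the ones that also report `must_staple=yes` are the urgent cases, because once the responders are gone the server can no longer obtain a staple, and clients that enforce Must-Staple reject a certificate served without one. Reissuing against Let's Encrypt after May 7, 2025 produces a certificate with neither field.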
Related
Intent to End OCSP Service
Let's Encrypt will discontinue OCSP in favor of CRLs to enhance privacy. This change won't affect website visitors but may impact non-browser software. Users relying on OCSP are advised to prepare for the transition.
Apple memory holed its broken promise for an OCSP opt-out
Apple has not fulfilled its promise to provide an opt-out for OCSP checks in macOS, raising privacy concerns. Following macOS 14 Sonoma, it removed related documentation, prompting user skepticism.
Sysadmins rage over Apple's 'nightmarish' SSL/TLS cert lifespan cuts
Apple proposes reducing SSL/TLS certificate lifespans from 398 days to 45 days by 2027, aiming to enhance security, but system administrators are concerned about increased management workload and automation challenges.
Let's not Encrypt
The article critiques Let's Encrypt for creating a false sense of security, highlighting issues with certificate verification, automatic renewals, short validity, and concerns about its funding and long-term viability.
Short-Lived Certificates Coming to Let's Encrypt
Let's Encrypt will introduce six-day short-lived certificates next year to enhance TLS security by reducing key compromise exposure. The transition is expected to be seamless for subscribers due to automation.
Don't agree with this statement. It's only adding no security when the CA is down. In case a cert is revoked and the OCSP is up, it will be blocked.
But I understand their reasons to drop it.
We ended up on the following: Either you accept the fact that once signed, it has a life on its own until it expires, or the issuer becomes the single point of failure.
Another issue we dealt with was validating that the person doing the request with a JWT was the owner of the JWT, and not someone who stole it. A possible fix? Distribute private keys to clients, and have them sign the JWTs on the fly. How do you check for revoked private keys? Catch-22.