Source URL: https://scotthelme.co.uk/lets-encrypt-to-end-ocsp-support-in-2025/
Source: Hacker News
Title: Let’s Encrypt to end OCSP support in 2025
Summary: The text discusses the significant decision by Let’s Encrypt, the largest Certificate Authority (CA) globally, to discontinue support for the Online Certificate Status Protocol (OCSP) in 2025. It outlines the implications of this move, including concerns around privacy, performance, and reliability of OCSP, while introducing the CRLite system as a potential alternative for revocation checking. This decision marks a pivotal change in SSL/TLS certificate management that could affect website security practices across the internet.
Detailed Description:
– **Let’s Encrypt Announcement**: In December 2024, Let’s Encrypt declared it would end OCSP service support in 2025, having initially announced this intent in July 2024. Given Let’s Encrypt’s market share, this is expected to have far-reaching effects on the broader ecosystem.
– **What is OCSP?**:
  – OCSP lets a client ask the issuing Certificate Authority (CA) whether a given SSL/TLS certificate has been revoked.
  – Revocation is needed when, for example, a private key is compromised, since an attacker holding that key could otherwise impersonate the legitimate site.
– **Problems with OCSP**:
  – **Privacy Concerns**: Querying the CA reveals which sites a user is visiting to the CA, compromising user privacy.
  – **Performance Issues**: The OCSP check adds network round trips before the connection can be established, delaying page loads.
  – **Reliability Concerns**: If the OCSP Responder is unreachable, clients typically ignore the check and proceed anyway (a ‘soft fail’), which greatly reduces the value of OCSP.
– **Historical Context**:
  – The text highlights past attempts to improve OCSP, including OCSP Stapling, which mitigates some of the privacy and performance issues but does not address the fundamental challenges.
– **Future of Revocation Checking**:
  – The document mentions the introduction of CRLite, a new mechanism built on Bloom Filters, as a way to address the drawbacks of OCSP:
    – Solves the size problem of Certificate Revocation Lists (CRLs).
    – Tackles the privacy problems inherent to OCSP.
    – Removes the performance cost of online checks.
    – Avoids creating a single point of failure.
    – Rectifies the ‘soft fail’ approach prevalent in existing systems.
– **Implications of Changes**:
  – The discontinuation of OCSP could lead to unexpected side effects given its long-standing role in certificate management.
  – Reliance on OCSP has been high, and with its removal there are potential ramifications for existing practices and expectations within the industry.
– **Financial Context for Certificate Authorities**:
  – The article notes the significant volume of OCSP requests Let’s Encrypt handles each week, amounting to billions of CDN and origin hits, and highlights the cost concerns this raises for a non-profit CA reliant on sponsorships.
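To make the CRLite idea under “Future of Revocation Checking” concrete, here is an added illustration (not code from the article or from the CRLite project) of a Bloom filter cascade: level 0 holds the revoked set, and each further level holds only the false positives the previous level produced, so a client can answer “revoked or not” offline without ever contacting the CA. The hashing scheme, filter sizing and the sample serials are constructed for the example and do not match CRLite’s real on-disk format.

```python
import hashlib

class Bloom:
    """Minimal Bloom filter over bytes keys. The hashing (SHA-256 salted with
    the cascade level and hash index) is a constructed scheme for this example."""
    def __init__(self, m_bits, k, level):
        self.m, self.k, self.level = m_bits, k, level
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, key):
        for i in range(self.k):
            h = hashlib.sha256(bytes([self.level, i]) + key).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, key):
        for p in self._positions(key):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, key):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(key))

def build_cascade(revoked, valid, bits_per_entry=8, k=3, max_levels=32):
    """Level 0 holds the revoked set; each later level holds only the false
    positives the previous level produced on the other set, until none remain."""
    filters, include, exclude = [], set(revoked), set(valid)
    while include:
        if len(filters) >= max_levels:
            raise RuntimeError("cascade failed to converge")
        f = Bloom(max(64, bits_per_entry * len(include)), k, len(filters))
        for key in include:
            f.add(key)
        filters.append(f)
        # Every 'include' member passes f, so the next level only has to
        # separate out the 'exclude' members that wrongly pass it too.
        include, exclude = {x for x in exclude if x in f}, include
    return filters

def is_revoked(filters, key):
    """Query the cascade. Correct only for certificates enumerated at build
    time; a cert outside that set must be treated as 'unknown', not 'valid'."""
    for depth, f in enumerate(filters):
        if key not in f:
            # Missing at an even level proves 'valid'; at an odd level 'revoked'.
            return depth % 2 == 1
    return len(filters) % 2 == 1  # passed every level: in the last include set

# Constructed sample data: serial strings stand in for (issuer, serial) pairs.
REVOKED = {b"serial-%04d" % i for i in range(0, 10)}
VALID = {b"serial-%04d" % i for i in range(10, 500)}
CASCADE = build_cascade(REVOKED, VALID)
```

Because the cascade is built against the full set of known-unrevoked certificates, lookups for any certificate in that set are exact; the privacy and performance gains come from shipping this small structure to clients instead of having each client query the CA.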
Ultimately, the shift away from OCSP toward a potential framework like CRLite signals a necessary evolution in certificate validation mechanisms, prompting security and compliance professionals to re-evaluate their SSL/TLS practices in light of these changes. It emphasizes a move toward enhanced privacy and performance, aligning with broader trends in the cybersecurity landscape.