Let's Encrypt Prepares the Internet for Change

Carding Forum

Professional
The non-profit organization Let's Encrypt has announced that it intends to discontinue support for the Online Certificate Status Protocol (OCSP) in favor of Certificate Revocation Lists (CRLs).

OCSP and CRLs are the two mechanisms certificate authorities (CAs) can use to publish information about revoked certificates. Let's Encrypt has provided OCSP since its launch almost a decade ago and added CRL support in 2022.

Let's Encrypt itself is a non-profit organization that issues free SSL/TLS certificates, which secure the connection between websites and their users. Its main goal is to make the Internet more secure and accessible by simplifying how site owners obtain and install certificates.

According to the organization's representatives, dropping OCSP will not affect websites or their visitors, but some non-browser software may run into problems.

The main reason for dropping OCSP is that the protocol poses a significant risk to online privacy. When someone visits a site using a browser or other software that checks certificate status via OCSP, the certificate authority learns which site is being visited and the user's IP address.

The problem is that even if Let's Encrypt does not store this information, other certificate authorities may be legally compelled to do so. With CRLs this problem does not arise: the client downloads a list of revoked certificates instead of asking the CA about one specific certificate. In addition, running the OCSP infrastructure consumes significant resources that could be devoted to other important tasks. Once CRL support was in place, the OCSP service simply became redundant.

In August 2023, the CA/Browser Forum (a consortium of certificate authorities and browser vendors) decided to make OCSP optional for publicly trusted certificate authorities such as Let's Encrypt. With the exception of Microsoft, root programs no longer require OCSP. Microsoft is also expected to make OCSP optional in the next six to twelve months. As soon as that happens, Let's Encrypt will announce a specific and fast schedule for disabling its OCSP services.

Let's Encrypt recommends that users who depend on OCSP begin moving off it as soon as possible. Those who use Let's Encrypt certificates for security purposes, such as on a VPN, need to make sure their software works correctly without OCSP. In general, most OCSP implementations are soft-fail: if no OCSP response comes back, the check is skipped rather than the connection being refused.

Let's Encrypt is part of the Internet Security Research Group (ISRG), an organization dedicated to improving Internet security. ISRG was founded to support projects that improve the privacy and protection of user data. Besides Let's Encrypt, it runs other initiatives, such as Prossimo and Divvi Up, aimed at improving the security and sustainability of Internet infrastructure.