| ▲ | oofbey 2 days ago |
| Sounds like letsencrypt is being quite premature by turning off OCSP. https://letsencrypt.org/2025/08/06/ocsp-service-has-reached-... Might be EOL in some theoretical sense, but by turning it off they're ignoring reality. I know some organizations think this is the way to push standards forward. But to me it seems pretty irresponsible. |
|
| ▲ | mholt a day ago | parent | next [-] |
| > Sounds like letsencrypt is being quite premature by turning off OCSP. Not really, since they now offer six-day certs, which makes revocation effectively irrelevant: https://letsencrypt.org/docs/profiles/#shortlived |
|
| ▲ | jsiepkes 2 days ago | parent | prev | next [-] |
| As far as I know OCSP isn't enabled by default in any browser. |
| |
| ▲ | chrismorgan 2 days ago | parent [-] | | It’s enabled in Firefox (pref security.OCSP.enabled defaults to 1¹), but not forced (pref security.OCSP.require defaults to false²). I believe Safari behaves the same way. —though I’m not sure how this fits in with https://hacks.mozilla.org/2025/08/crlite-fast-private-and-co... which said “we will be disabling OCSP for domain validated certificates in Firefox 142”. This is a stunningly fuzzy area where the true and accurate information is difficult to come by. —⁂— ¹ https://searchfox.org/firefox-main/source/modules/libpref/in.... Actually, on Android it defaults to 2, which skips OCSP on DV certificates, which is almost all these days. ² https://searchfox.org/firefox-main/source/modules/libpref/in... | | |
| ▲ | jsiepkes a day ago | parent [-] | | > “we will be disabling OCSP for domain validated certificates in Firefox 142”. This is a stunningly fuzzy area where the true and accurate information is difficult to come by. Doesn't seem all that fuzzy to me? Domain validated certificates are certificates where only domain name ownership is verified (like ACME does for Let's Encrypt). So it seems starting with Firefox 142 OCSP would be disabled by default for Let's Encrypt certificates. | | |
| ▲ | chrismorgan a day ago | parent [-] | | The pref defaults don’t match that narrative. The blog post could be wrong, the prefs could have been repurposed without being renamed, something else… and the whole thing is very difficult to inspect. |
|
|
|
|
| ▲ | usr1106 2 days ago | parent | prev | next [-] |
| Do all other major CAs offer OCSP? Are all major browsers performing the check? I vaguely remember Firefox doesn't. Not at my desk now to check it... Edit: I believe OCSP is tried, but silently ignored if there is no reponse quickly enough. |
| |
| ▲ | Ayesh 2 days ago | parent | next [-] | | Firefox has a a toggle `Query OCSP responder servers to confirm the current validity of certificates`, which is turned off by default. Edit: It seems to be enabled by default! I've been using Firefox for as long as I remember, and don't setup Firefox afresh frequently. | | | |
| ▲ | unit149 2 days ago | parent | prev [-] | | [dead] |
|
|
| ▲ | 2 days ago | parent | prev [-] |
| [deleted] |
