#ocsp

2025-12-08

So, apparently, Let's Encrypt is dropping #OCSP and moving to old-fashioned #CRL as the only way to notify everyone when a certificate is revoked.

letsencrypt.org/2024/12/05/end

I'm pleased with this turn of events. CRL is much simpler than OCSP, and also doesn't have OCSP's privacy and reliability issues.

But of course CRL has the same old problem: CRLs are big! Fortunately, modern computers have huge storage, and CRLs can be incrementally updated. blog.mozilla.org/security/2020

#cybersecurity #infosec

Paul F. Temple, Esq. pft@infosec.exchange
2025-11-19

I totally missed the memo that #letsencrypt disabled #OCSP:

letsencrypt.org/2024/12/05/end

And I see that there has been a #cabforum ballot making OCSP optional with only one issuer opposing:

cabforum.org/2023/07/14/ballot

A terrible idea. And to make it worse, LE is distributing their #CRL over #cloudflare just as they did with their OCSP endpoints.

Jonathan Kamens 86 47 jik@federate.social
2025-09-01

Here's today's #TechIsShitDispatch. I missed posting yesterday, but I can assure you that there was shitty tech; I just didn't have time to post about it.
Today's thread features more #Synology bullshit, more #Framework bullshit, some #Hulu bullshit, some #Google bullshit, and some annoying #Thunderbird behavior which I think may be linked to #OCSP certificate validation.
🧵1/18

Michal 🇨🇿 michal@vltava.cloud
2025-06-30

If someone has warning messages in #Nginx logs about the #OCSP URL, here is the explanation from #LetsEncrypt

letsencrypt.org/2024/12/05/end

Chema Alonso :verified: chemaalonso@ioc.exchange
2025-06-16

El lado del mal - New edition of the Online Master's in Offensive Security from Campus Internacional de Seguridad 2025/2026 elladodelmal.com/2025/06/maste #master #formación #ciberseguridad #OCSP #OffensiveSecurity #hacking #RedTeam #pentesting #pentest

2025-05-08

New Kitten Release 🥳

To OCSP¹ or not to OCSP…

• Turns on OCSP support in the server only if the site’s certificate has the OCSP stapling extension.

This is to support both servers that still have OCSP stapling in their certs as well as new ones that don’t. (Let’s Encrypt sunset OCSP support yesterday and there is a transitionary period where Kitten servers will have both types of certificates. This update is to ensure we support both without issues.)

kitten.small-web.org

Also updated, if you’re interested in playing lower in the stack:

• @small-tech/https: codeberg.org/small-tech/https
• @small-tech/auto-encrypt: codeberg.org/small-tech/auto-e

Enjoy!
:kitten:💕

¹ Online Certificate Status Protocol (en.wikipedia.org/wiki/Online_C). Yes, I hate abbreviations too :)

#Kitten #SmallWeb #SmallTech #KittenRelease #TLS #OCSP #OCSPStapling #LetsEncrypt

Gea-Suan Lin gslin@abpe.org
2025-03-27

Let's Encrypt has added the CRL location to its certificates

Saw the announcement in "Adding CRL URLs to certificates": the CRL location has been added to the certificates: On March 12, 2025, Let’s Encrypt will start including CRL (Certificate Revocation List) URLs in certificates we issue, in addition to the OCSP URLs we already include. This is part of our previously announced changes to deprecate support for OCSP. CRLs and OCSP are two di…

blog.gslin.org/archives/2025/0

#authority #ca #certificate #crl #letsencrypt #ocsp #revoke #root #security

2025-02-08

New releases

• Kitten (rolling release)
• @small-tech/https version 5.3.2
• Auto Encrypt version 4.1.3

OCSP support has been reinstated in the server so existing sites with Let’s Encrypt certificates provisioned prior to the removal of the OCSP stapling requirement will not fail to load in Firefox.

Kitten servers in production will automatically update to this version in a few hours. You can also sign in to the Kitten settings page on your server and do a manual update to update Kitten immediately.

Thanks to @stefan and @s1r83r for bringing this to my attention. (mastodon.ar.al/@aral/113969540)

#Kitten #SmallWeb #SmallTech #AutoEncrypt #TLS #SSL #HTTPS #OCSP #LetsEncrypt #web #dev #NodeJS #JavaScript

2025-02-07

New Kitten release

• Upgrades to version 5.3.1 of @small-tech/https¹ which has version 4.1.2 of Auto Encrypt² that removes OCSP stapling (because Let’s Encrypt has removed OCSP support).

Please upgrade your Kitten as soon as possible or any new Kitten servers you try to set up will fail and any certificate renewals for existing servers will start to fail in May.

kitten.small-web.org

(To upgrade, run `kitten update`. Your production servers will update automatically.)

Enjoy!

:kitten:💕

¹ npmjs.com/package/@small-tech/
² npmjs.com/package/@small-tech/

#Kitten #SmallWeb #SmallTech #web #dev #TLS #HTTPS #AutoEncrypt #NodeJS #JavaScript #OCSP #LetsEncrypt

2025-02-05

#github seems to have just fallen out of favor with the #OCSP server of my unknown trust (baked into Librewolf/Firefox). Github's website has recently started being blocked here.

2025-02-04

So I guess Let’s Encrypt has decided what I’ll be working on today then…

letsencrypt.org/2024/12/05/end

(They’re ending OCSP stapling support. I’ll be updating Auto Encrypt¹ to remove OCSP support and then update @small-tech/https, which uses it, along with Auto Encrypt Localhost² to provide seamless TLS support regardless of whether you’re working in development or in production, and then update Site.js³ – deprecated but still used to serve some of our own sites at Small Technology Foundation⁴ – and Kitten⁵, with the latest @small-tech/https.)

¹ codeberg.org/small-tech/auto-e
² codeberg.org/small-tech/auto-e
³ codeberg.org/small-tech/https
⁴ small-tech.org
⁵ kitten.small-web.org

#SmallWeb #SmallTech #TLS #SSL #HTTPS #LetsEncrypt #OCSP #AutoEncrypt #AutoEncryptLocalhost #SiteJS #Kitten

Gea-Suan Lin gslin@abpe.org
2025-02-02

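The fading out of OCSP...

The article "The Slow Death of OCSP" from a few days ago talks about how OCSP is out of favor with browser vendors and is gradually fading from the stage...

Currently the browsers are all moving toward each consolidating the revocation lists (usually from the various CRLs) into a single file that the browser then downloads: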

Instead of user agents consuming the CRLs directly, major browser vendors (and, presumably, operating systems) maintain th

blog.gslin.org/archives/2025/0

#Browser #Computer #Murmuring #Network #Privacy #Security #Software #WWW #certificate #ocsp #online #privacy #protocol #security #status

GripNews GripNews
2025-01-30

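🌘 The slow death of OCSP
➤ The effect of time on OCSP: how will things develop from here?
feistyduck.com/newsletter/issu
OCSP has been much discussed recently: Let’s Encrypt's announcement that it will stop supporting the online certificate revocation checking service has implications for network security. To improve security, switching to short-lived certificates valid for only six days is recommended. OCSP's problems, including poor efficiency and security concerns, have led to its gradual decline.
+ What is interesting is how the evolution of technology will affect our network security.
+ Let us look forward to the emergence of a more effective and more secure certificate management system.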

Rainer "friendica" Sokoll rainer@friendica.sokoll.com
2025-01-28

Let's Encrypt and OCSP

An email just trickled in:

The certificates for the hostnames below (issued by the Let's Encrypt account associated with this email address) use a feature called "OCSP Must Staple." We are ending our support for that feature
(letsencrypt.org/2024/12/05/end…), along with our support for OCSP in general, and replacing it with Certificate Revocation Lists (letsencrypt.org/2022/09/07/new…).


And all these years I preached OCSP stapling and mocked the company-internal CA, which uses CRLs for "we've always done it this way" reasons…

#LetsEncrypt #ocsp

2025-01-02

I went to #38c3 and left my laptop unplugged. Its clock stopped and it thinks it's December 27.

Of course, web site certificates are invalid. But why do I get #OCSP errors in #Firefox when I clearly disabled OCSP querying?

> An error occurred during a connection to search.brave.com. The OCSP response is not yet valid (contains a date in the future).

Is this a data leak about domains I visit? I'd search for info but #Brave doesn't load :P

#privacy #tls #pki #security #web

I just had to deal with a weird outage on #yunohost

#nginx would no longer start because it could no longer resolve r11.o.lencr.org and r10.o.lencr.org for #OCSP stapling.

Anyway, I added the two appropriate lines to /etc/hosts.

It's quick&dirty, but for now it's running.

PSA: If you have any DigiCert OCSP/CRL IP addresses allowlisted: you will want to update your allowlist by January 10, because DigiCert has to move infrastructure:

docs.digicert.com/en/whats-new

knowledge.digicert.com/alerts/

#DigiCert #Thawte #OCSP #CRL
