The Online Certificate Status Protocol (OCSP) is basically dead now

July 24, 2024

The (web) TLS news of the time interval is that Let's Encrypt intends to stop doing OCSP more or less as soon as Microsoft will let them. Microsoft matters because they are apparently the last remaining major group that requires Certificate Authorities to support OCSP in order for the CA's TLS root certificates to be supported. This is functionally the death declaration for OCSP, including OCSP stapling.

(The major '(TLS) root programs' are all associated with browsers and major operating systems; Microsoft for Windows and Edge, Apple for macOS, iOS, and Safari, Google for Chrome and Android, and Mozilla for Firefox and basically everyone else.)

Let's Encrypt is only one TLS Certificate Authority so in theory other CAs could keep on providing OCSP. However, LE is the dominant TLS CA, responsible for issuing a very large number of the active TLS certificates, plus CAs don't like doing OCSP anyway because it takes a bunch of resources (since you have to be prepared for a lot of browsers and devices to ask you for the status of things). Also, as a practical matter OCSP has been mostly dead for a long time because Chrome hasn't supported OCSP for years, which means that only a small amount of traffic will be affected by the OCSP status of TLS certificates used for the web (which has periodically led to OCSP breaking and causing problems for people using browsers that do check, like Firefox; I've disabled OCSP in my Firefox profiles for years).

I suspect that Let's Encrypt's timeline of three to six months after Microsoft allows them to stop doing OCSP is better understood as 'one to two Let's Encrypt certificate rollovers', since all of LE's certificates are issued for 90 days. I also suspect that people will have enough problems with web servers (and perhaps client programs) that it will wind up being more toward the six month side.

Personally, I'm glad that OCSP is finally and definitely dying, and not just because I haven't had good experiences with it myself (as a Firefox user; as a website operator we never tried to add OCSP stapling). Regardless of its technical design, OCSP as an idea and a protocol is something that doesn't fit well into the modern Internet and how we understand the political issues involved with Internet-scale things (like how much they cost and who pays for them, what information they leak, what the consequences of an outage are, how much they require changes to slow-moving server software, and so on).

Comments on this page:

By r bridges at 2024-07-25 11:22:24:

It's not surprising that TLS clients won't be making OCSP requests in the future. People thought that was a terrible idea from the beginning, for privacy reasons and non-scalability among other things, and many clients never even implemented it.

It may seem a little strange that stapling, which didn't suffer from those obvious problems, is also going away. The comments on the Hacker News story have some detail from people involved with Let's Encrypt. Basically, with upward of 200 million active certificates, the back-end work to sign that many responses every few days (OCSP response lifetime generally being a week) is more significant than handling the clients, who'd essentially be fetching static data. Although Let's Encrypt already plans to issue less-than-90-day certificates, which seems even more involved than OCSP: every new certificate needs to be added to the issuer's database and the public certificate-transparency logs.

What's really surprising is that certificate revocation lists (CRLs) are slated to be the replacement. Firefox deprecated those a decade ago, and I think most software never implemented them. It'd be annoying to wget a several-kilobyte file and have to wait for megabytes of CRL data first, for example, and we've already seen instances in which certificate authorities decided against revocation because the risk wasn't worth bloating their CRLs. And, yet, CRLs are apparently coming back, with no improvements whatsoever.

I'm kind of baffled by this. Obviously, each program fetching CRLs itself is duplicative and inconvenient. Particularly with programs too sandboxed to store them anywhere, or that run infrequently enough (like my "banking" browser profiles) that they'd always have outdated data. There probably should've been some years of warning that CRLs would return, during which maybe someone could've written a system/network service to fetch the lists and run an OCSP-like service for their TLS clients to check.

By seankhliao at 2024-07-30 17:24:45:

I think the main innovation has been the browser summarized CRLs as CRLite or CRLSets: https://letsencrypt.org/2022/09/07/new-life-for-crls.html#browser-summarized-crls

Presumably other programs would pull the same summarized CRLs, or the OS would share one like it shares the CA trust store.

By r bridges at 2024-07-31 00:18:54:

seankhliao, thanks for the links, but...

Presumably other programs would pull the same summarized CRLs

Reducing the amount of data mitigates one problem, but leaves many others. If nothing else, most programs don't have code to update or use CRLs of any kind, which makes this a rather optimistic presumption.

While a library could theoretically do this "behind the scenes", it's kind of problematic to have libraries unexpectedly spawning threads, making network connections, and updating shared databases; and it runs into similar problems as un-stapled OCSP, like "what if the certificate looks valid but we couldn't fetch the latest CRL?"

The linked page mentions that Firefox might be pushing updates every 6 hours, but doesn't address that last question. What if I turn my computer off on Friday, then come back on Monday and start making HTTPS connections? Should they be blocked till the weekend's CRL updates have come in? Probably everyone would hate that, but it'd be an obvious security hole to not do it. The nice thing about OCSP stapling was that we'd "automatically" get recent lack-of-revocation confirmation, specific to each connection we initiated.

or the OS would share one like it shares the CA trust store.

It'd have to be updated daily to get the same benefit as OCSP. It could be done, but I don't know of any plan to do it, nor any OS package that updates with such frequency.

The shrunken lists seem like more of an idea than a plan, and the wording of "One possible solution that has been making headway recently" is consistent with that.

Written on 24 July 2024.
« Seeing and matching pf rules when using tcpdump on OpenBSD's pflog interface
How I almost set up a recursive syslog server »

These are my WanderingThoughts
(About the blog)

Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.
Mastodon: @cks
Twitter @thatcks

* * *

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web
Also: (Sub)topics

This is a DWiki.
GettingAround
(Help)

Search:
Page tools: View Source, View Normal.
Search:
Login: Password:
Last modified: Wed Jul 24 23:16:16 2024
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.