The Mozilla Foundation recently announced on its official blog the deployment of the CRLite digital certificate revocation checking mechanism in Firefox, which has been fully integrated into Mozilla Firefox v137.0 without any reported issues in usage.
The OCSP (Online Certificate Status Protocol) has traditionally been the method by which Certificate Authorities (CAs) declare the status of a certificate. Each time a browser requests access to a website, it sends a query to the OCSP server to verify whether the certificate has been revoked. If revoked, the browser will return an error message, preventing users from continuing to an insecure site.
The advantage of this system lies in its ability to perform real-time checks, allowing browsers to immediately detect compromised certificates and block unsafe access. For instance, when Google’s digital certificate was once stolen and subsequently revoked at Google’s request, browsers relying on OCSP were able to prevent hijacking attempts by refusing connections to the invalid certificate.
However, OCSP also has drawbacks. Because every site visit triggers an OCSP query, it can expose users’ browsing habits: the CA can infer which websites are being visited from the incoming requests. Due to such privacy concerns, some CAs (including Let’s Encrypt) have already discussed discontinuing their OCSP services.
To mitigate both the performance and the privacy problems inherent to OCSP, the industry introduced the Certificate Revocation List (CRL) mechanism. Instead of issuing an online query for each connection, the browser keeps a locally cached copy of the revocation lists published by the CAs and checks certificate status against that copy.
This approach significantly improves efficiency, since the comparison is carried out offline, reducing latency and avoiding the per-site query that leaks browsing data. Users also benefit from faster page loads, as no additional OCSP request is needed for each connection.
Mozilla’s CRLite builds upon the CRL system by selectively compiling active revocation lists from all CAs, then distributing compressed updates to Firefox users every 12 hours. This means that when a certificate is revoked, the update will propagate to users within half a day at most.
While the complete dataset of revoked certificates amounts to nearly 300MB, requiring users to download that volume daily would be impractical. Instead, Firefox’s CRLite uses an optimized selection process, shrinking the data footprint to only about 300KB—balancing robust security with minimal impact on network performance.
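To show why CRLite's payload can be far smaller than a plain list of revoked serials, here is an added Python sketch of the Bloom-filter cascade idea that CRLite is built on; it is not Mozilla's code, and the serial numbers, filter sizes and hash construction are assumptions chosen for illustration.

```python
import hashlib


class BloomFilter:
    """Minimal Bloom filter: m bits, k positions from per-level salted SHA-256."""

    def __init__(self, m, k, salt):
        self.m, self.k, self.salt = m, k, salt
        self.bits = bytearray((m + 7) // 8)

    def _positions(self, item):
        for i in range(self.k):
            h = hashlib.sha256(bytes([self.salt, i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def build_cascade(revoked, valid, bits_per_item=16, k=4):
    """Level 0 encodes the revoked serials; each further level encodes only the
    serials of the *other* set that the previous level wrongly accepts, until no
    false positives remain. Exact only for serials in revoked | valid, which is
    why CRLite takes its universe of known certificates from CT logs."""
    levels, include, exclude = [], set(revoked), set(valid)
    for depth in range(32):  # guard against pathological non-convergence
        if not include:
            return levels
        f = BloomFilter(max(64, bits_per_item * len(include)), k, salt=depth)
        for item in include:
            f.add(item)
        levels.append(f)
        include, exclude = {x for x in exclude if x in f}, include
    raise RuntimeError("cascade did not converge; raise bits_per_item")


def is_revoked(levels, serial):
    """A miss at level i settles the answer (even levels hold revoked serials,
    odd ones valid); a hit at the last level means it was in that level's set."""
    for i, f in enumerate(levels):
        if serial not in f:
            return i % 2 == 1
    return len(levels) % 2 == 1


# Constructed sample universe (not real serials): 40 revoked, 3960 still valid.
REVOKED = {b"serial-%05d" % n for n in range(40)}
VALID = {b"serial-%05d" % n for n in range(40, 4000)}
CASCADE = build_cascade(REVOKED, VALID)
```

Summing `len(f.bits)` over the cascade gives the bytes a client would download, which is well under the size of the 40 raw serials, and the answer is exact for every certificate in the known universe.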
Following the deployment of CRLite, Mozilla announced that beginning with Firefox v142.0, the browser will disable OCSP checks for domain validation certificates entirely. From that version onward, Firefox will rely exclusively on CRLite for certificate revocation verification, no longer transmitting requests to OCSP servers.
This change is not expected to negatively impact websites, but enterprise IT administrators are advised to install and test Firefox v142.0+ Beta in advance to ensure their digital certificates continue to function seamlessly under the new system.