The Slow Death of OCSP

Written by Ivan Ristić at Feisty Duck

Everybody is talking about OCSP now because, just last month, at the end of 2024, Let’s Encrypt announced it was going to stop supporting online certificate revocation checking. Beginning in early May 2025, there will no longer be any OCSP revocation information in Let’s Encrypt’s certificates. Once all its earlier certificates expire, Let’s Encrypt will shut down its OCSP servers.

Let’s Encrypt’s reasoning is sound. As it stands today, OCSP is not making anyone more secure. Browsers are either not checking it or are implementing it in a way that provides no security benefits. As a result, OCSP is just costing Let’s Encrypt good money in personnel and infrastructure costs. How much money? Let’s Encrypt hasn’t disclosed the actual costs, but its executive director did share with Scott Helme that Let’s Encrypt was servicing about twelve billion OCSP requests daily (about 140,000 every second).

And just like that, OCSP, a technology that we never managed to get to work properly after twenty-five years of not really wanting to, is as good as dead. Not all is lost, though. If you want better security, switch to short-lived certificates of only six days (!), which Let’s Encrypt will start to offer later in 2025.