Thursday, January 23, 2025

Let’s Encrypt to End Support for Online Certificate Status Protocol (OCSP)


Let’s Encrypt has officially announced its timeline for ending support for the Online Certificate Status Protocol (OCSP).

The nonprofit Certificate Authority (CA) will stop including OCSP URLs in newly issued certificates in May 2025 and switch off its OCSP responders in August 2025, completing a move to Certificate Revocation Lists (CRLs). It cites the privacy cost of OCSP and the operational cost of running responders as the primary reasons for the change.

Phased Timeline for Transition

Let’s Encrypt published a three-step schedule to guide its users through the transition:

  • January 30, 2025: Certificate requests that include the OCSP Must-Staple extension will fail unless the ACME account has previously issued a certificate with that extension.
  • May 7, 2025: Newly issued certificates will no longer include OCSP URLs, and every request for the OCSP Must-Staple extension will fail regardless of account history. CRL URLs will already be present in certificates by this date.
  • August 6, 2025: Let’s Encrypt will switch off its OCSP responders entirely, ending its OCSP service.

The gap between May 7 and August 6 is just over the 90-day lifetime of a Let’s Encrypt certificate, so by the time the responders go dark no unexpired certificate should still point at them.


Why Shift to CRLs?

Let’s Encrypt emphasized that CRLs provide significant advantages over OCSP. A CRL is fetched as a whole and says nothing about which certificate the fetcher cares about, so revocation information can be distributed without linking an individual IP address to a specific website visit.

By contrast, an OCSP query names the certificate being checked, so a client that asks the CA’s responder in real time reveals which site it is visiting, and from which IP address, even if the CA never retains that data.

Legal obligations could also force a CA to start collecting or handing over such information; Let’s Encrypt seeks to remove that risk altogether by no longer receiving the queries in the first place.

The organization also highlighted operational benefits. Running the OCSP infrastructure for nearly a decade has consumed substantial engineering and serving resources.

Simplifying its infrastructure by dropping OCSP will allow Let’s Encrypt to focus on other areas of compliance and reliability.

The move is expected to have minimal impact on websites and browsers: browsers already consume CA CRLs through their own aggregated revocation mechanisms rather than querying OCSP responders live. However, non-browser software that checks revocation through the OCSP URL embedded in the certificate may require adjustments.

Let’s Encrypt advises developers and administrators who use its certificates outside the browser, for services like VPNs or other non-browser clients, to test now that their software accepts a certificate that carries a CRL Distribution Point but no OCSP URL, rather than discovering the problem when the URLs disappear in May.

Alongside its OCSP deprecation, Let’s Encrypt will also retire support for the OCSP Must-Staple extension.

This extension marks a certificate as requiring OCSP Stapling: a client that honours it refuses the TLS connection unless the server attaches a fresh OCSP response in the handshake, which avoids the privacy leak of a direct responder query. The feature never achieved broad support from browsers or web servers, and once there is no responder there is nothing left to staple.

The organization is urging users of OCSP Must-Staple to remove the option from their Automatic Certificate Management Environment (ACME) client configuration (for example Certbot’s --must-staple flag) ahead of the May 7, 2025 deadline, after which any request carrying the extension will be rejected.
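As an added example (not Let’s Encrypt’s code, nor any ACME client’s), the following Python script performs the check the two passages above ask for: it reads a DER-encoded certificate and reports whether it carries an OCSP URL, CRL Distribution Point URLs, and the Must-Staple (TLS Feature) extension, then flags the combinations that break during this transition. It uses only the standard library with a small hand-written DER walker. The sample certificate is a constructed fixture with placeholder key and signature bytes, and the example.test URLs are assumptions, not Let’s Encrypt endpoints.

```python
# Added example, not Let's Encrypt's code. OID byte values are the DER bodies of the
# RFC 5280 / RFC 7633 identifiers shown in the comments.
OID_AIA = bytes.fromhex("2b06010505070101")          # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_OCSP = bytes.fromhex("2b06010505073001")         # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
OID_CRL_DP = bytes.fromhex("551d1f")                 # 2.5.29.31 cRLDistributionPoints
OID_TLS_FEATURE = bytes.fromhex("2b06010505070118")  # 1.3.6.1.5.5.7.1.24 TLS Feature
STATUS_REQUEST = 5   # TLS Feature value that asserts OCSP Must-Staple
URI_TAG = 0x86       # GeneralName [6] uniformResourceIdentifier

def tlv(tag, body):  # DER-encode one tag-length-value (short or long-form length)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos=0):  # decode one TLV at pos -> (tag, body, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def children(body):  # all (tag, body) pairs directly inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def uris_in(body):  # every URI GeneralName at any depth (CRL DP nests it under two [0] tags)
    found = []
    for tag, val in children(body):
        if tag == URI_TAG:
            found.append(val.decode("ascii"))
        elif tag & 0x20:            # constructed: descend
            found.extend(uris_in(val))
    return found

def extensions(cert_der):  # OID bytes -> raw extnValue for every extension in the certificate
    tbs = children(read_tlv(cert_der)[1])[0][1]
    for tag, val in children(tbs):
        if tag == 0xA3:             # [3] EXPLICIT Extensions in TBSCertificate
            exts = {}
            for _, ext in children(children(val)[0][1]):
                parts = children(ext)   # OID, optional critical BOOLEAN, OCTET STRING
                exts[parts[0][1]] = parts[-1][1]
            return exts
    return {}

def revocation_info(cert_der):
    exts = extensions(cert_der)
    ocsp, crls, must_staple = [], [], False
    if OID_AIA in exts:             # SEQUENCE OF AccessDescription {method, location}
        for _, ad in children(read_tlv(exts[OID_AIA])[1]):
            (_, method), (ntag, nval) = children(ad)[:2]
            if method == OID_OCSP and ntag == URI_TAG:
                ocsp.append(nval.decode("ascii"))
    if OID_CRL_DP in exts:
        crls = uris_in(exts[OID_CRL_DP])
    if OID_TLS_FEATURE in exts:     # SEQUENCE OF INTEGER
        must_staple = any(int.from_bytes(v, "big") == STATUS_REQUEST
                          for _, v in children(read_tlv(exts[OID_TLS_FEATURE])[1]))
    return {"ocsp_urls": ocsp, "crl_urls": crls, "must_staple": must_staple}

def compatibility_warnings(info):  # which failure mode from the article applies
    w = []
    if info["must_staple"] and not info["ocsp_urls"]:
        w.append("must-staple-without-ocsp")   # nothing to staple; strict clients refuse
    if info["ocsp_urls"] and not info["crl_urls"]:
        w.append("ocsp-only")                  # checking breaks when the responder goes
    if not info["ocsp_urls"] and not info["crl_urls"]:
        w.append("no-revocation-source")
    return w

def build_sample_cert(ocsp_url=None, crl_url=None, must_staple=False):
    # Constructed fixture: structurally valid X.509 v3 with placeholder key and
    # signature bytes, so it parses but would fail any signature check. Not a real LE cert.
    def ext(oid, value):
        return tlv(0x30, tlv(0x06, oid) + tlv(0x04, value))
    exts = b""
    if ocsp_url:
        ad = tlv(0x30, tlv(0x06, OID_OCSP) + tlv(URI_TAG, ocsp_url.encode()))
        exts += ext(OID_AIA, tlv(0x30, ad))
    if crl_url:  # DistributionPoint > [0] EXPLICIT DistributionPointName > [0] fullName > URI
        dp = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(URI_TAG, crl_url.encode()))))
        exts += ext(OID_CRL_DP, tlv(0x30, dp))
    if must_staple:
        exts += ext(OID_TLS_FEATURE, tlv(0x30, tlv(0x02, bytes([STATUS_REQUEST]))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d040302")))   # ecdsa-with-SHA256
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"example.test"))))
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"250401000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" * 66))                  # placeholder public key
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01\x23") + alg
              + name + validity + name + spki + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 65))            # placeholder signature
```

To check a certificate you are actually serving, pass the DER bytes of the file to revocation_info (for a PEM file, convert first with the standard library’s ssl.PEM_cert_to_DER_cert; a fullchain.pem lists the leaf first). A certificate built with build_sample_cert(crl_url=..., must_staple=True) is the shape an old Must-Staple configuration would produce after May 7 if issuance did not refuse it, and the script reports it as must-staple-without-ocsp. The equivalent one-liner with OpenSSL is: openssl x509 -in cert.pem -noout -ocsp_uri -ext crlDistributionPoints,tlsfeature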

This decision reflects Let’s Encrypt’s commitment to offering secure, privacy-focused, and efficient services. As the internet evolves, its transition away from OCSP aims to set a new standard for certificate management practices.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
