For the people wondering why this does not show up as revoked in their browser:
I believe the way the current revocation systems work is that browsers compile centralized lists of revoked certificates, but they do not contain all revoked certs, but only ones that indicate some form of security issue.
Certificates can be revoked with various revocation reasons, however, it looks this one has no specific revocation reason listed in the CRL. For a certificate that was revoked with a reason of "Key Compromise", things would be different, and most browsers would probably reject it.
Several years ago, I saw some documentation about specifying the locations of CRLs in some proxy software. My first thought was "surely I have some of those on the system for web PKI". I was wrong. That sent me down a deep dark rabbit hole of how revocations are normally handled, at the bottom of which was the conclusion that most software does nothing, because it is just too hard.
Firefox has a project (crlite) that uses bloom filters to make crls more practical, but it is still experimental. I think we are a long ways out from the technology being widely used across the industry.
It turns out it is easier to significantly reduce the validity time of webpki certs than solve the problem of distributing distrbuting a list of revoked certificates. Although the former actually helps a lot with the latter, as it reduces the size of said list.
Might be EOL in some theoretical sense, but by turning it off they're ignoring reality. I know some organizations think this is the way to push standards forward. But to me it seems pretty irresponsible.
Seems rather problematic that a cert that appears to have been revoked 5 days ago isn’t recognized as revoked by virtually any browser. Is this an OCSP-related issue or do browsers actually do a bad job at checking for revocation?
Checking for revocation doesn't scale and has serious privacy implications. There are two ways to do revocation: CRL and OCSP. CRL is a list that becomes huge over time - hosting it would require massive amounts of bandwidth and clients would need to download a lot of extra data. OSCP is more like a query API - did this cert expire? The problem is you need to make that query for each visit and you leak your IP address when you do that query. The hoster would need to provide capacity to run those queries and serve the result. For each visit you'd need to pay a few round-trips worth of delay before showing the content, sometimes while part of the content is downloaded: you download example.com, which has some CSS which is hosted at static.example.com, and the website redirects you to m.example.com which is the mobile version after running some JavaScript which detects the browser capabilities.
So the answer then is just much shorter-lived certs? I could definitely still see the need for an immediate revocation to be recognized near-instantaneously. Or in practice is that ultimately not necessary?
Yes, I think short-lived certs are ultimately where we're headed.
We're starting to see adoption for O(days) now but I imagine that the lifetime will continue to decrease to some minimum O(hours) in the years to come.
I dread supporting O(hours). Clients often have wrong clocks. I've seen some client systems that enforced 'Not Before' and interpreted the datetime as local time and there were many users of that platform in the Americas; and my CA at the time insisted that Not Before was the time of issuance... lots of fun deciding how long to keep using a revoked certificate to balance the users with working revocation vs the users with broken Not Before checking. The client system I'm aware of is very dead, but maybe other systems managed similar.
Ironically this ends up putting a ton more load on the issuers, which some others have pointed out is why revocation doesn’t scale well (other than privacy concerns, which are valid).
> CRL is a list that becomes huge over time - hosting it would require massive amounts of bandwidth and clients would need to download a lot of extra data.
Compared to what? 12MB JavaScript bundles and autoplay videos? Do CDNs still exist?
There's a finite number of CAs and browsers can be expected to perform caching. Delta CRLs also exist and the CAs can decline to include expired leaf certs.
This sounds like a made up problem that was solved 25 years ago.
Again, if you need to revoke a certificate, it means something terrible happened - someone compromised your server and your website has a good chance to be impersonated by 3rd parties. In all the other cases, you just let the old cert expire. You likely don't want people finding out about the revocation 12-24 hours later.
Let's see. I can cache the information that example.com is valid up to May 31 2026, but then how do I know that it gets revoked on any day before that date?
And if I cache the information that it is revoked, how do I know that it's allowed again?
I could check, let's say one time per day even if I don't access that site.
In any case I'm still leaking which domains I browse and I keep trusting cached certificates until the next check.
On the other side, with short lived certificates I would be trusting a certificate for a longer time, until it expires.
Downloading a list of all certificates and their status from every CAs is probably unfeasible.
It seems that we can't escape a tradeoff between privacy and security.
I was a big fan of OCSP-stapling and must-staple. Both of which are slowly being discouraged; LetsEncrypt refuses to issue must-staple certificates since a few months ago, and I think they are shutting down OCSP servers, if not shut down already.
The idea with OCSP-stapling is that the webserver fetches the OCSP data, caches it for TTL ~24 hours, and staples it to the HTTPS handshake. That way, the browser does not need to query the issuer's OCSP servers, avoiding both performance and privacy concerns. Revoked certificates will continue to work for up to 24 hours, but that, IMO, is within an accepted range compared to CRL that can take a lot longer.
The downside is that the HTTPS handshakes now contain a bit more data, and we want to keep this as minimal as possible.
The problem with OCSP stapling is that it either the client has to fall back to doing OCSP checking itself if the server doesn't staple the signature, which has its own problems[1], or enough servers need to support ocsp stapling that the client can just reject connections that don't include it. And unfortunately, there was never a significant uptake for servers, partly because there wasn't really any incentive to implement OCSP stapling. Maybe if there was a TLS 2.0 (or some other standard) that required OCSP stapling and had other benefits as well, it could work.
[1]: the biggest problem with non-stapled OCSP is what to do if you don't get a response for the ocsp request. If you fail open, an attacker can intercept the request to prevent you from knowing the cert is revoked, but if you fail closed, then any issue with the connection to the ocsp server results in loss of service. And then there are also issues with additional latency to wait for the ocsp response, privacy leaks from the ocsp requests, etc.
If the certificate was issued with must-staple flag, then the server can refuse to connect if the handshake did not include an OCSP response.
web servers can refresh OCSP responses in the background and cache valid responses to add some tolerance against temporarily downtimes in the OCSP server.
Right, but the vast majoriry of servers don't use must-staple certs. So browsers would need to do something (even if that something is not checking revocations) for all the other connections anyway.
It's really a chicken and egg problem. Browsers don't want to support must-staple because not enough servers use it. And servers don't use it, because browsers don't require it (or even implement it). And now CAs don't support it, because hardly anyone was using it.
Now if CAs started requiring must-staple, that might push it into widespread use. But that would cause a lot of disruption.
That's because revocation checking (if it ocsp) is something that sounds good at a glance but is actually quite a bad idea. Not doing live revocation checking is definitely the right choice for browsers to make. It doesn't protect against real threats and is terrible for privacy.
It's also literally a centralized trust model though. You know how the saying goes: if you're going to be a criminal, you may as well be the best one in town.
Sometime last summer, I encountered a domain which WAS revoked.
I was and am using Firefox, roughly v120, in Ubuntu and it threw up an unskippable error page, similar to those self signed pages in chrome.
I did turn it off for hahas, in about:config, i believe it was an OCSP setting,
security.OCSP.enabled to let me view the page.
However, this page, shows perfectly, so there must have been some differences between this and the domain I remember. Unfortunately, my domain has long since been reissued and I can't reproduce the block.
The block also occurred in the latest Thunderbird for windows 7 interestingly.
I've always felt that the browser vendor + CA model was bad but this is next level embarrassing. How is the very root of trust in the internet so... untrustworthy?
The whole chain of trust model is that your browser vouches for an authority that vouches for a website that everything is legit.
You can't just ducktape on an idea like that cert for "www.xyz" is totally legit unless I takesies-backies'd my vouch at some point, so just double-check.
If you want that sort of "continuous" trust scheme, then what makes more sense is something like having short-lived certificates.
is this specific page supposed to show as revoked? its not showing as revoked for me in firefox, but https://revoked.badssl.com/does so i know my browser is doing revocation checking. I'm curious whats happening here.
revoked.badssl.com is showing up for me in Firefox on mobile just fine, so perhaps there is some nondeterminism here in some way? To be fair, this would be even more bizarre...
Given the mentions of Chrome, Safari, Firefox, and the usual.
I would say "majority" rather than "not all" browsers perform revocation checking.
[1]: https://gs.statcounter.com/browser-market-share
For the people wondering why this does not show up as revoked in their browser: I believe the way the current revocation systems work is that browsers compile centralized lists of revoked certificates, but they do not contain all revoked certs, but only ones that indicate some form of security issue.
Certificates can be revoked with various revocation reasons, however, it looks this one has no specific revocation reason listed in the CRL. For a certificate that was revoked with a reason of "Key Compromise", things would be different, and most browsers would probably reject it.
[citation needed]
Several years ago, I saw some documentation about specifying the locations of CRLs in some proxy software. My first thought was "surely I have some of those on the system for web PKI". I was wrong. That sent me down a deep dark rabbit hole of how revocations are normally handled, at the bottom of which was the conclusion that most software does nothing, because it is just too hard.
Firefox has a project (crlite) that uses bloom filters to make crls more practical, but it is still experimental. I think we are a long ways out from the technology being widely used across the industry.
It turns out it is easier to significantly reduce the validity time of webpki certs than solve the problem of distributing distrbuting a list of revoked certificates. Although the former actually helps a lot with the latter, as it reduces the size of said list.
So far, I've tried this in, chrome, firefox, safari, arc and comet. loads in all of them
Sounds like letsencrypt is being quite premature by turning off OCSP. https://letsencrypt.org/2025/08/06/ocsp-service-has-reached-...
Might be EOL in some theoretical sense, but by turning it off they're ignoring reality. I know some organizations think this is the way to push standards forward. But to me it seems pretty irresponsible.
Do all other major CAs offer OCSP? Are all major browsers performing the check? I vaguely remember Firefox doesn't. Not at my desk now to check it...
Edit: I believe OCSP is tried, but silently ignored if there is no reponse quickly enough.
Firefox has a a toggle `Query OCSP responder servers to confirm the current validity of certificates`, which is turned off by default.
[dead]
As far as I know OCSP isn't enabled by default in any browser.
Not the first time
https://letsencrypt.org/2025/08/14/rfc-6962-logs-eol
https://www.merklemap.com/documentation/static-ct
Seems rather problematic that a cert that appears to have been revoked 5 days ago isn’t recognized as revoked by virtually any browser. Is this an OCSP-related issue or do browsers actually do a bad job at checking for revocation?
Checking for revocation doesn't scale and has serious privacy implications. There are two ways to do revocation: CRL and OCSP. CRL is a list that becomes huge over time - hosting it would require massive amounts of bandwidth and clients would need to download a lot of extra data. OSCP is more like a query API - did this cert expire? The problem is you need to make that query for each visit and you leak your IP address when you do that query. The hoster would need to provide capacity to run those queries and serve the result. For each visit you'd need to pay a few round-trips worth of delay before showing the content, sometimes while part of the content is downloaded: you download example.com, which has some CSS which is hosted at static.example.com, and the website redirects you to m.example.com which is the mobile version after running some JavaScript which detects the browser capabilities.
So the answer then is just much shorter-lived certs? I could definitely still see the need for an immediate revocation to be recognized near-instantaneously. Or in practice is that ultimately not necessary?
Yes, I think short-lived certs are ultimately where we're headed.
We're starting to see adoption for O(days) now but I imagine that the lifetime will continue to decrease to some minimum O(hours) in the years to come.
I dread supporting O(hours). Clients often have wrong clocks. I've seen some client systems that enforced 'Not Before' and interpreted the datetime as local time and there were many users of that platform in the Americas; and my CA at the time insisted that Not Before was the time of issuance... lots of fun deciding how long to keep using a revoked certificate to balance the users with working revocation vs the users with broken Not Before checking. The client system I'm aware of is very dead, but maybe other systems managed similar.
Ironically this ends up putting a ton more load on the issuers, which some others have pointed out is why revocation doesn’t scale well (other than privacy concerns, which are valid).
> CRL is a list that becomes huge over time - hosting it would require massive amounts of bandwidth and clients would need to download a lot of extra data.
Compared to what? 12MB JavaScript bundles and autoplay videos? Do CDNs still exist?
There's a finite number of CAs and browsers can be expected to perform caching. Delta CRLs also exist and the CAs can decline to include expired leaf certs.
This sounds like a made up problem that was solved 25 years ago.
If you cache the revocation list, you lose all the benefits of instant revocation making the whole process pointless.
OCSP is dead. We don't have that luxury anymore. By caching I meant for 12-24 hrs.
Again, if you need to revoke a certificate, it means something terrible happened - someone compromised your server and your website has a good chance to be impersonated by 3rd parties. In all the other cases, you just let the old cert expire. You likely don't want people finding out about the revocation 12-24 hours later.
You could of course cache the list, only download whatever was new from a specific date. Short-lived certs would vastly reduce the list as well.
Not really sure how big of a problem a list could be?
Let's see. I can cache the information that example.com is valid up to May 31 2026, but then how do I know that it gets revoked on any day before that date?
And if I cache the information that it is revoked, how do I know that it's allowed again?
I could check, let's say one time per day even if I don't access that site.
In any case I'm still leaking which domains I browse and I keep trusting cached certificates until the next check.
On the other side, with short lived certificates I would be trusting a certificate for a longer time, until it expires.
Downloading a list of all certificates and their status from every CAs is probably unfeasible.
It seems that we can't escape a tradeoff between privacy and security.
I was a big fan of OCSP-stapling and must-staple. Both of which are slowly being discouraged; LetsEncrypt refuses to issue must-staple certificates since a few months ago, and I think they are shutting down OCSP servers, if not shut down already.
The idea with OCSP-stapling is that the webserver fetches the OCSP data, caches it for TTL ~24 hours, and staples it to the HTTPS handshake. That way, the browser does not need to query the issuer's OCSP servers, avoiding both performance and privacy concerns. Revoked certificates will continue to work for up to 24 hours, but that, IMO, is within an accepted range compared to CRL that can take a lot longer.
The downside is that the HTTPS handshakes now contain a bit more data, and we want to keep this as minimal as possible.
I don't think any browsers still support OCSP.
The problem with OCSP stapling is that it either the client has to fall back to doing OCSP checking itself if the server doesn't staple the signature, which has its own problems[1], or enough servers need to support ocsp stapling that the client can just reject connections that don't include it. And unfortunately, there was never a significant uptake for servers, partly because there wasn't really any incentive to implement OCSP stapling. Maybe if there was a TLS 2.0 (or some other standard) that required OCSP stapling and had other benefits as well, it could work.
[1]: the biggest problem with non-stapled OCSP is what to do if you don't get a response for the ocsp request. If you fail open, an attacker can intercept the request to prevent you from knowing the cert is revoked, but if you fail closed, then any issue with the connection to the ocsp server results in loss of service. And then there are also issues with additional latency to wait for the ocsp response, privacy leaks from the ocsp requests, etc.
If the certificate was issued with must-staple flag, then the server can refuse to connect if the handshake did not include an OCSP response.
web servers can refresh OCSP responses in the background and cache valid responses to add some tolerance against temporarily downtimes in the OCSP server.
Right, but the vast majoriry of servers don't use must-staple certs. So browsers would need to do something (even if that something is not checking revocations) for all the other connections anyway.
It's really a chicken and egg problem. Browsers don't want to support must-staple because not enough servers use it. And servers don't use it, because browsers don't require it (or even implement it). And now CAs don't support it, because hardly anyone was using it.
Now if CAs started requiring must-staple, that might push it into widespread use. But that would cause a lot of disruption.
I wonder if any free certificate issuers still support Must-Staple?
I don't think so.
- Let's Encrypt: doesn't support it since May 7 this year
- Buy Pass: No longer offers free certificates, probably didn't have must-staple either
- Zero SSL, I didn't find any public links to check if they sign CSRs with it.
- Google Trust Services: Same as above
- Amazon Trust: Same as above, but it probably does.
If you don't do a job at all, have you done a bad job?
"Not all" is quite an understatement.
That's because revocation checking (if it ocsp) is something that sounds good at a glance but is actually quite a bad idea. Not doing live revocation checking is definitely the right choice for browsers to make. It doesn't protect against real threats and is terrible for privacy.
Don't forget revocation checking = more centralised control, although they seem to have gone with very-short-lived certificates instead.
It's also literally a centralized trust model though. You know how the saying goes: if you're going to be a criminal, you may as well be the best one in town.
> Don't forget revocation checking = more centralised contro
How so? Doesn't revocation have to be done by the same entity that issued the certificate?
Safari on iOS 26 certainly doesn’t show this page as revoked.
fwiw iOS happily displays the cert as very valid
https://f000.backblazeb2.com/file/0011public/Photo-2025-09-1...
I'm on Windows 11 (25H2 / 26220), and with Chrome (140), Edge (141) and Firefox (142) I wasn't able to find a browser that would show this as revoked.
Sometime last summer, I encountered a domain which WAS revoked. I was and am using Firefox, roughly v120, in Ubuntu and it threw up an unskippable error page, similar to those self signed pages in chrome. I did turn it off for hahas, in about:config, i believe it was an OCSP setting, security.OCSP.enabled to let me view the page.
However, this page, shows perfectly, so there must have been some differences between this and the domain I remember. Unfortunately, my domain has long since been reissued and I can't reproduce the block. The block also occurred in the latest Thunderbird for windows 7 interestingly.
OCSP is deprecated for CRLs
Let's encrypt already EOLd OCSP
Details: https://www.ssllabs.com/ssltest/analyze.html?d=revoked-isrgr...
Edit: Their details are not correct: They claim the browsers would not trust it, but in practice they do.
> Their details are not correct: They claim the browsers would not trust it
But their details ARE correct. It says the certificate is revoked, which it is. It's up to the individual browser to act upon that (which most don't).
As part of their details they mention browser behavior. And that part is incorrect.
I've always felt that the browser vendor + CA model was bad but this is next level embarrassing. How is the very root of trust in the internet so... untrustworthy?
Revocation seems really nasty to deal with.
The whole chain of trust model is that your browser vouches for an authority that vouches for a website that everything is legit.
You can't just ducktape on an idea like that cert for "www.xyz" is totally legit unless I takesies-backies'd my vouch at some point, so just double-check.
If you want that sort of "continuous" trust scheme, then what makes more sense is something like having short-lived certificates.
is this specific page supposed to show as revoked? its not showing as revoked for me in firefox, but https://revoked.badssl.com/ does so i know my browser is doing revocation checking. I'm curious whats happening here.
revoked.badssl.com is showing up for me in Firefox on mobile just fine, so perhaps there is some nondeterminism here in some way? To be fair, this would be even more bizarre...
Interestingly Chrome 140.0.7339.51 on Android 16 blocks it with a net::ERR_CERT_REVOKED error.
I always thought Chrome didn't block them and that revocation was pretty much dead.
To clarify, https://revoked.badssl.com/ is the one being blocked. https://revoked-isrgrootx1.letsencrypt.org/ shows just fine.
The certificate expiry is Dec 2025 so it's valid.
> https://revoked.badssl.com
This loads fine in Safari on iOS 26 lol.
Also in Fennec 129...
How do you even _get_ it to show as revoked? I tried FF, Chrome, Safari, curl, wget.
Is this related to https://letsencrypt.org/2025/08/06/ocsp-service-has-reached-... ?
It’s a negative on Firefox 142, Chrome 140 and iOS Safari.
https://crt.sh/?id=20924740030
Has anyone gotten it to show as revoked?