Firefox has deployed CRLite, a revolutionary certificate revocation checking system that provides comprehensive coverage of all revoked certificates while maintaining user privacy. Unlike traditional OCSP methods that leak browsing activity, CRLite downloads compact encodings of revocation data locally, updating every 12 hours. The system uses advanced Clubcard data structures with Ribbon filters, achieving 1000x better bandwidth efficiency than traditional Certificate Revocation Lists while covering 100% of revocations compared to Chrome's 1% coverage. Firefox will disable OCSP for domain-validated certificates in version 142, eliminating privacy leaks and improving TLS handshake performance by removing 100ms delays.
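The local, query-free lookup described in the summary above, as an added example that is not from the original post or from Firefox's code. It uses a Bloom filter cascade (the construction from the original CRLite research design) in place of the Clubcard/Ribbon filter encoding the page names; the certificate identifiers, set sizes and filter parameters are constructed.

```python
import hashlib

class Bloom:
    """Plain Bloom filter; `salt` makes each cascade level hash independently."""
    def __init__(self, items, salt, bits_per_item=8, k=3):
        self.m, self.k, self.salt = max(64, bits_per_item * len(items)), k, salt
        self.bits = bytearray((self.m + 7) // 8)
        for item in items:
            for p in self._positions(item):
                self.bits[p >> 3] |= 1 << (p & 7)

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(b"%d:%d:" % (self.salt, i) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def __contains__(self, item):
        return all((self.bits[p >> 3] >> (p & 7)) & 1 for p in self._positions(item))

def build_cascade(revoked, valid):
    """Level 0 encodes the revoked set; every later level encodes the
    false positives of the level before it, until none remain."""
    levels, include, exclude = [], set(revoked), set(valid)
    while include:
        level = Bloom(include, salt=len(levels))
        levels.append(level)
        include, exclude = {c for c in exclude if c in level}, include
    return levels

def is_revoked(levels, cert_id):
    """Purely local lookup: the first level that rejects cert_id decides."""
    for depth, level in enumerate(levels):
        if cert_id not in level:
            return depth % 2 == 1  # rejected at an odd depth means revoked
    return len(levels) % 2 == 1    # accepted by every level

# Constructed identifiers standing in for (issuer, serial) pairs.
REVOKED = {b"issuer-A:%04d" % n for n in range(50)}
VALID = {b"issuer-A:%04d" % n for n in range(50, 2000)}

if __name__ == "__main__":
    cascade = build_cascade(REVOKED, VALID)
    size = sum(len(level.bits) for level in cascade)
    print(len(cascade), "levels,", size, "bytes")
    print(is_revoked(cascade, b"issuer-A:0007"), is_revoked(cascade, b"issuer-A:1234"))
```

The answers are exact only for identifiers that were in one of the two sets at build time; an identifier outside both can be misclassified.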