Hacker News

> Chrome's solution was to call OCSP useless because their less technical users couldn't understand it.

OCSP introduced a non-trivial delay (cited as ~300ms to a second) and there are also privacy concerns with it[1]. There's also the fact that it's set to soft-fail when the OCSP servers can't be contacted, making it useless in that case[2].

Even if we ignore the above reasons for its exclusion from Chrome, they do provide CRLSets, which provide similar functionality but are pushed via browser updates (supposedly it's updated daily, which makes it faster than OCSP). I'm not sure it's fair to say that they called it "useless because less technical users couldn't understand it". How else can CRLSets be explained, then?

[1] https://www.imperialviolet.org/2012/02/05/crlsets.html

[2] https://www.imperialviolet.org/2014/04/19/revchecking.html



> There's also the fact that it's set to soft-fail when the OCSP servers can't be contacted making it useless in that case[2].

Yes, notice that I called for OCSP force/required, not just OCSP soft-fail. I've been running OCSP required for years and never had any noticeable slowdown. Maybe there's one on the first connection of the day to a site or something?

Chrome's CRLSets are extremely limited and cannot begin to capture the full number of domains which have been revoked. They can get the most popular sites and that's about it.

OCSP stapling is the superior solution which will solve this in Chrome and other browsers, but for now OCSP is the only reasonable solution in a world where millions of SSL certificates have leaked and been revoked and you care about your privacy. CloudFlare alone revoked millions of certificates. These have indeed not all made it into the CRLSets.

An excellent summary of the problems is here: https://www.grc.com/revocation/crlsets.htm

Chrome's CRLSets contain less than 1% of current revoked certificates. I can't in good faith call that a valid solution to the problem.
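The contrast this thread draws between a CRLSet lookup, a soft-fail OCSP check and a required (hard-fail) OCSP check, as an added example that is not part of the thread and is not Chrome's or anyone else's project code: a small Python model with a CRLSet serializer and parser plus a stub OCSP responder that can be "unreachable". The CRLSet byte layout used here (2-byte header length, JSON header, then per issuer a 32-byte SHA-256 of the issuer SPKI, a 4-byte serial count and length-prefixed serials) follows the format as documented by the crlset-tools project as I understand it and should be treated as an assumption; the issuer SPKIs, serials and the responder are constructed sample data, not real certificates or a real responder.

```python
"""Model of three revocation-check strategies (added example, not from the thread).

CRLSet lookup   -> only what was pushed into the set counts as revoked.
OCSP soft-fail  -> an unreachable responder is treated as "good".
OCSP required   -> an unreachable responder blocks the connection.
"""
import hashlib
import json
import struct
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # no usable answer (responder down under hard-fail)


class ResponderDown(Exception):
    """Raised by the stub responder to model an unreachable OCSP server."""


def build_crlset(blocked, sequence=1):
    """Serialize {issuer_spki: [serial, ...]} in the CRLSet byte layout.

    Layout (assumption, modelled on the format described by crlset-tools):
    uint16 LE header length, JSON header, then per issuer a 32-byte SHA-256
    of the issuer SPKI, a uint32 LE serial count and each serial as a
    1-byte length followed by the serial bytes.
    """
    header = json.dumps({"Version": 0, "ContentType": "CRLSet",
                         "Sequence": sequence, "NumParents": len(blocked)}).encode()
    out = bytearray(struct.pack("<H", len(header)) + header)
    for spki, serials in blocked.items():
        out += hashlib.sha256(spki).digest()
        out += struct.pack("<I", len(serials))
        for serial in serials:
            if not 1 <= len(serial) <= 255:
                raise ValueError("serial length must fit in one byte")
            out += bytes([len(serial)]) + serial
    return bytes(out)


def parse_crlset(blob):
    """Parse a CRLSet blob; returns (header_dict, {spki_sha256: set(serials)})."""
    (hlen,) = struct.unpack_from("<H", blob, 0)
    header = json.loads(blob[2:2 + hlen])
    pos = 2 + hlen
    entries = {}
    for _ in range(header["NumParents"]):
        spki_hash = blob[pos:pos + 32]
        pos += 32
        (count,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        serials = set()
        for _ in range(count):
            n = blob[pos]
            pos += 1
            serials.add(blob[pos:pos + n])
            pos += n
        entries[spki_hash] = serials
    if pos != len(blob):
        raise ValueError("trailing bytes in CRLSet")
    return header, entries


def crlset_status(entries, issuer_spki, serial):
    """A certificate is revoked only if its (issuer, serial) is in the set;
    anything the set does not carry looks good, which is why coverage matters."""
    if serial in entries.get(hashlib.sha256(issuer_spki).digest(), set()):
        return Status.REVOKED
    return Status.GOOD


def make_responder(revoked, reachable=True):
    """Stub OCSP responder (constructed, no network): answers from a set."""
    def responder(issuer_spki, serial):
        if not reachable:
            raise ResponderDown()
        return Status.REVOKED if (issuer_spki, serial) in revoked else Status.GOOD
    return responder


def ocsp_status(responder, issuer_spki, serial, required):
    """OCSP check under the soft-fail (required=False) or hard-fail policy."""
    try:
        return responder(issuer_spki, serial)
    except ResponderDown:
        return Status.UNKNOWN if required else Status.GOOD


def accept(status):
    """Connection policy: only a definite GOOD lets the handshake proceed."""
    return status == Status.GOOD


# Constructed sample data: fake issuer SPKIs and serials, not real certificates.
ISSUER_A = b"spki-of-issuer-A"
ISSUER_B = b"spki-of-issuer-B"
SERIAL_1 = bytes.fromhex("01a3")
SERIAL_2 = bytes.fromhex("02b4c5")
SERIAL_3 = bytes.fromhex("03")
OCSP_REVOKED = {(ISSUER_A, SERIAL_1), (ISSUER_A, SERIAL_2), (ISSUER_B, SERIAL_3)}
CRLSET_BLOB = build_crlset({ISSUER_A: [SERIAL_1]})  # only one entry was pushed


def demo():
    """Run the same revoked certificate through each strategy."""
    _, entries = parse_crlset(CRLSET_BLOB)
    up = make_responder(OCSP_REVOKED, reachable=True)
    down = make_responder(OCSP_REVOKED, reachable=False)
    return {
        "crlset serial1": crlset_status(entries, ISSUER_A, SERIAL_1),
        "crlset serial2": crlset_status(entries, ISSUER_A, SERIAL_2),  # missed
        "ocsp serial2": ocsp_status(up, ISSUER_A, SERIAL_2, required=False),
        "softfail down": ocsp_status(down, ISSUER_A, SERIAL_2, required=False),
        "required down": ocsp_status(down, ISSUER_A, SERIAL_2, required=True),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:15} {status.value:8} accept={accept(status)}")
```

Serial 2 is revoked at the responder but absent from the pushed CRLSet, so the CRLSet lookup accepts it; the soft-fail OCSP check also accepts it the moment the responder is unreachable, and only the required policy refuses to proceed without an answer.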


There is still a non-trivial privacy issue with the OCSP checks, although OCSP stapling does address that problem. The Chrome situation does leave something to be desired, although I can sort of understand where they were coming from, from the aspect of it being confusing. It is worth noting that only the setting on the settings page has been removed. You can still enable OCSP checks and OCSP forcing through the enterprise settings[1][2]. Also worth noting is that I believe they have only disabled OCSP checks; OCSP stapling should still work correctly if the server supports it.

[1] https://www.chromium.org/administrators/policy-list-3#Enable...

[2] https://www.chromium.org/administrators/policy-list-3#Requir...



