Not all browsers perform revocation checking
41 comments · September 15, 2025
bawolff
That's because revocation checking (if it's OCSP) is something that sounds good at a glance but is actually quite a bad idea. Not doing live revocation checking is definitely the right choice for browsers to make. It doesn't protect against real threats and is terrible for privacy.
8cvor6j844qw_d6
Given the mentions of Chrome, Safari, Firefox, and the usual.
I would say "majority" rather than "not all" browsers perform revocation checking.
Dylan16807
"Not all" is quite an understatement.
suriya-ganesh
So far, I've tried this in Chrome, Firefox, Safari, Arc and Comet. Loads in all of them.
oofbey
Sounds like Let's Encrypt is being quite premature by turning off OCSP. https://letsencrypt.org/2025/08/06/ocsp-service-has-reached-...
Might be EOL in some theoretical sense, but by turning it off they're ignoring reality. I know some organizations think this is the way to push standards forward. But to me it seems pretty irresponsible.
jsiepkes
As far as I know OCSP isn't enabled by default in any browser.
zephyreon
Safari on iOS 26 certainly doesn’t show this page as revoked.
zephyreon
FWIW iOS happily displays the cert as very valid
https://f000.backblazeb2.com/file/0011public/Photo-2025-09-1...
jofla_net
Sometime last summer, I encountered a domain which WAS revoked. I was and am using Firefox, roughly v120, on Ubuntu, and it threw up an unskippable error page, similar to those self-signed pages in Chrome. I did turn it off for hahas, in about:config; I believe it was an OCSP setting, security.OCSP.enabled, to let me view the page.
However, this page shows perfectly, so there must have been some differences between this and the domain I remember. Unfortunately, my domain has long since been reissued and I can't reproduce the block. The block also occurred in the latest Thunderbird for Windows 7, interestingly.
synotna
OCSP is deprecated for CRLs
Let's Encrypt already EOL'd OCSP.
Titan2189
I'm on Windows 11 (25H2 / 26220), and with Chrome (140), Edge (141) and Firefox (142) I wasn't able to find a browser that would show this as revoked.
johnecheck
I've always felt that the browser vendor + CA model was bad but this is next level embarrassing. How is the very root of trust in the internet so... untrustworthy?
kingstnap
Revocation seems really nasty to deal with.
The whole chain of trust model is that your browser vouches for an authority that vouches for a website that everything is legit.
You can't just duct-tape on an idea like "the cert for www.xyz is totally legit unless I takesies-backies'd my vouch at some point, so just double-check."
If you want that sort of "continuous" trust scheme, then what makes more sense is something like having short-lived certificates.
userbinator
Don't forget revocation checking = more centralised control, although they seem to have gone with very-short-lived certificates instead.
perching_aix
It's also literally a centralized trust model though. You know how the saying goes: if you're going to be a criminal, you may as well be the best one in town.
Dylan16807
> Don't forget revocation checking = more centralised control
How so? Doesn't revocation have to be done by the same entity that issued the certificate?
snailmailman
Is this specific page supposed to show as revoked? It's not showing as revoked for me in Firefox, but https://revoked.badssl.com/ does, so I know my browser is doing revocation checking. I'm curious what's happening here.
lucumo
Interestingly Chrome 140.0.7339.51 on Android 16 blocks it with a net::ERR_CERT_REVOKED error.
I always thought Chrome didn't block them and that revocation was pretty much dead.
lucumo
To clarify, https://revoked.badssl.com/ is the one being blocked. https://revoked-isrgrootx1.letsencrypt.org/ shows just fine.
tsimionescu
revoked.badssl.com is showing up for me in Firefox on mobile just fine, so perhaps there is some nondeterminism here in some way? To be fair, this would be even more bizarre...
zephyreon
Seems rather problematic that a cert that appears to have been revoked 5 days ago isn’t recognized as revoked by virtually any browser. Is this an OCSP-related issue or do browsers actually do a bad job at checking for revocation?
redleader55
Checking for revocation doesn't scale and has serious privacy implications. There are two ways to do revocation: CRL and OCSP. CRL is a list that becomes huge over time - hosting it would require massive amounts of bandwidth and clients would need to download a lot of extra data. OCSP is more like a query API - did this cert expire? The problem is you need to make that query for each visit and you leak your IP address when you do that query. The hoster would need to provide capacity to run those queries and serve the result. For each visit you'd need to pay a few round-trips worth of delay before showing the content, sometimes while part of the content is downloaded: you download example.com, which has some CSS which is hosted at static.example.com, and the website redirects you to m.example.com which is the mobile version after running some JavaScript which detects the browser capabilities.
sugarpimpdorsey
> CRL is a list that becomes huge over time - hosting it would require massive amounts of bandwidth and clients would need to download a lot of extra data.
Compared to what? 12MB JavaScript bundles and autoplay videos? Do CDNs still exist?
There's a finite number of CAs and browsers can be expected to perform caching. Delta CRLs also exist and the CAs can decline to include expired leaf certs.
This sounds like a made up problem that was solved 25 years ago.
redleader55
If you cache the revocation list, you lose all the benefits of instant revocation making the whole process pointless.
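The CRL mechanics that redleader55 and sugarpimpdorsey are arguing about (a signed list of revoked serial numbers that a client fetches, caches, and consults), and the staleness problem that comes with caching it, can be shown end to end in code. The program below is an added example written for this thread, not code from any commenter, CA or browser. It uses only Go's standard library (the `RevokedCertificateEntries` API needs Go 1.21 or later) to build a constructed toy PKI in memory: a CA, one leaf it has revoked "five days ago", one it has not, and a CRL the CA signs. `CheckAgainstCRL` then does what a relying party must do: verify the CRL's signature against the issuer, look the serial up, and flag the CRL as stale once `NextUpdate` has passed, which is exactly the window in which a cached list stops reflecting a fresh revocation. All names and the `example.invalid` URLs in the leaf's CRL distribution point and OCSP responder fields are placeholders; nothing is fetched from the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is the outcome of checking one leaf certificate against one CRL.
type RevocationStatus struct {
	Revoked bool // the leaf's serial number is listed in the CRL
	Reason  int  // RFC 5280 reason code of the entry (1 = keyCompromise), 0 if none
	Stale   bool // now is past NextUpdate, so a cached copy may miss newer revocations
}

// CheckAgainstCRL verifies that crl was signed by issuer, then looks the leaf's serial up
// in it. Stale is the price of caching discussed above: a CRL past its NextUpdate cannot
// be relied on to reflect a recent revocation, so a cached copy must be refreshed.
func CheckAgainstCRL(leaf, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) (RevocationStatus, error) {
	var st RevocationStatus
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return st, fmt.Errorf("CRL signature does not verify against issuer: %w", err)
	}
	st.Stale = now.After(crl.NextUpdate)
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			st.Revoked, st.Reason = true, e.ReasonCode
			break
		}
	}
	return st, nil
}

// DemoPKI is a constructed toy hierarchy: a CA, a leaf it has revoked, a leaf it has not,
// and the DER-encoded CRL the CA signed. All names and URLs are placeholders.
type DemoPKI struct {
	CA, Revoked, Valid *x509.Certificate
	CRLDER             []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildDemoPKI generates fresh keys and certificates in memory; nothing is fetched.
func BuildDemoPKI(now time.Time) *DemoPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		// crlSign is mandatory: CreateRevocationList rejects an issuer without it.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// issue creates a short-lived server certificate that advertises where a client
	// would look for revocation data (CRL distribution point and OCSP responder).
	issue := func(serial int64, host string) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(6 * 24 * time.Hour),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
			CRLDistributionPoints: []string{"http://crl.example.invalid/demo.crl"}, // placeholder
			OCSPServer:            []string{"http://ocsp.example.invalid"},          // placeholder
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	revoked, valid := issue(1001, "revoked.example.invalid"), issue(1002, "valid.example.invalid")
	// The CRL lists only the first leaf, revoked five days ago for key compromise.
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-5 * 24 * time.Hour), ReasonCode: 1},
		},
	}
	return &DemoPKI{CA: ca, Revoked: revoked, Valid: valid, CRLDER: must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))}
}

func main() {
	now := time.Now()
	p := BuildDemoPKI(now)
	crl := must(x509.ParseRevocationList(p.CRLDER))
	for _, leaf := range []*x509.Certificate{p.Revoked, p.Valid} {
		for _, at := range []time.Time{now, now.Add(48 * time.Hour)} { // fresh CRL vs. one cached too long
			st := must(CheckAgainstCRL(leaf, p.CA, crl, at))
			fmt.Printf("%s (CRL %v): revoked=%v reason=%d stale=%v\n", leaf.Subject.CommonName, leaf.CRLDistributionPoints, st.Revoked, st.Reason, st.Stale)
		}
	}
}
```

Running it prints one line per leaf and check time: the revoked leaf is flagged at both times, the valid one is never flagged, and both report `stale=true` once the check happens 48 hours after the CRL was issued. That second column is the whole caching argument in miniature: a client that keeps using a CRL past `NextUpdate` still verifies a good signature and still gets "not revoked" for any serial added since, which is why a real client has to choose between refetching (bandwidth, latency) and trusting a list that may be out of date.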
zephyreon
So the answer then is just much shorter-lived certs? I could definitely still see the need for an immediate revocation to be recognized near-instantaneously. Or in practice is that ultimately not necessary?
xyzzy_plugh
Yes, I think short-lived certs are ultimately where we're headed.
We're starting to see adoption for O(days) now but I imagine that the lifetime will continue to decrease to some minimum O(hours) in the years to come.
Dylan16807
If you don't do a job at all, have you done a bad job?
Details: https://www.ssllabs.com/ssltest/analyze.html?d=revoked-isrgr...
Edit: Their details are not correct: They claim the browsers would not trust it, but in practice they do.