Let's Encrypt first announced their Intent to End OCSP Service in July 2024, and just recently, in December 2024, they announced that they will be Ending OCSP Support in 2025...In an ideal world, this would cause absolutely no problems whatsoever, but we don't live in an ideal world. For over a decade now, certificates have somewhat reliably always had an OCSP URL in them for clients to check against, if they wish, and the removal of that may break some expectations.
ArticleIn this article, the author covers the announcement by Let's Encrypt that they are going to stop supporting the OSCP (Online Certificate Status Protocol). The OSCP is a protocol that checks if an SSL certificate has been revoked. This sounds like a no-brainer in theory but in practice, the protocol has a lot of limitations and caveats, the most alarming being that even if the check fails, the client still proceeds with the HTTP request.
What I want to focus on here is not the end of the support (which is a good thing imo) but rather why it was created to begin with. A quick look online will let you know that the OSCP was standardized in June 1999. Back then, the internet was a way smaller place and using something like the OSCP made sense. I can't be sure but from an engineering perspective it feels like one of those solutions that's "better than nothing" and at least stops *some* bad actors in their tracks. The problem is that it wasn't designed for the scale of the current internet.
Some people would say that's a bad thing and they should have thought ahead to which I would respond that absolutely no one back then thought the internet would be what it is today, especially after the Dotcom crash. They did the best they could with the information they had at the time and now that the playing field has changed, a new solution is needed. In the previous article response I talked about Technical Inertia and setting up projects with good defaults but this is a scenario where a good default actually becomes not so good later on. Like they say, "The only thing constant in life is change" and tech isn't any different.
The moral of the story is that even if you start with good defaults, your environment may invalidate them. When this happens, and believe you me if you stick around long enough it will, you don't hold onto those old solutions. They served their purpose but now that they have become insufficient, a new solution must be created and implemented. Again, easier said than done because of good ole technical inertia.
Thanks for reading and as always, all comments, critiques and questions are highly appreciated. Here's a link to the
previous article response.Brought to you by
mulVid.