Not all browsers perform revocation checking

https://revoked-isrgrootx1.letsencrypt.org/
49•sugarpimpdorsey•1h ago

Comments

Dylan16807•1h ago
"Not all" is quite an understatement.
Titan2189•1h ago
I'm on Windows 11 (25H2 / 26220), and with Chrome (140), Edge (141) and Firefox (142) I wasn't able to find a browser that would show this as revoked.
zephyreon•1h ago
Safari on iOS 26 certainly doesn’t show this page as revoked.
zephyreon•30m ago
fwiw iOS happily displays the cert as very valid

https://f000.backblazeb2.com/file/0011public/Photo-2025-09-1...

gslin•1h ago
https://crt.sh/?id=20924740030
sam_lowry_•1h ago
Is this related to https://letsencrypt.org/2025/08/06/ocsp-service-has-reached-... ?
cyberax•1h ago
How do you even _get_ it to show as revoked? I tried FF, Chrome, Safari, curl, wget.
suriya-ganesh•59m ago
So far, I've tried this in Chrome, Firefox, Safari, Arc and Comet. Loads in all of them.
oofbey•53m ago
Sounds like letsencrypt is being quite premature by turning off OCSP. https://letsencrypt.org/2025/08/06/ocsp-service-has-reached-...

Might be EOL in some theoretical sense, but by turning it off they're ignoring reality. I know some organizations think this is the way to push standards forward. But to me it seems pretty irresponsible.

wongogue•59m ago
It’s a negative on Firefox 142, Chrome 140 and iOS Safari.
8cvor6j844qw_d6•54m ago
Given the mentions of Chrome, Safari, Firefox, and the usual.

I would say "majority" rather than "not all" browsers perform revocation checking.

[1]: https://gs.statcounter.com/browser-market-share

zephyreon•52m ago
Seems rather problematic that a cert that appears to have been revoked 5 days ago isn’t recognized as revoked by virtually any browser. Is this an OCSP-related issue or do browsers actually do a bad job at checking for revocation?
Dylan16807•43m ago
If you don't do a job at all, have you done a bad job?
redleader55•40m ago
Checking for revocation doesn't scale and has serious privacy implications. There are two ways to do revocation: CRL and OCSP. CRL is a list that becomes huge over time - hosting it would require massive amounts of bandwidth and clients would need to download a lot of extra data. OCSP is more like a query API - did this cert expire? The problem is you need to make that query for each visit and you leak your IP address when you do that query. The hoster would need to provide capacity to run those queries and serve the result. For each visit you'd need to pay a few round-trips worth of delay before showing the content, sometimes while part of the content is downloaded: you download example.com, which has some CSS which is hosted at static.example.com, and the website redirects you to m.example.com which is the mobile version after running some JavaScript which detects the browser capabilities.
zephyreon•36m ago
So the answer then is just much shorter-lived certs? I could definitely still see the need for an immediate revocation to be recognized near-instantaneously. Or in practice is that ultimately not necessary?
xyzzy_plugh•31m ago
Yes, I think short-lived certs are ultimately where we're headed.

We're starting to see adoption for O(days) now but I imagine that the lifetime will continue to decrease to some minimum O(hours) in the years to come.

zephyreon•21m ago
Ironically this ends up putting a ton more load on the issuers, which some others have pointed out is why revocation doesn’t scale well (other than privacy concerns, which are valid).
sugarpimpdorsey•32m ago
> CRL is a list that becomes huge over time - hosting it would require massive amounts of bandwidth and clients would need to download a lot of extra data.

Compared to what? 12MB JavaScript bundles and autoplay videos? Do CDNs still exist?

There's a finite number of CAs and browsers can be expected to perform caching. Delta CRLs also exist and the CAs can decline to include expired leaf certs.

This sounds like a made up problem that was solved 25 years ago.

monkaiju•48m ago
Has anyone gotten it to show as revoked?
userbinator•48m ago
Don't forget revocation checking = more centralised control, although they seem to have gone with very-short-lived certificates instead.
Dylan16807•43m ago
> Don't forget revocation checking = more centralised control

How so? Doesn't revocation have to be done by the same entity that issued the certificate?

perching_aix•37m ago
It's also literally a centralized trust model though. You know how the saying goes: if you're going to be a criminal, you may as well be the best one in town.
jofla_net•47m ago
Sometime last summer, I encountered a domain which WAS revoked. I was and am using Firefox, roughly v120, in Ubuntu and it threw up an unskippable error page, similar to those self-signed pages in Chrome. I did turn it off for hahas, in about:config, I believe it was an OCSP setting, security.OCSP.enabled to let me view the page.

However, this page shows perfectly, so there must have been some differences between this and the domain I remember. Unfortunately, my domain has long since been reissued and I can't reproduce the block. The block also occurred in the latest Thunderbird for Windows 7 interestingly.

johnecheck•47m ago
I've always felt that the browser vendor + CA model was bad but this is next level embarrassing. How is the very root of trust in the internet so... untrustworthy?
snailmailman•44m ago
Is this specific page supposed to show as revoked? It's not showing as revoked for me in Firefox, but https://revoked.badssl.com/ does so I know my browser is doing revocation checking. I'm curious what's happening here.
zephyreon•39m ago
> https://revoked.badssl.com

This loads fine in Safari on iOS 26 lol.

monkaiju•38m ago
Also in Fennec 129...
tsimionescu•24m ago
revoked.badssl.com is showing up for me in Firefox on mobile just fine, so perhaps there is some nondeterminism here in some way? To be fair, this would be even more bizarre...
lucumo•19m ago
Interestingly Chrome 140.0.7339.51 on Android 16 blocks it with a net::ERR_CERT_REVOKED error.

I always thought Chrome didn't block them and that revocation was pretty much dead.

lucumo•10m ago
To clarify, https://revoked.badssl.com/ is the one being blocked. https://revoked-isrgrootx1.letsencrypt.org/ shows just fine.
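
An added example, not part of the thread and not code from Let's Encrypt or any browser: it shows why a revoked certificate still loads in a client that only validates the chain, and is rejected only once a CRL from the issuer is consulted. It assumes the third-party Python `cryptography` package; the CA, hostnames and keys are constructed throwaway values, and validity-date and hostname checks are left out.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)
ROOT_CN = "Constructed Demo Root"  # hypothetical CA name

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _issue(cn, public_key, signing_key, is_ca):
    # Constructed certificate signed by the demo root key.
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(ROOT_CN))
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def build_demo():
    """Return (ca_cert, revoked_leaf, good_leaf, crl); the CRL lists only revoked_leaf."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = _issue(ROOT_CN, ca_key.public_key(), ca_key, True)
    leaves = [_issue(cn, ec.generate_private_key(ec.SECP256R1()).public_key(), ca_key, False)
              for cn in ("revoked.example.test", "good.example.test")]
    entry = (x509.RevokedCertificateBuilder().serial_number(leaves[0].serial_number)
             .revocation_date(NOW - DAY).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
           .last_update(NOW - DAY).next_update(NOW + 7 * DAY)
           .add_revoked_certificate(entry).sign(ca_key, hashes.SHA256()))
    return ca, leaves[0], leaves[1], crl

def chain_only(ca, leaf):
    """Signature check only: the decision of a client that never fetches revocation data."""
    try:
        ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                               ec.ECDSA(leaf.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def chain_plus_crl(ca, leaf, crl):
    """Same check, then consult a CRL, which must itself be signed by the issuer."""
    if not chain_only(ca, leaf) or not crl.is_signature_valid(ca.public_key()):
        return False
    return crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is None
```

Nothing in the revoked certificate itself changes after revocation, so `chain_only` keeps returning `True` for it; only the second function, which needs fresh data from the CA, can tell the two leaves apart.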
