undefined | Better HN

0 pointsjsiepkes9mo ago0 comments

As far as I know OCSP isn't enabled by default in any browser.

0 comments

3 comments · 1 top-level

chrismorgan9mo ago· 2 in thread

It’s enabled in Firefox (pref security.OCSP.enabled defaults to 1¹), but not forced (pref security.OCSP.require defaults to false²). I believe Safari behaves the same way.

—though I’m not sure how this fits in with https://hacks.mozilla.org/2025/08/crlite-fast-private-and-co... which said “we will be disabling OCSP for domain validated certificates in Firefox 142”. This is a stunningly fuzzy area where the true and accurate information is difficult to come by.

—⁂—

¹ https://searchfox.org/firefox-main/source/modules/libpref/in.... Actually, on Android it defaults to 2, which skips OCSP on DV certificates, which is almost all these days.

² https://searchfox.org/firefox-main/source/modules/libpref/in...

jsiepkesOP9mo ago

> “we will be disabling OCSP for domain validated certificates in Firefox 142”. This is a stunningly fuzzy area where the true and accurate information is difficult to come by.

Doesn't seem all that fuzzy to me? Domain validated certificates are certificates where only domain name ownership is verified (like ACME does for Let's Encrypt). So it seems starting with Firefox 142 OCSP would be disabled by default for Let's Encrypt certificates.

chrismorgan9mo ago

The pref defaults don’t match that narrative. The blog post could be wrong, the prefs could have been repurposed without being renamed, something else… and the whole thing is very difficult to inspect.

j / k navigate · click thread line to collapse