
Mozilla has officially introduced CRLite, a new on-device certificate revocation system, in Firefox 142.
CRLite is designed to eliminate the long-standing tradeoff between privacy, speed, and security in certificate revocation, a core weakness of HTTPS infrastructure: it lets revoked certificates be identified without exposing users' browsing or slowing page loads.
The development of CRLite is the culmination of a multi-year initiative led by Mozilla, with contributions from both internal engineers and external collaborators. The feature is now being used in production as part of Firefox 142, representing a significant leap over earlier revocation mechanisms like OCSP (Online Certificate Status Protocol) and CRLs (Certificate Revocation Lists), both of which have long suffered from inefficiencies and privacy shortcomings.
Moving the process locally
Certificate revocation is critical to HTTPS, the protocol that encrypts most web traffic and ensures users are connected to authentic websites. When a certificate is compromised, whether through mis-issuance or theft of its private key, it must be revoked to prevent malicious use. Traditional revocation methods require browsers to check with third-party servers to determine whether a certificate is still valid. These checks introduce performance delays and, more troublingly, leak browsing behavior to external parties.
Firefox's CRLite changes that by storing all certificate revocation data locally on the user's device. The system compresses the entire set of revocations, covering tens of millions of entries, into a space-efficient format, requiring just 300 KB of daily updates to remain current. This enables Firefox to perform revocation checks without any network communication, preserving user privacy and eliminating latency caused by remote lookups.
Mozilla, the non-profit behind Firefox, has long positioned itself as a champion of user-first web technologies, advocating for strong encryption, minimal data exposure, and open standards. With CRLite, Mozilla not only delivers a revocation mechanism that aligns with those values but also outpaces competing browsers, many of which rely on more limited or heuristic-based revocation strategies.
CRLite builds upon several technical innovations, including the use of Bloom filters and other probabilistic data structures to enable fast and compact storage. The lead engineer on the project, John Schanck, has published a detailed technical deep dive, and Mozilla has also released an academic paper outlining the system's architecture and performance metrics.
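The filter-based approach described above has an obvious catch: a single Bloom filter has false positives, so it alone would wrongly flag some valid certificates as revoked. The CRLite design (from the published paper, not from this article) resolves that with a filter cascade: because Certificate Transparency logs give the browser the full set of non-revoked certificates too, each level encodes exactly the certificates the previous level got wrong, until no errors remain. The following is an added illustration, not Mozilla's code; the hash construction, filter sizes and the sample identifiers are constructed for the example, and real deployments use far larger parameters and newer structures than plain Bloom filters.

```python
import hashlib

class BloomFilter:
    """Bloom filter over `m` bits with `k` SHA-256-derived hash positions."""
    def __init__(self, m, k, salt):
        self.m, self.k, self.salt = m, k, salt
        self.bits = bytearray((m + 7) // 8)

    def _positions(self, item):
        for i in range(self.k):  # salt makes each level's hashes independent
            h = hashlib.sha256(f"{self.salt}:{i}:".encode() + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))

def build_cascade(revoked, unrevoked, bits_per_item=5, k=3, max_depth=100):
    """Level 0 encodes the revoked set. Every certificate a level wrongly
    accepts is encoded in the next level, so the finished cascade is exact
    for every certificate in either input set."""
    levels, include, exclude = [], set(revoked), set(unrevoked)
    while include:
        if len(levels) >= max_depth:
            raise RuntimeError("cascade did not converge; raise bits_per_item")
        bf = BloomFilter(max(bits_per_item * len(include), 8), k, salt=len(levels))
        for item in include:
            bf.add(item)
        levels.append(bf)
        # only items this level wrongly accepts must be told apart at the next one
        include, exclude = {x for x in exclude if x in bf}, include
    return levels

def is_revoked(levels, cert_id):
    """The first level that rejects `cert_id` decides: rejection at an even
    level means 'not revoked', at an odd level 'revoked'."""
    for depth, bf in enumerate(levels):
        if cert_id not in bf:
            return depth % 2 == 1
    return len(levels) % 2 == 1  # passed every level: belongs to the last level's set

# Constructed sample: identifiers stand in for (issuer, serial) pairs seen in CT logs.
REVOKED = {f"issuer-A:serial-{n:05d}".encode() for n in range(5)}
UNREVOKED = {f"issuer-A:serial-{n:05d}".encode() for n in range(5, 505)}
CASCADE = build_cascade(REVOKED, UNREVOKED)

def check_all():
    """Return (cascade depth, false positives of level 0 alone, cascade errors)."""
    fp_single = sum(1 for c in UNREVOKED if c in CASCADE[0])
    errors = sum(1 for c in REVOKED if not is_revoked(CASCADE, c))
    errors += sum(1 for c in UNREVOKED if is_revoked(CASCADE, c))
    return len(CASCADE), fp_single, errors
```

`check_all()` shows level 0 alone misclassifying some valid certificates while the full cascade makes no errors; certificates outside both input sets (not in the logs the cascade was built from) still get no reliable answer and need a fallback check.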
Despite Firefox being the first browser to deploy CRLite at this scale, Mozilla hopes that its approach will gain broader adoption. The system has been explicitly designed to be adaptable by other browsers and clients, in line with Mozilla's goal of raising the overall baseline of internet security rather than maintaining exclusivity.
Firefox users should ensure they're updated to version 142 to benefit from CRLite. The new service will run silently in the background, requiring no additional configuration to activate.