Mozilla has introduced a new certificate revocation system in Firefox 142 called CRLite. The browser maker said that CRLite makes browsing faster, more private, and more secure. As a bit of background, certificate revocation is useful for informing browsers that a website’s certificate is no longer trustworthy. In the past, communicating revocation information has been difficult and forced trade-offs between privacy, security, and performance.
CRLite operates entirely on-device, which eliminates the need for online checks. This on-device operation also prevents page load slowdowns and the leaking of visited sites to third parties. For those wondering if all this on-device processing leads to any kind of slowdown, the answer is no, it’s efficient enough to store all certificate revocations locally. The only data requirement that the feature has is 300KB per day of continuous updates to stay current - that’s a very small requirement in this day and age.
The development of CRLite is notable because other browsers have deployed similar approaches but could only store a small fraction of the revoked certificates. Clever algorithms and techniques were used to achieve this performance, technical details have been outlined in a Hacks post.
Mozilla says that CRLite “sets a new standard for revocation security” and that it hopes this level of security will be adopted by other browsers and internet clients. The browser maker has designed it in such a way that makes it easy to adopt or adapt for other browser vendors.
If you want to learn more about the technical details of CRLite, you can check out the accompanying Hacks post as well as a 12-page technical paper that goes even more in-depth. The development of CRLite has taken several years and involved individuals residing inside and outside of Mozilla. The first version of Firefox to use CRLite is Firefox 142, which Neowin reported on recently.