Fast, private and secure (pick three): Introducing CRLite in Firefox
We are pleased to announce that Firefox 142 will begin production usage of our brand new certificate revocation system known as CRLite. CRLite makes your browsing faster, more private, and more secure, and is a significant advancement to the state of the art for encryption on the internet.
Every day, billions of people rely on HTTPS to securely encrypt their communication with websites. This core protocol ensures both that you are communicating with the right website and that other parties can't spy on what you're doing. To make this work, websites obtain certificates from trusted organizations to prove to browsers like Firefox that they are who they say they are. However, mistakes happen: a certificate can be mis-issued to the wrong party, or compromised by a malicious actor. When this happens, the certificate must be revoked so that browsers know it is no longer trustworthy. Communicating this information to browsers is a surprisingly hard problem: all previous methods have had to make tradeoffs between privacy, security, and performance.
Mozilla stands for a web where users shouldn't have to make these tradeoffs. Encryption, privacy and performance are cornerstones of our vision for the web, and it's our mission to build technology that gives users all three without compromise.
CRLite represents a multiyear effort to deliver this vision with a comprehensive system that operates entirely on-device. This eliminates the need for online revocation checks, which both slow down page loads and leak the sites you're visiting to third parties on the network. Other browsers have deployed similar approaches, but these systems have only been able to store a small fraction of all revoked certificates, necessitating imperfect guesswork as to which ones are most important. CRLite is efficient enough to store all certificate revocations locally, requiring only 300KB per day of continuous updates to stay current.
CRLite uses a number of clever algorithms and techniques to achieve its performance, and we are grateful to all the individuals inside and outside Mozilla who contributed insight and code to make it all work. You can find more technical details in the accompanying Hacks post by lead engineer John Schanck, as well as in our recently published paper.
CRLite sets a new standard for revocation security that you'll only find in Firefox today. We're proud of that, but we actually hope it doesn't stay that way. Our mission is to make the internet safer for everyone, and that means we want to see this level of security deployed everywhere, not just in Firefox. We've designed CRLite to be easy for other browsers and internet clients to adopt or adapt, and look forward to comprehensive revocation checking becoming the norm everywhere.

The post Fast, private and secure (pick three): Introducing CRLite in Firefox appeared first on The Mozilla Blog.