Let’s Encrypt Kills OCSP to Boost Privacy, Citing 340 Billion Monthly Requests
Let’s Encrypt has officially retired its OCSP (Online Certificate Status Protocol) service, leaving CRLs (Certificate Revocation Lists) as its revocation mechanism. As the organization noted, OCSP URLs have not been included in newly issued certificates since April 2025, and because Let’s Encrypt certificates are valid for 90 days, every older certificate that still pointed at an OCSP responder has now expired.
The primary reason for abandoning OCSP is user privacy. When a browser checks a certificate’s status via OCSP, it sends the Certificate Authority (CA) a request that identifies the certificate by serial number, and therefore the website being visited, from the user’s IP address. Even if a CA like Let’s Encrypt does not store this information, it could be logged inadvertently, or the CA could be legally compelled to retain it. CRLs work differently: the CA publishes a static, signed list of revoked certificates that clients download in bulk, so no per-visit lookup ever reaches the CA. In practice the major browsers do not even fetch CRLs directly; they consume them through aggregated mechanisms such as Chrome’s CRLSets and Firefox’s CRLite, which pushes the revocation data to the client without any query at connection time.
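To see which revocation pointers a given certificate actually carries (an OCSP responder URL in the Authority Information Access extension, CRL Distribution Points, both, or neither), the following shell script is an added example; it is not Let’s Encrypt’s tooling, and it assumes only the openssl command-line tool. The function names and the classification labels are choices made for this illustration.

```shell
#!/bin/sh
# Added example (not Let's Encrypt's code): report which revocation pointers a
# PEM certificate carries, so you can confirm whether it still names an OCSP
# responder or relies on CRL Distribution Points only. Requires the openssl CLI.

# Print the OCSP responder URI(s) from the Authority Information Access
# extension, one per line; prints nothing if the certificate has none.
cert_ocsp_uri() {
  openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# Print CRL Distribution Point URIs, one per line; prints nothing if absent.
# Parsed from the -text dump, whose layout is the same in OpenSSL 1.1.1 and 3.x:
# the URIs sit under the "X509v3 CRL Distribution Points" heading until the
# next extension heading (or the trailing signature block) begins.
cert_crl_uris() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
    /X509v3 CRL Distribution Points/ { inblk = 1; next }
    inblk && /^ *(X509v3|Authority Information Access|Signature Algorithm)/ { inblk = 0 }
    inblk && /URI:/ { sub(/.*URI:/, ""); print }
  '
}

# Classify the certificate as "ocsp+crl", "ocsp", "crl" or "none".
# A certificate issued by Let's Encrypt after the change should report "crl".
revocation_mode() {
  ocsp=$(cert_ocsp_uri "$1")
  crl=$(cert_crl_uris "$1")
  if [ -n "$ocsp" ] && [ -n "$crl" ]; then
    echo "ocsp+crl"
  elif [ -n "$ocsp" ]; then
    echo "ocsp"
  elif [ -n "$crl" ]; then
    echo "crl"
  else
    echo "none"
  fi
}

# Usage: sh revocation-check.sh cert.pem [more.pem ...]
for cert in "$@"; do
  printf '%s: %s\n' "$cert" "$(revocation_mode "$cert")"
done
```

Run it against the leaf certificate you serve (for example the file Certbot writes as cert.pem): a result of "crl" means clients will never contact the CA about this certificate on your visitors’ behalf, while "ocsp" or "ocsp+crl" means the certificate was issued under the old profile and the OCSP responder it names may no longer answer.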
Infrastructure simplification is another priority for Let’s Encrypt. Operating OCSP responders has consumed substantial resources throughout the CA’s history, whereas serving CRLs reduces operational load and improves service resilience: a CRL is a single signed file that can be cached and mirrored, rather than a per-request signing service that must stay online for every TLS handshake that queries it.
At its peak this year, Let’s Encrypt’s OCSP service handled up to 340 billion requests per month, around 140,000 per second via CDN and 15,000 per second directly to its own servers. This demand was sustained with the help of Akamai, which has provided CDN services to Let’s Encrypt free of charge for the past decade.
Let’s Encrypt has reaffirmed its commitment to building an open and secure TLS certificate infrastructure, prioritizing simplicity, reliability, and minimal privacy risk.