
Cryptography & Security Newsletter

123

Mozilla Fixes Certificate Revocation Checking

31 March 2025

Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. It's designed to keep you informed about the latest developments in this space. Enjoyed every month by more than 50,000 subscribers. Written by Ivan Ristić.

You may recall from our January 2025 newsletter, which was dedicated to the demise of OCSP revocation checking (The Slow Death of OCSP), that Let’s Encrypt is planning to stop supporting OCSP in early May—only one month from now. Let’s Encrypt is the leading CA in terms of issued certificates, so its withdrawal from OCSP creates a problem for user agents that still rely on this method of revocation checking. This impending deadline may have spurred one such agent—Mozilla—to complete the outstanding work required to replace OCSP with a novel solution called CRLite.

CRLite is a mechanism for retrieving, storing, and distributing certificate revocation information using Certificate Revocation Lists (CRLs) published by CAs. CRLite was first introduced in a paper from 2017 (explained in a YouTube video), but the idea itself existed before that. In order to work around various problems related to revocation checking, all major browser vendors had to build their own proprietary replacements. For example, Adam Langley talks about using Bloom filters for this purpose on his blog.

Efficient storage and processing wasn’t the only problem back then. Before the wider deployment of Certificate Transparency in April 2018, it wasn’t even possible to have a complete list of all CRLs for all issued public certificates. More recently, CCADB added CRL tracking as one of the requirements for CAs.
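The two points above, Bloom filters for compact storage and a complete list of issued certificates, come together in the filter cascade described in the 2017 CRLite paper. The sketch below is an added example, not code from this newsletter or from Mozilla, and it goes beyond the text by showing that construction; the certificate identifiers, filter sizes and hash choice are assumptions, and the later Clubcard encoding is not shown.

```python
import hashlib

class Bloom:
    """Plain Bloom filter; hashes are salted with the cascade level."""
    def __init__(self, items, level, bits_per_item=8, k=3):
        self.level, self.k = level, k
        self.m = max(8, bits_per_item * len(items))
        self.bits = bytearray((self.m + 7) // 8)
        for item in items:
            for p in self._positions(item):
                self.bits[p // 8] |= 1 << (p % 8)

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(f"{self.level}:{i}:".encode() + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def __contains__(self, item):
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(item))

def build_cascade(revoked, valid):
    """Level 0 encodes the revoked set; every further level encodes the
    previous level's false positives, until a level has none."""
    levels, include, exclude = [], set(revoked), set(valid)
    while include:
        f = Bloom(include, len(levels))
        levels.append(f)
        false_positives = {x for x in exclude if x in f}
        include, exclude = false_positives, include
    return levels

def is_revoked(levels, cert_id):
    """Exact only for certificates that were in the build-time universe,
    which is why a complete list of issued certificates is a prerequisite."""
    for depth, f in enumerate(levels):
        if cert_id not in f:
            return depth % 2 == 1   # first miss at an odd level => revoked
    return len(levels) % 2 == 1     # passed every level

def cascade_bytes(levels):
    return sum(len(f.bits) for f in levels)

# Constructed sample universe (hypothetical identifiers, not real certificates).
VALID = [f"issuer-A:serial-{i}".encode() for i in range(2000)]
REVOKED = [f"issuer-A:serial-r{i}".encode() for i in range(50)]
CASCADE = build_cascade(REVOKED, VALID)

if __name__ == "__main__":
    print(len(CASCADE), "levels,", cascade_bytes(CASCADE), "bytes")
    print(is_revoked(CASCADE, REVOKED[0]), is_revoked(CASCADE, VALID[0]))
```

A single Bloom filter would flag some valid certificates as revoked; the extra levels remove those false positives for every certificate known when the cascade was built.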

In 2020, Mozilla began implementing CRLite (read the follow-up blog post to learn about the implementation details). That first attempt failed in the end because even the reduced cost of storage and distribution was too large. Then, at the Real World Cryptography conference in 2022, Mike Hamburg extended the idea behind CRLite (slides) to use a more efficient storage mechanism, and that made a difference. Mozilla picked up the effort again and refined it further with the concept of Clubcard membership. The improved implementation has been trialled in Firefox versions 135 and 136, with CRLite making its full-scale debut in Firefox 137 (desktop version only), due on April 1, 2025. John Schanck, one of Mozilla’s CRLite developers, recently spoke about his team’s work on the project at the RWC 2025 conference.

To support its CRLite effort, Mozilla also updated its Root Store Policy in March. This new version makes a stronger push to ensure that CAs are revoking certificates in a timely manner and that they’re able to respond to high-volume situations.


Certificate Transparency

  • It took a while, but Mozilla finally deployed Certificate Transparency in Firefox, starting with version 135 and only in the desktop version. Mozilla’s policy follows Google’s.
  • Starting with Chrome 134 (released on March 4), Google allows certificates to use the new CT tiled logs for as long as there is at least one SCT from the currently widely deployed RFC6962 logs. This step is intended to test the new tiled logs in production before wider adoption. The tiled logs are designed to make management of CT logs cheaper, easier, and less fragile.
  • Android 16 will allow applications to opt into Certificate Transparency.
  • Sectigo has deployed a new generation of its CT logs powered by a brand-new Postgres backend designed to improve performance. The company’s existing logs, powered by MySQL, have been struggling under load.

Post-Quantum Cryptography

  • Britain’s NCSC released its timelines for post-quantum migration. The proposal is to split the migration into three phases: first, carry out a full discovery by 2028; then, migrate the high-priority properties by 2031; and finally, migrate the remaining properties by 2035.
  • NIST selected HQC as its fifth post-quantum encryption algorithm. A draft standard isn’t expected before 2026, and full standardization not before 2027.
  • JDK 24, which became generally available this month, added support for ML-KEM and ML-DSA. It also introduced the Key Derivation Function API in preview.
  • OpenSSL 3.5, due for release in April, will be an LTS (long-term support) release with significant improvements—among them, support for post-quantum cryptography and server-side QUIC.
  • A blog post from Frank Denis shows how to compile Nginx against OpenSSL 3.5 to add support for post-quantum cryptography and the new AEGIS TLS cipher suites.
  • If you’re looking to catch up with developments in this area, Cloudflare released a beginner's guide to lattice cryptography.
  • Berger et al. wrote Post Quantum Migration of Tor, which outlines a plan to evaluate the impact of Tor’s post-quantum migration.
  • Last month, Jan Schaumann published a blog post covering the state of post-quantum cryptography as of February 2025. There is now a follow-up post that looks at which sites actually support the quantum-resistant TLS handshake.

Other News

  • Although the prominent tech vendors all support end-to-end encryption for instant messaging, interoperability is still a big problem. Rich Communication Services (RCS), a standard for instant messaging on mobile devices, just gained support for end-to-end encryption based on Messaging Layer Security. As a result, we may in the future see end-to-end messaging encryption across devices from many vendors.
  • The RWC 2025 conference was held in Sofia, Bulgaria. The media files haven’t been published as of this writing, but the live streams are available.
  • Mark Klein, who exposed the existence of the NSA’s mass-surveillance program (Room 641A) back in 2006, passed away.
  • Apple’s proposal to reduce certificate lifetimes is still in preballot discussions over at CA/Browser Forum. The third revision was released a couple of days ago. The final push to short lifetimes of only forty-seven days is now planned for 2029.
  • Keyfactor has published a trio of interesting short videos covering software bills of materials, the security of software updates, and SLSA for supply chain transparency.
  • Curl has added experimental support for the HTTPS Resource Record.
