CRLite ships compressed revocation information for the public Web to Firefox users, four times a day. We have a blogpost series on CRLite at the Security Blog <https://blog.mozilla.org/security/tag/crlite/> (with another post coming later this month), there’s additional information at GitHub <https://github.com/mozilla/crlite>, and for the Gecko-side, a meta-bug <https://bugzilla.mozilla.org/show_bug.cgi?id=crlite>.

We’ve been collecting telemetry on how much CRLite can speed up first TLS connections <https://blog.mozilla.org/security/2020/01/21/crlite-part-3-speeding-up-secure-browsing/> all year. Since August, we’ve been publishing the datasets consistently four times per day, with “stashes” (delta updates) averaging about 66 kB. (https://github.com/mozilla/crlite/wiki#how-can-i-access-statistics-about-the-available-filters) If you’d like to poke around inside the filter data, see https://github.com/mozilla/crlite/wiki#how-can-i-query-my-crlite-filter

Nightly is now preferring CRLite <https://github.com/mozilla/crlite> for revocation information, meaning fresh TLS connections will skip OCSP when CRLite can substitute (e.g., we set security.pki.crlite_mode to 2, “Enforce”). We expect to see improvement in the SSL_TIME_UNTIL_READY telemetry: it’s mostly expected to speed up the outliers in the graph, since revocation checks get cached, and it is likely to have the largest effects for Firefox users with slower network connections.

We don’t expect breakage from this change, as we’ve grown fairly confident in the dataset, but this is going to remain in Nightly for now.

After this speed-up testing, our likely next step is to add telemetry to compare live OCSP results against CRLite’s results for outlier-accuracy (encountering revocations is rare, so care is needed). We’ll ultimately run both the accuracy and the speedup tests in early Beta as well. We’ll develop Release-path plans based on early Beta testing and telemetry.

For more information, come see us in #crlite in Slack or #crlite:mozilla.org on Matrix <https://matrix.to/#/!zSwoVqWeXUHRiaIFvk:mozilla.org?via=mozilla.org&via=matrix.org>.

- J.C. on behalf of Mozilla Crypto Engineering