Editing HTTPS (section)

=====Certificate revocation=====
{{main|Certificate revocation}}
A certificate may be revoked before it expires, for example because the secrecy of the private key has been compromised. Newer versions of popular browsers such as [[Firefox]],<ref>{{cite web |url=https://www.mozilla.org/en-US/privacy/ |title=Mozilla Firefox Privacy Policy |publisher=[[Mozilla Foundation]] |date=27 April 2009 |access-date=20 October 2018 |archive-url=https://web.archive.org/web/20181018063732/https://www.mozilla.org/en-US/privacy/ |archive-date=18 October 2018 |url-status=live }}</ref> [[Opera (web browser)|Opera]],<ref>{{cite news |url=https://news.softpedia.com/news/Opera-8-launched-on-FTP-1330.shtml |title=Opera 8 launched on FTP |publisher=[[Softpedia]] |date=19 April 2005 |access-date=20 October 2018 |archive-url=https://web.archive.org/web/20190209055128/https://news.softpedia.com/news/Opera-8-launched-on-FTP-1330.shtml |archive-date=9 February 2019 |url-status=live }}</ref> and [[Internet Explorer]] on [[Windows Vista]]<ref>{{cite web |last=Lawrence |first=Eric |date=31 January 2006 |url=https://docs.microsoft.com/en-us/previous-versions/aa980989(v=msdn.10) |title=HTTPS Security Improvements in Internet Explorer 7 |website=[[Microsoft Docs]] |access-date=24 October 2021 |archive-date=24 October 2021 |archive-url=https://web.archive.org/web/20211024181937/https://docs.microsoft.com/en-us/previous-versions/aa980989(v=msdn.10) |url-status=live }}</ref> implement the [[Online Certificate Status Protocol]] (OCSP) to verify that this is not the case. The browser sends the certificate's serial number to the certificate authority or its delegate via OCSP (Online Certificate Status Protocol) and the authority responds, telling the browser whether the certificate is still valid or not.<ref>{{cite web |url=https://tools.ietf.org/html/rfc2560 |title=Online Certificate Status Protocol – OCSP |publisher=[[Internet Engineering Task Force]] |date=20 June 1999 |last1=Myers |first1=Michael |last2=Ankney |first2=Rich |last3=Malpani |first3=Ambarish |last4=Galperin |first4=Slava |last5=Adams |first5=Carlisle |doi=10.17487/RFC2560 |access-date=20 October 2018 |archive-url=https://web.archive.org/web/20110825095059/http://tools.ietf.org/html/rfc2560 |archive-date=25 August 2011 |url-status=live }}</ref> The CA may also issue a [[Certificate revocation list|CRL]] to tell people that these certificates are revoked. CRLs are no longer required by the CA/Browser forum,<ref>{{cite web |url=https://cabforum.org/baseline-requirements-documents/ |title=Baseline Requirements |date=4 September 2013 |publisher=CAB Forum |access-date=1 November 2021 |url-status=live |archive-date=20 October 2014 |archive-url=https://web.archive.org/web/20141020234802/https://cabforum.org/baseline-requirements-documents/ }}</ref>{{Update inline|date=April 2025|reason=CRLs are actually required.}} nevertheless, they are still widely used by the CAs. Most revocation statuses on the Internet disappear soon after the expiration of the certificates.<ref name=RS_1>{{cite book| author1=Korzhitskii, N.| author2=Carlsson, N.| title=Passive and Active Measurement| chapter=Revocation Statuses on the Internet| series=Lecture Notes in Computer Science| date=30 March 2021| volume=12671| pages=175–191| doi=10.1007/978-3-030-72582-2_11| arxiv=2102.04288| isbn=978-3-030-72581-5}}</ref>