This certradar-cli tool currently flags when OSCP Stapling is not enabled, presenting it as an issue that should be resolved.
Let's Encrypt has recently ended support of OCSP stapling (in favour of CRLs) due to privacy issues where the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor’s particular IP address. Even when a CA intentionally does not retain this information, as is the case with Let’s Encrypt, CAs could be legally compelled to collect it. CRLs do not have this issue.
https://letsencrypt.org/2024/12/05/ending-ocsp
Given this, it might be prudent to either remove the issue flagged by certradar-cli when OSCP Stapling is not enabled, or downgrade it from an issue to an informative alert.
This certradar-cli tool currently flags when OSCP Stapling is not enabled, presenting it as an issue that should be resolved.
Let's Encrypt has recently ended support of OCSP stapling (in favour of CRLs) due to privacy issues where the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor’s particular IP address. Even when a CA intentionally does not retain this information, as is the case with Let’s Encrypt, CAs could be legally compelled to collect it. CRLs do not have this issue.
https://letsencrypt.org/2024/12/05/ending-ocsp
Given this, it might be prudent to either remove the issue flagged by certradar-cli when OSCP Stapling is not enabled, or downgrade it from an issue to an informative alert.