An anonymous reader writes: The next version of Firefox will roll out [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/] a 'pushed' blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet [https://dev.chromium.org/Home/chromium-security/crlsets], but, like that older offering, is limited to intermediate certificates, due to size restrictions in the browser. OneCRL will permit non-live verification on EV certificates, trading off currency for speed. Chrome pushes its trawled list of CA revocations every few hours, and Firefox seems set to follow that method and frequency. Both Firefox and Chrome developers admit that OCSP stapling would be the better solution, but it is currently only supported in 9% of TLS certificates.