OCSP Stapling


What is OCSP Stapling?

 
OCSP stapling is a method of the Online Certificate Status Protocol (OCSP) that removes the need for a browser to check with a third party to determine if a security certificate is valid.

OCSP stapling essentially “staples” the status verification to the responding webserver which you control, rather than relying on a third party server that you do not.

 

What is OCSP ?

 
It is a method used by browsers to make sure a security certificate is valid.

Web browsers check the status of a security certificate with a third-party OCSP server. If the certificate is valid, the HTTPS connection continues.
 

Web Browsers are using OCSP now

 
OCSP was used in some form for you to see this page you are reading. OCSP is used now, but whether or not OCSP Stapling is being used depends on how that individual web server is configured.

OCSP: Web browsers have decided to use this for you (you the webmaster have no say in this)
OCSP Stapling: You the webmaster can decide to use (you have control of whether you use this or not)

In a nutshell OCSP is being used now, and OCSP Stapling is an improved method of OCSP that you can decide to use.

 

OCSP (without stapling) Issues

 
OCSP is an effective way to check if key certificates are valid, but it presents some significant issues as well. The current way OCSP is implemented by browsers raises three major concerns: privacy, performance and a potential point of failure.

One step in OCSP is to check the validity of your security certificate with a third party server.

It is important to note that you as a webmaster have no control over the way browsers implement this step unless you are using stapling.

 

If you are not using OCSP stapling you will currently have these three issues:

 

Privacy:

When a browser checks the status of a certificate by querying an OCSP server, the operator of that server can collect the requests and determine where, when and by whom they were made, which affects the privacy of the user.

Performance:

OCSP adds an additional request to the process of serving a webpage. This additional request makes a user wait longer to see your webpage. Depending on how slowly the OCSP server is responding, that additional time can be a real issue.

Potential Point of Failure:

As explained above, the OCSP system browsers use adds an additional step of querying an OCSP server. This means that there is now a third party involved that you as a webmaster have no control over, so if the OCSP server is failing, this can have consequences for you and your users even if your server is up and running perfectly.

These issues can be resolved by OCSP stapling, but it must be implemented on your server to reap the rewards.
 

What OCSP Stapling does

 
Let’s explore the difference between two connections, one made with OCSP and one made with OCSP stapling.

In a normal OCSP connection without stapling (the way browsers are doing it right now)

There are basically three steps to validating a security certificate, involving your server, the web browser and a third-party OCSP server.

When you put the user in the equation it looks something like this…

1. A browser will get a request from a user to visit example.com
2. The browser requests the page from example.com
3. Browser receives a response from example.com indicating it is a secure page
4. The browser then contacts an OCSP server to see if the example.com certificate is valid
5. Once the browser verifies the certificate is valid, it will show user the page

In an OCSP connection with stapling

There are basically two steps to get to validating a security certificate which only requires the web browser and your web server (no third party required).
With the user in the equation it looks something like this…

1. A browser will get a request from a user to visit example.com
2. The browser requests the page from example.com
3. Browser receives a response from example.com indicating it is a secure page with a valid certificate and shows user the page
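The practical way to tell which of the two sequences above your own server produces is to ask it for a stapled response during the handshake and look at what comes back. The script below is an added example and is not part of the original article: it runs `openssl s_client -status` (which prints the stapled response if the server sent one) and classifies the transcript. The two transcripts embedded in it are constructed samples trimmed to the lines a real s_client run prints; `stapling_status` and `check_host` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original article. Classifies the transcript
# printed by `openssl s_client -status`, which asks the server for a stapled
# OCSP response during the TLS handshake and prints whatever came back.

# Read an s_client transcript on stdin and print one of:
#   stapled:good      stapled response present, certificate not revoked
#   stapled:revoked   stapled response present, certificate revoked
#   stapled:unknown   stapled response present, responder has no status for it
#   not-stapled       server sent no OCSP response (the browser must ask a third party)
#   undetermined      neither marker found (handshake failed or output truncated)
stapling_status() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'OCSP Response Status: successful'; then
        if printf '%s\n' "$transcript" | grep -q 'Cert Status: good'; then
            echo "stapled:good"
        elif printf '%s\n' "$transcript" | grep -q 'Cert Status: revoked'; then
            echo "stapled:revoked"
        else
            echo "stapled:unknown"
        fi
    elif printf '%s\n' "$transcript" | grep -q 'OCSP response: no response sent'; then
        echo "not-stapled"
    else
        echo "undetermined"
    fi
}

# Query a live host (needs network access; not exercised by the samples below).
# -servername matters: without SNI many servers present a default certificate
# that carries no stapled response, which would give a false "not-stapled".
check_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null \
        | stapling_status
}

# Constructed sample: a server that staples a "good" response.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================
---
Certificate chain
 0 s:CN = example.com'

# Constructed sample: a server with stapling off (the sequence without stapling).
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = example.com'

# Stand-alone run: show both outcomes on the constructed samples.
printf 'stapled sample:     %s\n' "$(printf '%s\n' "$SAMPLE_STAPLED" | stapling_status)"
printf 'not-stapled sample: %s\n' "$(printf '%s\n' "$SAMPLE_NOT_STAPLED" | stapling_status)"
```

Run `check_host example.com` after turning stapling on (in nginx the switches are `ssl_stapling on;` and `ssl_stapling_verify on;`, in Apache `SSLUseStapling on` together with an `SSLStaplingCache`). Two caveats worth checking for: the server can only staple what it has already fetched from the CA's OCSP responder, so a server that cannot reach the responder silently sends nothing and the browser falls back to its own query, which is why the check is worth repeating after deployment and not just once; and a stapled response is still signed by the CA, so the browser continues to rely on that signature, it just no longer has to contact the responder itself.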
 

Advantages of OCSP stapling

 
When a server is properly configured to use OCSP stapling there are…

Performance gains – one less server to deal with

Privacy gains – no third parties involved in your traffic

Fewer possible points of failure – the fewer things involved with your traffic, the less that can go wrong
 

Control Issues

 
It seems natural to me to implement OCSP stapling if only to have control of my own traffic.

I do not want to depend on third party servers I do not control. Nobody does, yet that is exactly what is occurring if you are not using OCSP stapling: you are handing some control over to third parties that you may or may not be able to rely on.
