May 13, 2016
OCSP stapling is a method for quickly and safely determining whether or not an SSL certificate is valid. It allows a web server to provide information on the validity of its own certificates rather than having to request the information from the certificate’s vendor.
Although encrypted web traffic protects users, it requires additional steps to verify integrity and confidentiality. One of these steps is determining whether or not the SSL certificate used to secure a website is still valid, or whether it has expired or been revoked.
The only way to verify the current status of a certificate is to ask its vendor. Since the vendor maintains key information about the certificate including expiration date and any actions performed on the certificate, browsers ensure user safety by requesting certificate information from the vendor instead of from the web server.
How OCSP Stapling Works
The Online Certificate Status Protocol (or OCSP) is a way for a web browser to determine the validity of an SSL certificate by checking with the vendor of the certificate. While OCSP improves security, it causes websites to load more slowly since the browser has to communicate with both the web server and the vendor. With OCSP stapling, the web server downloads a copy of the vendor’s response, which it can deliver directly to the browser.
Here’s a rundown of how OCSP stapling works:
- A web server hosting an SSL-encrypted website queries the certificate vendor. The vendor responds with the status of the certificate and a digitally signed time-stamp. Because the response is digitally signed, the web server cannot modify it without invalidating the signature.
- When a web browser connects to the server, the server bundles (or “staples”) the vendor’s signed, time-stamped response with the SSL certificate.
- The browser verifies the vendor’s signature and checks the time-stamp to make sure the response is still fresh. Since the response is signed by the vendor, the browser can trust the status it reports.
- Based on the OCSP response, the browser either opens the page or shows an error message to the user.
OCSP stapling shifts the burden of handling OCSP requests from certificate vendors to web hosts. By doing so, it helps SSL connections perform faster while preventing users from transmitting sensitive browsing information to third parties.
Example of OCSP Stapling
Say a user decides to visit MaxCDN.com. Since the website is SSL encrypted, the status of the certificate needs to be determined by the certificate’s vendor (in this case, GoDaddy.com). With plain OCSP, the browser would query GoDaddy directly, resulting in a slower load time. Additionally, the user would have to provide GoDaddy with MaxCDN’s URL, which allows GoDaddy to determine who browsed which site at which time.
With OCSP stapling, MaxCDN periodically queries GoDaddy and caches a response, which is then provided to the browser. The browser checks the time-stamp to confirm the response is still current and verifies the vendor’s digital signature, which prevents the server from tampering with the response. More importantly, OCSP stapling allows the website to load faster while protecting the user’s privacy.
Benefits of OCSP Stapling
OCSP stapling ensures the safety and privacy of confidential data with minimal intervention from web hosts.
- Users experience faster load times for secure content since their browsers have to make fewer third-party requests.
- Enterprises see higher customer satisfaction since secure content can be delivered to users more quickly.
Enabling OCSP Stapling
OCSP stapling is supported by most modern web browsers and is enabled by default in IIS. For Apache and Nginx, enabling OCSP stapling requires additional directives in the site’s virtual host file.
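The directives below are an added example of an Nginx virtual host with OCSP stapling turned on; they are not configuration from the original post. The host name, certificate paths and resolver address are placeholders for your own values.

```nginx
# Added example: Nginx virtual host with OCSP stapling enabled.
# example.com, the /etc/ssl paths and 192.0.2.53 are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    # The certificate file must contain the full chain (leaf plus
    # intermediates) so Nginx knows which CA to query for the OCSP response.
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # Fetch the vendor's signed OCSP response and staple it to the TLS
    # handshake instead of making every browser contact the vendor itself.
    ssl_stapling on;

    # Verify the vendor's signature on the response before stapling it,
    # using the CA chain below; a response that fails verification is not sent.
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example.com/chain.pem;

    # Nginx resolves the OCSP responder's host name itself, so a resolver is
    # required; without one it logs a "no resolver defined" error and staples nothing.
    resolver 192.0.2.53 valid=300s;
    resolver_timeout 5s;
}
```

The Apache equivalent is `SSLUseStapling on` inside the virtual host plus an `SSLStaplingCache` directive in the global server configuration. To confirm stapling is working, `openssl s_client -connect example.com:443 -status` should print an OCSP Response Status of successful together with `Cert Status: good`; note that Nginx fetches the response lazily, so the very first handshake after a restart may not yet carry a staple.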
With the increasing severity of attacks on the web’s infrastructure, enterprises need to find ways to increase security without impacting the user experience. As of May 2013, only 21% of SSL certificates included OCSP responses. Adding OCSP stapling can improve security while giving a business a performance boost over its competitors.
In the digital world, there are very few opportunities to simultaneously improve security and performance. OCSP stapling makes it easy to do both.