Firefox Will Disable OCSP Checking for DV and OV Certificates
The Revocation Mechanism Has Been Blamed for Delayed Page Loads
Mozilla will be experimenting with disabling OCSP checking due to performance concerns. OCSP, or Online Certificate Status Protocol, is one of the technical mechanisms used to check if a certificate has been revoked.
The change will be made in an upcoming version of Nightly – a pre-release version of Firefox dedicated to testing new features. If telemetry data shows that it’s best to disable OCSP checking for DV and OV certificates because it reduces the total time of the handshake, it will be brought to the consumer release of Firefox.
This will bring Firefox on par with other major browsers, including Chrome and Safari, which
OCSP Stapling – where the server provides the OCSP response directly to the client – will not be affected. Firefox will also continue to fetch OCSP responses for EV (Extended Validation) certificates.
OCSP has long been criticized as being broken. Because of the operational challenges of deploying the service at a global scale, OCSP often ends up “soft-failing”: when an OCSP check isn’t completed (because the server is down or the connection times out), the certificate is assumed to be valid. With soft-fail, it’s hard to see how OCSP provides any security benefits. Adam Langley, an engineer at Google, compared this problem to “a seat-belt that snaps when you crash.”
According to Mozilla’s telemetry, nearly 9% of successful OCSP checks take more than 1 second. This second adds to the time it takes to establish the SSL/TLS handshake, and represents a significant increase to overall load time.
In a very small number of cases (less than 0.05% of the time), a successful check takes over 3 seconds. While that is a very low rate, it represents more than 4 million page loads.
Coincidentally, Let’s Encrypt’s OCSP service failed earlier this month for about 12 hours, causing performance issues for websites using their certificates. Last year the CA GlobalSign also suffered an issue related to their OCSP servers. These incidents raise questions about the net value of OCSP and whether it’s causing more harm than good.
David Keeler, a security engineer at Mozilla, wrote that “the plan is to monitor telemetry to see if this impacts TLS handshake time.” If there is a performance improvement, they will move forward with disabling the check in all versions of Firefox.
Improvements to OCSP were designed years ago – two additions to the protocol known as Stapling and Must-Staple intended to fix the performance, security, and privacy issues. However, Apache and NGINX, which are the most commonly used webservers, either implement these features poorly or not at all.
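The soft-fail weakness and the Stapling/Must-Staple fix described above can be compared in a small model of the client's decision. This is an added example, not Firefox's code; the policy names, `client_accepts` and `scenario_table` are hypothetical, and the model assumes the client enforces Must-Staple.

```python
from enum import Enum
from itertools import product


class Ocsp(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"  # responder down, timed out, or blocked on path


def client_accepts(policy, must_staple, stapled, live):
    """Return True if the modelled client continues the TLS handshake.

    policy      -- "none", "soft-fail" or "hard-fail" (handling of live OCSP)
    must_staple -- certificate asks clients to require a stapled response
    stapled     -- Ocsp.GOOD / Ocsp.REVOKED from the server, or None
    live        -- what a live query to the CA's responder would return
    """
    if stapled is not None:          # CA-signed answer arrived in the handshake
        return stapled is Ocsp.GOOD
    if must_staple:                  # no staple on a Must-Staple cert: reject
        return False
    if policy == "none":             # live OCSP checking disabled
        return True
    if live is Ocsp.UNAVAILABLE:     # the case that separates soft from hard fail
        return policy == "soft-fail"
    return live is Ocsp.GOOD


def scenario_table():
    """Map (policy, must_staple) to outcomes for three constructed cases."""
    table = {}
    for policy, ms in product(("none", "soft-fail", "hard-fail"), (False, True)):
        table[(policy, ms)] = (
            # 1. No staple, responder unreachable. The client cannot tell a
            #    revoked cert with blocked OCSP from a valid cert in an outage.
            client_accepts(policy, ms, None, Ocsp.UNAVAILABLE),
            # 2. Good staple, responder unreachable (outage does not matter).
            client_accepts(policy, ms, Ocsp.GOOD, Ocsp.UNAVAILABLE),
            # 3. No staple, responder reachable and reporting revocation.
            client_accepts(policy, ms, None, Ocsp.REVOKED),
        )
    return table


if __name__ == "__main__":
    for (policy, ms), outcome in scenario_table().items():
        print(f"{policy:9} must_staple={ms!s:5} -> {outcome}")
```

In case 1, soft-fail accepts and hard-fail rejects regardless of whether the certificate is actually revoked, which is the trade-off between no protection and outage-induced breakage; only a stapled response (case 2) removes the dependency on the responder being reachable.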