The Revocation Mechanism Has Been Blamed for Delayed Page Loads
Mozilla will be experimenting with disabling OCSP checking due to performance concerns. OCSP, or Online Certificate Status Protocol, is one of the technical mechanisms used to check if a certificate has been revoked.
The change will be made in an upcoming version of Nightly – a pre-release version of Firefox dedicated to testing new features. If telemetry data shows that it’s best to disable OCSP checking for DV and OV certificates because it reduces the total time of the handshake, it will be brought to the consumer release of Firefox.
This will bring Firefox to par with other major browsers, including Chrome and Safari, which
OCSP Stapling – where the server provides the OCSP response directly to the client – will not be affected. Firefox will also continue to fetch OCSP responses for EV (Extended Validation) certificates.
OCSP has long been criticized as being broken. Because of the operational challenges of deploying the service at a global scale, OCSP often ends up in a situation where it “soft-fails” – meaning in the case that an OCSP check isn’t completed (because the server is down or the connection times out) the certificate is assumed to be valid. With soft-fail, it’s hard to see how OCSP provides any security benefits. Adam Langley, an engineer at Google, compared this problem to “a seat-belt that snaps when you crash.”
According to Mozilla’s telemetry, nearly 9% of successful OCSP checks take more than 1 second. This second adds to the time it takes to establish the SSL/TLS handshake, and represents a significant increase to overall load time.
In a very small number of cases (less than .05% of the time), a successful check takes over 3 seconds. While that is a very low rate it represents more than 4 million page loads.
Coincidently, Let’s Encrypt’s OCSP service failed earlier this month for about 12 hours, causing performance issues for websites using their certificates. Last year the CA GlobalSign also suffered an issue related to their OCSP servers. These incidents issues raise questions about the net value of OCSP and if it’s causing more harm than good.
David Keeler, a security engineer at Mozilla, wrote that “the plan is to monitor telemetry to see if this impacts TLS handshake time.” If there is a performance improvement, they will move forward with disabling the check in all versions of Firefox.
Improvements to OCSP were designed years ago – two additions to the protocol known as Stapling and Must-Staple intended to fix the performance, security, and privacy issues. However, Apache and NGINX, which are the most commonly used webservers, either implement these features poorly or not at all.