Firefox Will Disable OCSP Checking for DV and OV Certificates
The Revocation Mechanism Has Been Blamed for Delayed Page Loads
Mozilla will be experimenting with disabling OCSP checking due to performance concerns. OCSP, or Online Certificate Status Protocol, is one of the technical mechanisms used to check if a certificate has been revoked.
The change will be made in an upcoming version of Nightly – a pre-release version of Firefox dedicated to testing new features. If telemetry data shows that it’s best to disable OCSP checking for DV and OV certificates because it reduces the total time of the handshake, it will be brought to the consumer release of Firefox.
This will bring Firefox to par with other major browsers, including Chrome and Safari, which
OCSP Stapling – where the server provides the OCSP response directly to the client – will not be affected. Firefox will also continue to fetch OCSP responses for EV (Extended Validation) certificates.
OCSP has long been criticized as being broken. Because of the operational challenges of deploying the service at a global scale, OCSP often ends up in a situation where it “soft-fails” – meaning in the case that an OCSP check isn’t completed (because the server is down or the connection times out) the certificate is assumed to be valid. With soft-fail, it’s hard to see how OCSP provides any security benefits. Adam Langley, an engineer at Google, compared this problem to “a seat-belt that snaps when you crash.”
According to Mozilla’s telemetry, nearly 9% of successful OCSP checks take more than 1 second. This second adds to the time it takes to establish the SSL/TLS handshake, and represents a significant increase to overall load time.
In a very small number of cases (less than .05% of the time), a successful check takes over 3 seconds. While that is a very low rate it represents more than 4 million page loads.
Coincidently, Let’s Encrypt’s OCSP service failed earlier this month for about 12 hours, causing performance issues for websites using their certificates. Last year the CA GlobalSign also suffered an issue related to their OCSP servers. These incidents issues raise questions about the net value of OCSP and if it’s causing more harm than good.
David Keeler, a security engineer at Mozilla, wrote that “the plan is to monitor telemetry to see if this impacts TLS handshake time.” If there is a performance improvement, they will move forward with disabling the check in all versions of Firefox.
Improvements to OCSP were designed years ago – two additions to the protocol known as Stapling and Must-Staple intended to fix the performance, security, and privacy issues. However, Apache and NGINX, which are the most commonly used webservers, either implement these features poorly or not at all.
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownPayPal Phishing Certificates Far More Prevalent Than Previously Thought
in Industry Lowdown