Online Certificate Status Protocol Headaches


In the past months I have had clients complain about their websites (all using SSL certificates) loading slowly. During our investigation we discovered that if we disable OCSP in their browsers, the issue goes away.

So what is OCSP? It is one of two common schemes for checking whether a certificate presented by a server or other network resource is still trustworthy. This Internet protocol is used to obtain the revocation status of a digital certificate; in my case it confirms that the SSL certificates used on some of my hosted sites are valid certificates.

While I didn’t understand why my clients all of a sudden started having this problem, I was able to get some information from our server administrator on the subject.

“OCSP is still very controversial; its efficacy and long-term adoption are far from certain, and having it enabled is a security risk itself. By disabling it, a small window of risk is being acknowledged and accepted. OCSP options like stapling are not widely tested or deployed yet. They have been proposed since 2007, but Mozilla has not been able to give away $30,000 in grant money to get it integrated into Apache 2.2. Only an experimental version for 2.3-beta is available, and it has been exploited twice in the early part of this year — to produce DoS attacks. Disabling OCSP does not disable encryption; it disables one of three methods of third-party validation of a certificate used to verify a server’s name as legitimate. It did not exist three years ago and was merely a proposed RFC seized upon to rescue the reputation of SSL after the Comodo incident in April of 2011. It is one of many ways of verifying a certificate.”

It will be interesting to see how this will play out in the upcoming year. The biggest problem with my solution is that it only works in an environment where you can control the client’s desktop environment. 
