12 March 2023

What is OCSP Stapling and what are the speed benefits for a website?

How to eliminate waiting times for certificate revocation verification using the OCSP Stapling method.


The security of communications is a topic of fundamental importance, especially in an era in which information is exchanged on the Internet at an ever-increasing rate. Public key cryptography is a technology that plays a vital role in protecting information exchanged on the internet.

Public key cryptography, also known as asymmetric cryptography, uses two different keys to encrypt and decrypt information: a public key and a private key. The public key is accessible to anyone, while the private key is known only to the owner of the key. This helps protect information exchanged over public networks such as the internet, preventing anyone from decrypting messages without the private key.

One of the most common ways to use public key cryptography is through the HTTPS protocol. HTTPS uses SSL/TLS encryption to secure the communication between a web server and a browser, making it difficult for hackers to intercept and decipher the information exchanged between the website and the browser. HTTPS is essential for protecting sensitive data such as payment information and user credentials.

HTTPS (HyperText Transfer Protocol Secure) is a secure version of the HTTP protocol used for communication between a web server and a browser. HTTPS uses SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption to protect the privacy and security of the information exchanged between the web server and the browser.

An SSL (Secure Sockets Layer) certificate is a data file that is used to authenticate the identity of the website and encrypt the information exchanged between the web server and the browser. The SSL certificate contains information such as the website's domain name, expiration date, and the website's public key.

The SSL certificate is issued by a Certificate Authority (CA), an organization that guarantees the authenticity of the website and the validity of the SSL certificate. When a browser accesses a website secured by HTTPS, it verifies the validity of the website's SSL certificate and if it is valid, establishes a secure connection with the web server using SSL/TLS encryption.

Simply put, HTTPS and an SSL certificate are essential to ensure the security and privacy of information exchanged between a website and a browser. They protect against theft of sensitive information, cyber attacks and guarantee the authenticity of the website.

The Online Certificate Status Protocol (OCSP) is a mechanism used to check whether an SSL/TLS certificate has been revoked. In practice, whenever a browser connects to an SSL/TLS-secured website, the certificate is checked to ensure it has not been revoked. This check takes time, because the browser has to contact the CA's OCSP server to ask for the status of the certificate.

To reduce the connection time and improve the website loading speed, the OCSP stapling mechanism has been developed. In this article we will explore what OCSP stapling is and what benefits it can offer in terms of speed for a website.

What is OCSP and what is it for?

Online Certificate Status Protocol (OCSP) is a security protocol used to check the validity status of an SSL/TLS digital certificate. The protocol makes it possible to verify the validity of a digital certificate in real time, without having to rely on a certificate revocation list (CRL).

Traditionally, a CRL containing the list of revoked certificates was used to verify the validity of a digital certificate. The problem with this solution is that the CRL has to be downloaded and updated regularly, and it grows with the number of revoked certificates. Also, fetching the CRL requires a network connection, which slows down certificate verification.

OCSP solves these problems by allowing clients to request the validity status of a single digital certificate directly from the OCSP server, which responds with the certificate's status. The optimisation built on top of this, described next, is known as OCSP Stapling.

Basically, when a browser accesses a website secured by SSL/TLS, the server also sends an OCSP response along with the certificate. This way, the browser can immediately check the validity status of the certificate without having to make an additional connection to the OCSP server.

What is OCSP stapling?

OCSP stapling is a mechanism that allows the web server to deliver the SSL/TLS certificate status check response directly to the browser, eliminating the need for the browser to contact the OCSP server. In essence, the web server "staples" the OCSP response to the SSL/TLS connection, so the browser does not have to make a separate OCSP request.

OCSP Stapling

In other words, the web server hosting the website regularly fetches a fresh OCSP response for its SSL/TLS certificate and "staples" (attaches) this response to the SSL/TLS handshake. This way, the browser receives the OCSP response together with the certificate, eliminating the need for a separate OCSP request.

What are the benefits of OCSP stapling?

OCSP stapling offers several speed and security benefits for a website. Here are some of the top reasons why OCSP stapling has become increasingly popular with website owners:

Improve website loading speed

As mentioned above, using OCSP stapling can significantly reduce your connection time and improve website loading speed. Because the browser doesn't have to contact the OCSP server separately to check the status of the certificate, OCSP stapling reduces the number of network requests needed to establish an SSL/TLS connection. This means that the website loads faster, which improves the user experience.

Although the gain may seem very small (in our benchmarks on 100 megabit connections we measured an indicative improvement of 10 – 15 ms), in cases of extreme, maniacal optimisation (as we do, for example, for all our customers with publishing products) saving 10 – 15 ms brings the response time seen by the browser below 40 ms where 60 ms was needed before.

It may be an overlooked and negligible feature when the TTFB is above 60 ms, but combined with the QUIC protocol it becomes the icing on the cake, further removing the latency of the Certification Authorities' OCSP responders, the main ones of which are shown in the graph above.

Protects against OCSP attacks

Using OCSP stapling also protects the website from attacks on the OCSP lookup. Since the OCSP response is delivered by the web server itself, the browser no longer has to reach the CA's OCSP server at connection time, so a man-in-the-middle blocking that lookup or a denial-of-service (DoS) attack against the OCSP server cannot disrupt the browser's OCSP check.

Reduces connection latency

Finally, using OCSP stapling also reduces connection latency. Since the OCSP response is stapled to the SSL/TLS connection, the browser receives it during the handshake, before any HTTP request is sent. This means that the OCSP response is already available when the browser needs to check the certificate status, reducing the time between the browser request and the server response.

How to implement OCSP stapling on a website?

The implementation of OCSP stapling depends on the web server used to host the website. However, most web servers support OCSP stapling, including Apache, Nginx, IIS, and others. In general, implementing OCSP stapling involves two main steps:

  1. Enable OCSP stapling on the web server

The first step is to enable OCSP stapling on the web server. Typically, this requires adding a configuration line to the web server configuration file. For example, if you are using Apache, you can enable OCSP stapling by adding the following line to your configuration file:

SSLUseStapling on

  2. Verify that OCSP stapling is functional

The second step is to verify that OCSP stapling is actually working on the website. This can be done using online SSL/TLS connection testing tools, such as SSL Labs. These tools provide detailed information about your SSL/TLS configuration, including whether OCSP stapling is enabled.
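The same check can be run from the shell with openssl(1), which is useful for automated monitoring after the two steps above. This is an added example, not code from the original article; the host name is a placeholder, and the Apache and nginx directives mentioned in the comments are assumptions about a typical setup.

```shell
#!/bin/sh
# Added example (not from the original article): verify OCSP stapling from
# the shell instead of an online checker. Assumes openssl(1) is installed;
# HOST is a placeholder. Apache also needs a server-level SSLStaplingCache
# (e.g. "shmcb:logs/ssl_stapling(32768)") next to "SSLUseStapling on";
# nginx uses "ssl_stapling on; ssl_stapling_verify on;".

# Reduce the output of `openssl s_client -status` to one word:
#   none    - server sent no stapled response (stapling off or cache empty)
#   good    - stapled response present and the certificate is not revoked
#   revoked - stapled response says the certificate is revoked
#   unknown - no parseable response (responder error, wrong input, ...)
stapling_status() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none; return 0
    fi
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo unknown; return 0
    fi
    case $out in
        *'Cert Status: revoked'*) echo revoked ;;
        *'Cert Status: good'*)    echo good ;;
        *)                        echo unknown ;;
    esac
}

# Query a live server; prints one of the words above. Not run offline.
check_host() {
    host=$1; port=${2:-443}
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
          -servername "$host" -status 2>/dev/null)
    stapling_status "$out"
}

# Constructed samples of the relevant s_client lines (offline self-test).
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Mar 10 12:00:00 2023 GMT
    Next Update: Mar 17 12:00:00 2023 GMT
======================================
---'
```

Run `check_host example.com` (placeholder host) against your own site; a result of `none` right after a restart can simply mean the server has not yet fetched its first OCSP response, so repeat the check after a few seconds.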

Qualys SSL Labs

All our webservers are configured to support OCSP Stapling and the best enterprise-class web acceleration technologies.
