March 12 2023

What is OCSP Stapling and what are the speed benefits for a website?

How to eliminate waiting times for certificate revocation verification using the OCSP Stapling method.

OCSP-certificate-stapling

The security of communications is a topic of fundamental importance, especially in an era in which information is exchanged on the Internet at an ever-increasing rate. Public key cryptography is a technology that plays a vital role in protecting information exchanged on the internet.

Public key cryptography, also known as asymmetric cryptography, uses two different keys to encrypt and decrypt information: a public key and a private key. The public key is accessible to anyone, while the private key is known only to the owner of the key. This helps protect information exchanged over public networks such as the internet, preventing anyone from decrypting messages without the private key.

One of the most common ways to use public key cryptography is through the HTTPS protocol. HTTPS uses SSL/TLS encryption to secure the communication between a web server and a browser, making it difficult for hackers to intercept and decipher the information exchanged between the website and the browser. HTTPS is essential for protecting sensitive data such as payment information and user credentials.

HTTPS (HyperText Transfer Protocol Secure) is a secure version of the HTTP protocol used for communication between a web server and a browser. HTTPS uses SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption to protect the privacy and security of the information exchanged between the web server and the browser.

An SSL (Secure Sockets Layer) certificate is a data file that is used to authenticate the identity of the website and encrypt the information exchanged between the web server and the browser. The SSL certificate contains information such as the website's domain name, expiration date, and the website's public key.

The SSL certificate is issued by a Certificate Authority (CA), an organization that guarantees the authenticity of the website and the validity of the SSL certificate. When a browser accesses a website secured by HTTPS, it verifies the validity of the website's SSL certificate and if it is valid, establishes a secure connection with the web server using SSL/TLS encryption.

Simply put, HTTPS and an SSL certificate are essential to ensure the security and privacy of information exchanged between a website and a browser. They protect against theft of sensitive information, cyber attacks and guarantee the authenticity of the website.

The protocol Online Certificate Status Protocol (OCSP) is a mechanism used to check whether an SSL/TLS certificate has been revoked or not. Practically, whenever a browser connects to an SSL/TLS-secured website, the certificate is checked to ensure it has not been revoked. This process can take some time, as the browser has to contact the OCSP server to check the status of the certificate.

To reduce the connection time and improve the website loading speed, the OCSP stapling mechanism has been developed. In this article we will explore what OCSP stapling is and what benefits it can offer in terms of speed for a website.

What is OCSP and what is it for?

Online Certificate Status Protocol (OCSP) is a security protocol used to check the validity status of an SSL/TLS digital certificate. The protocol makes it possible to verify the validity of a digital certificate in real time, without having to rely on a certificate revocation list (CRL).

Traditionally, a CRL containing the list of revoked certificates was used to verify the validity of a digital certificate. The problem with this solution is that the CRL needs to be updated regularly, which can be a problem when dealing with large numbers of certificates. Also, accessing the CRL requires a network connection, which can slow down certificate verification.

OCSP solves these problems by allowing clients to request the validity status of a digital certificate directly from the OCSP server, which responds with the certificate's status. This process is known as OCSP Stapling.

Basically, when a browser accesses a website secured by SSL/TLS, the server also sends an OCSP response along with the certificate. This way, the browser can immediately check the validity status of the certificate without having to make an additional connection to the OCSP server.

What is OCSP stapling?

OCSP stapling is a mechanism that allows the web server to send the SSL/TLS certificate status check response directly to the browser, eliminating the need to contact the OCSP server. In essence, the web server "prints" the OCSP response to the SSL/TLS connection, eliminating the need for the browser to make a separate OCSP request.

OCSP Stapling

In other words, the web server hosting the website regularly updates the OCSP response for the SSL/TLS certificate and "staples" (i.e. clamps) this response into the HTTPS response during the SSL/TLS handshake process. This way, the browser receives the OCSP response along with the HTTPS response, eliminating the need for a separate OCSP request.

What are the benefits of OCSP stapling?

OCSP stapling offers several speed and security benefits for a website. Here are some of the top reasons why OCSP stapling has become increasingly popular with website owners:

Improve website loading speed

As mentioned above, using OCSP stapling can significantly reduce your connection time and improve website loading speed. Because the browser doesn't have to contact the OCSP server separately to check the status of the certificate, OCSP stapling reduces the number of network requests needed to establish an SSL/TLS connection. This means that the website loads faster, which improves the user experience.

Although the gain obtained may seem very small, from our benchmarks on 100 megabit connections we have had an indicative improvement of 10 – 15 ms, it is also true that in cases of very extreme and maniacal optimizations (as occurs, for example, in all our customers with publishing products) saving 10 – 15 ms leads to a response time within the Browser of less than 40ms where 60ms was needed.

Although it may be an overlooked and negligible feature when dealing with TTFB greater than 60ms, it is true that together with the QUIC protocol becomes the icing on the cake to further lower the latency of the responses from the Certification Authorities, the main ones of which we can see in the graph above.

Protects against OCSP attacks

Using OCSP stapling also protects the website from OCSP attacks. Since the OCSP response is sent directly from the web server to the browser, it is not possible to attack the OCSP server using man-in-the-middle attacks or denial-of-service (DoS) attacks to disrupt OCSP responses.

Reduces connection latency

Finally, using OCSP stapling also reduces connection latency. Since the OCSP response is stapled to the SSL/TLS connection, the browser receives the OCSP response along with the HTTPS response during the handshake process. This means that the OCSP response is ready and available when the browser needs to check the certificate status, reducing the latency time between the browser request and the server response.

How to implement OCSP stapling on website?

The implementation of OCSP stapling depends on the web server used to host the website. However, most web servers support OCSP stapling, including Apache, Nginx, IIS, and others. In general, implementing OCSP stapling involves two main steps:

  1. Enable OCSP stapling on the web server

The first step is to enable OCSP stapling on the web server. Typically, this requires adding a configuration line to the web server configuration file. For example, if you are using Apache, you can enable OCSP stapling by adding the following line to your configuration file:

SSLUseStapling on

  1. Verify that OCSP stapling is functional

The second step is to verify that OCSP stapling is working on the website. This can be done using online SSL/TLS connection testing tools, such as SSL Labs. These tools provide detailed information about configuring your SSL/TLS connection, including enabling OCSP stapling.

Qualys SSL Labs

All our webservers are configured to support OCSP Stapling and the best enterprise-class web acceleration technologies.

Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.

0256569681

Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.

INFORMATION

Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds holds the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV Hetzner Online GmbH owns the rights to Hetzner®; OVHcloud is a registered trademark of OVH Groupe SAS; cPanel®, LLC owns the rights to cPanel®; Plesk® is a registered trademark of Plesk International GmbH; Facebook, Inc. owns the rights to Facebook®. This site is not affiliated, sponsored or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a trademark registered at European level by MANAGED SERVER SRL, Via Enzo Ferrari, 9, 62012 Civitanova Marche (MC), Italy.

JUST A MOMENT !

Would you like to see how your WooCommerce runs on our systems without having to migrate anything? 

Enter the address of your WooCommerce site and you will get a navigable demonstration, without having to do absolutely anything and completely free.

No thanks, my customers prefer the slow site.
Back to top