How OCSP stapling works and why you should use it

OCSP stapling is an optional feature on most server types, often enabled by default.

Let’s find out what it is, how it works, and why you should use it.

What is OCSP stapling?

SSL certificates encrypt Web communications so we can trust websites with our private information.

But how do we know which SSL certificates to trust?

Well, web browsers only trust SSL certificates issued by a trusted Certificate Authority (CA), and they check whether such a certificate is still valid via a protocol called Online Certificate Status Protocol (OCSP).

More specifically, OCSP obtains the revocation status of an SSL certificate and provides it to the web browser.

OCSP stapling was designed later as a faster, more efficient way of delivering OCSP status information than the original protocol and is now considered the standard.

How does it work?

With regular OCSP, to check a website’s SSL certificate status, the web browser queries the CA which issued the SSL certificate.

As a result, the web browser makes two connections: one to the website and one to the CA.

However, OCSP stapling means the web server hosting the SSL-secured website queries the CA periodically and informs web browsers of its SSL certificate status itself.

This means faster connection times to the website, as web browsers do not communicate with any third parties (the CA).

The only connection required is the web browser to the website.

Let’s break it down:

  1. The web server hosting the SSL-secured website queries the CA which issued its SSL certificate.
  2. The CA responds with the status of the SSL certificate; the status is digitally signed and time-stamped for authenticity.
  3. The web server ‘staples’ the CA’s signed status to the website’s SSL certificate.
  4. A user connects to the website, and their web browser checks the SSL certificate’s status via the staple. Since the CA signed the status, the web browser can trust it.
  5. The web browser reacts to the status and either opens the webpage (if the SSL certificate is valid) or displays a warning/error message (if invalid).

[Diagram: the OCSP stapling flow. Image source: www.ctrl.blog/entry/ocsp-httpd-selinux.html]
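The five steps above, as an added runnable example (not code from the original post): a toy simulation in which a CA signs a time-stamped status, the web server caches it and staples it to every handshake, and the browser validates the staple before deciding what to do. Everything here is constructed for the demo; in particular the CA's signature is stood in for by an HMAC under a shared demo key (`CA_DEMO_KEY`) so the script runs offline, whereas a real CA signs OCSP responses with its private key and the browser verifies with the CA's public key.

```python
# Added example: toy OCSP stapling flow (CA -> server cache -> browser check).
# The "signature" is an HMAC with a demo key, a stand-in for a real CA signature.
import hmac
import hashlib
import json
from dataclasses import dataclass

CA_DEMO_KEY = b"demo-ca-key"        # constructed; stands in for the CA's private key
STAPLE_REFRESH_MARGIN = 3600         # refresh the staple this many seconds before nextUpdate


@dataclass
class OcspResponse:
    serial: str          # serial of the certificate the response is about
    status: str          # "good" or "revoked"
    this_update: int     # time the CA produced the status (Unix seconds)
    next_update: int     # time after which the status must not be relied on
    signature: str       # hex HMAC over the fields above (demo stand-in)


def _payload(serial: str, status: str, this_update: int, next_update: int) -> bytes:
    # Canonical encoding of the signed fields.
    return json.dumps([serial, status, this_update, next_update]).encode()


def ca_sign_status(serial: str, status: str, now: int, validity: int = 7 * 86400) -> OcspResponse:
    """Steps 1-2: the CA answers a status query with a signed, time-stamped response."""
    next_update = now + validity
    sig = hmac.new(CA_DEMO_KEY, _payload(serial, status, now, next_update), hashlib.sha256).hexdigest()
    return OcspResponse(serial, status, now, next_update, sig)


class StaplingServer:
    """Step 3: the web server caches the CA's response and staples it to its certificate."""

    def __init__(self, cert_serial: str, fetch):
        self.cert_serial = cert_serial
        self.fetch = fetch        # callable(serial, now) -> OcspResponse, i.e. the CA query
        self.staple = None
        self.ca_queries = 0       # how many times the server actually contacted the CA

    def refresh_if_needed(self, now: int) -> None:
        # Query the CA only when nothing is cached or the cached staple is about to expire.
        if self.staple is None or now >= self.staple.next_update - STAPLE_REFRESH_MARGIN:
            self.staple = self.fetch(self.cert_serial, now)
            self.ca_queries += 1

    def handshake(self, now: int) -> dict:
        # Every visitor receives the certificate plus the same cached staple.
        self.refresh_if_needed(now)
        return {"cert_serial": self.cert_serial, "staple": self.staple}


def browser_check(handshake: dict, now: int) -> str:
    """Steps 4-5: the browser validates the staple and reacts to the status."""
    staple = handshake["staple"]
    if staple is None:
        return "error: no staple"
    payload = _payload(staple.serial, staple.status, staple.this_update, staple.next_update)
    expected = hmac.new(CA_DEMO_KEY, payload, hashlib.sha256).hexdigest()  # real browser: CA public key
    if not hmac.compare_digest(expected, staple.signature):
        return "error: bad signature"
    if staple.serial != handshake["cert_serial"]:
        return "error: staple is for a different certificate"
    if not (staple.this_update <= now < staple.next_update):
        return "error: staple expired"
    return "ok" if staple.status == "good" else "error: certificate revoked"


def run_demo(clients: int = 100) -> dict:
    """A hundred visitors in the same second, then one more a week later."""
    now = 1_700_000_000
    server = StaplingServer("0A1B2C", lambda serial, t: ca_sign_status(serial, "good", t))
    results = [browser_check(server.handshake(now), now) for _ in range(clients)]
    later = now + 8 * 86400   # cached staple is past nextUpdate: the server refetches first
    late_result = browser_check(server.handshake(later), later)
    return {"results": results, "ca_queries": server.ca_queries, "late_result": late_result}


if __name__ == "__main__":
    print(run_demo())
```

The point the demo makes concrete is that a hundred visitors cost the server a single CA query, and a stale staple is rejected by the browser rather than silently accepted, so the server must refresh before `nextUpdate`. To see whether a real server staples, `openssl s_client -connect host:443 -status` prints an `OCSP Response Status:` line when a staple is sent and `OCSP response: no response sent` when it is not.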

Why you should use OCSP stapling

OCSP stapling means providing website visitors with better security at faster speeds.

Users experience faster load times on encrypted content because the web browser never connects directly to the CA.

This is especially important for high-traffic websites.

Under traditional OCSP — if a hundred people are querying a website’s SSL certificate status simultaneously, this means a lot of third-party requests to the CA, one per visitor.

Consequently, response times and page loads are slower for every user of the website.

With OCSP stapling, the web server simply queries the CA periodically and staples the status result.

Thus, those hundred web browsers can verify the SSL certificate status quickly via that staple — no individual queries.

OCSP stapling is also better for user privacy.

To perform the status check under traditional OCSP, the URL the user is trying to access is supplied by their web browser to the CA.

With OCSP stapling, the web server queries the SSL certificate status itself, so the CA never knows which user is accessing which URL.

For that reason, the protocol also provides better web anonymity.
