OCSP Stapling in Firefox

David Keeler

5

OCSP Stapling has landed in the latest Nightly builds of Firefox! OCSP stapling is a mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner.
Revocation information is important because at any time after a certificate has been issued, it may no longer be appropriate to trust it. For instance, maybe the CA that issued the certificate realizes it put incorrect information on it. Maybe the website operators lose control of their private key, or it gets stolen. More benignly, maybe the domain was transferred to a new owner.
The Online Certificate Status Protocol (OCSP) is one method for obtaining certificate revocation information. When presented with a certificate, the browser asks the issuing CA if there are any problems with it. If the certificate is fine, the CA can respond with a signed assertion that the certificate is still valid. If it has been revoked, however, the CA can say so by the same mechanism.
OCSP prevents an attack
OCSP has a few drawbacks. First, it slows down new HTTPS connections. When the browser encounters a new certificate, it has to make an additional request to a server operated by the CA. Second, it leaks to the CA what HTTPS sites the user visits, which is concerning from a privacy perspective. Additionally, if the browser cannot connect to the CA, it must choose between two undesirable options. It can terminate the connection on the assumption that something is wrong, which decreases usability. Or, it can continue the connection, which defeats the purpose of doing this kind of revocation checking. By default, Firefox currently continues the connection. The about:config option security.OCSP.require can be set to true to have Firefox terminate the connection instead.
OCSP stapling solves these problems by having the site itself periodically ask the CA for a signed assertion of status and sending that statement in the handshake at the beginning of new HTTPS connections. The browser takes that signed, stapled response, verifies it, and uses it to determine if the site’s certificate is still trustworthy. If not, it knows that something is wrong and it must terminate the connection. Otherwise, the certificate is fine and the user can connect to the site.
site asks CA for certificate status
OCSP stapling
If Firefox requests but does not receive a stapled response, it falls back to normal OCSP fetching. This means that while OCSP stapling protects against mistakes and many basic attacks, it does not prevent attacks involving more complete network control. For instance, if an attacker with a stolen certificate were able to block connections to the CA OCSP responder while running their own server that doesn’t do OCSP stapling, the user would not be alerted that the certificate had been revoked. A new proposal currently referred to as “OCSP-must-staple” is intended to handle this case by giving sites a way of saying “any connection to this site must include a stapled OCSP response”. This is still in development.
OCSP stapling works with all CAs that support OCSP. OCSP stapling has been implemented in popular web servers including nginx and Apache. If you run a website, consider turning on OCSP stapling to protect your users. If you use Firefox Nightly, enjoy the increased security, privacy, and performance benefits!

5 responses

  1. Koen wrote on :

    I fail to see how exactly this will enhance privacy, except in the case where the ‘new owner’ of a private key could gather information about you.

    In most cases I think this will degrade privacy, since it will give CA’s a lot of information about who (who here is at least an IP, but probably more) visits which sites.

    Having said that, sounds interesting none the less.

    // Koen

    1. Lincoln DeCoursey wrote on :

      There’s two things here. OCSP is what involves doing the realtime lookup to see if a certificate has been revoked. This has already been around and is what causes the privacy concern. OCSP Stapling is the thing that’s new here. Stapling allows the domain owner to self-host the revocation query. This basically addresses the privacy concern.

      1. dkeeler wrote on :

        Thanks for the clarification, Lincoln!

  2. sep332 wrote on :

    I know the examples are hard-coded into the images by now, but in future, please use “example.com” instead of site.com, since site.com is a real website. Thanks!

    1. dkeeler wrote on :

      Done – thanks for the tip!