OCSP Stapling has landed in the latest Nightly builds of Firefox! OCSP stapling is a mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner.
Revocation information is important because at any time after a certificate has been issued, it may no longer be appropriate to trust it. For instance, maybe the CA that issued the certificate realizes it put incorrect information on it. Maybe the website operators lose control of their private key, or it gets stolen. More benignly, maybe the domain was transferred to a new owner.
The Online Certificate Status Protocol (OCSP) is one method for obtaining certificate revocation information. When presented with a certificate, the browser asks the issuing CA if there are any problems with it. If the certificate is fine, the CA can respond with a signed assertion that the certificate is still valid. If it has been revoked, however, the CA can say so by the same mechanism.
OCSP has a few drawbacks. First, it slows down new HTTPS connections. When the browser encounters a new certificate, it has to make an additional request to a server operated by the CA. Second, it leaks to the CA what HTTPS sites the user visits, which is concerning from a privacy perspective. Additionally, if the browser cannot connect to the CA, it must choose between two undesirable options. It can terminate the connection on the assumption that something is wrong, which decreases usability. Or, it can continue the connection, which defeats the purpose of doing this kind of revocation checking. By default, Firefox currently continues the connection. The about:config option security.OCSP.require can be set to true to have Firefox terminate the connection instead.
OCSP stapling solves these problems by having the site itself periodically ask the CA for a signed assertion of status and sending that statement in the handshake at the beginning of new HTTPS connections. The browser takes that signed, stapled response, verifies it, and uses it to determine if the site’s certificate is still trustworthy. If not, it knows that something is wrong and it must terminate the connection. Otherwise, the certificate is fine and the user can connect to the site.
If Firefox requests but does not receive a stapled response, it falls back to normal OCSP fetching. This means that while OCSP stapling protects against mistakes and many basic attacks, it does not prevent attacks involving more complete network control. For instance, if an attacker with a stolen certificate were able to block connections to the CA OCSP responder while running their own server that doesn’t do OCSP stapling, the user would not be alerted that the certificate had been revoked. A new proposal currently referred to as “OCSP-must-staple” is intended to handle this case by giving sites a way of saying “any connection to this site must include a stapled OCSP response”. This is still in development.
OCSP stapling works with all CAs that support OCSP. OCSP stapling has been implemented in popular web servers including nginx and Apache. If you run a website, consider turning on OCSP stapling to protect your users. If you use Firefox Nightly, enjoy the increased security, privacy, and performance benefits!
Categories:
Security
OCSP Stapling in Firefox
Dana Keeler
Koen wrote on
Lincoln DeCoursey wrote on
dkeeler wrote on
sep332 wrote on
dkeeler wrote on