{"id":1244,"date":"2013-07-29T14:16:54","date_gmt":"2013-07-29T21:16:54","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=1244"},"modified":"2016-09-30T02:52:47","modified_gmt":"2016-09-30T09:52:47","slug":"ocsp-stapling-in-firefox","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2013\/07\/29\/ocsp-stapling-in-firefox\/","title":{"rendered":"OCSP Stapling in Firefox"},"content":{"rendered":"<p>OCSP Stapling has landed in the latest <a href=\"https:\/\/nightly.mozilla.org\/\">Nightly builds of Firefox<\/a>! OCSP stapling is a mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner.<br \/>\nRevocation information is important because at any time after a certificate has been issued, it may no longer be appropriate to trust it. For instance, maybe the CA that issued the certificate realizes it put incorrect information on it. Maybe the website operators lose control of their private key, or it gets stolen. More benignly, maybe the domain was transferred to a new owner.<br \/>\nThe Online Certificate Status Protocol (OCSP) is one method for obtaining certificate revocation information. When presented with a certificate, the browser asks the issuing CA if there are any problems with it. If the certificate is fine, the CA can respond with a signed assertion that the certificate is still valid. If it has been revoked, however, the CA can say so by the same mechanism.<br \/>\n<a href=\"\/\/blog.mozilla.org\/security\/files\/2013\/08\/p4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1355\" src=\"\/\/blog.mozilla.org\/security\/files\/2013\/08\/p4.png\" alt=\"OCSP prevents an attack\" width=\"786\" height=\"610\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2013\/08\/p4.png 786w, https:\/\/blog.mozilla.org\/security\/files\/2013\/08\/p4-252x195.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2013\/08\/p4-600x465.png 600w\" sizes=\"(max-width: 786px) 100vw, 786px\" \/><\/a><br \/>\nOCSP has a few drawbacks. First, it slows down new HTTPS connections. When the browser encounters a new certificate, it has to make an additional request to a server operated by the CA. Second, it leaks to the CA what HTTPS sites the user visits, which is concerning from a privacy perspective. Additionally, if the browser cannot connect to the CA, it must choose between two undesirable options. It can terminate the connection on the assumption that something is wrong, which decreases usability. Or, it can continue the connection, which defeats the purpose of doing this kind of revocation checking. By default, Firefox currently continues the connection. The about:config option security.OCSP.require can be set to true to have Firefox terminate the connection instead.<br \/>\nOCSP stapling solves these problems by having the site itself periodically ask the CA for a signed assertion of status and sending that statement in the handshake at the beginning of new HTTPS connections. The browser takes that signed, stapled response, verifies it, and uses it to determine if the site&#8217;s certificate is still trustworthy. If not, it knows that something is wrong and it must terminate the connection. Otherwise, the certificate is fine and the user can connect to the site.<br \/>\n<a href=\"\/\/blog.mozilla.org\/security\/files\/2013\/08\/p5.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1356\" src=\"\/\/blog.mozilla.org\/security\/files\/2013\/08\/p5.png\" alt=\"site asks CA for certificate status\" width=\"588\" height=\"297\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2013\/08\/p5.png 588w, https:\/\/blog.mozilla.org\/security\/files\/2013\/08\/p5-252x127.png 252w\" sizes=\"(max-width: 588px) 100vw, 588px\" \/><\/a><br \/>\n<a href=\"\/\/blog.mozilla.org\/security\/files\/2013\/08\/p6.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1357\" src=\"\/\/blog.mozilla.org\/security\/files\/2013\/08\/p6.png\" alt=\"OCSP stapling\" width=\"699\" height=\"451\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2013\/08\/p6.png 699w, https:\/\/blog.mozilla.org\/security\/files\/2013\/08\/p6-252x162.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2013\/08\/p6-600x387.png 600w\" sizes=\"(max-width: 699px) 100vw, 699px\" \/><\/a><br \/>\nIf Firefox requests but does not receive a stapled response, it falls back to normal OCSP fetching. This means that while OCSP stapling protects against mistakes and many basic attacks, it does not prevent attacks involving more complete network control. For instance, if an attacker with a stolen certificate were able to block connections to the CA OCSP responder while running their own server that doesn&#8217;t do OCSP stapling, the user would not be alerted that the certificate had been revoked. A new proposal currently referred to as &#8220;OCSP-must-staple&#8221; is intended to handle this case by giving sites a way of saying &#8220;any connection to this site must include a stapled OCSP response&#8221;. This is still in development.<br \/>\nOCSP stapling works with all CAs that support OCSP. OCSP stapling has been implemented in popular web servers including <a title=\"OCSP stapling in nginx\" href=\"http:\/\/nginx.org\/en\/docs\/http\/ngx_http_ssl_module.html#ssl_stapling\">nginx<\/a> and <a title=\"OCSP stapling in Apache\" href=\"https:\/\/httpd.apache.org\/docs\/current\/mod\/mod_ssl.html#sslusestapling\">Apache<\/a>. If you run a website, consider turning on OCSP stapling to protect your users. If you use Firefox Nightly, enjoy the increased security, privacy, and performance benefits!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>OCSP Stapling has landed in the latest Nightly builds of Firefox! OCSP stapling is a mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2013\/07\/29\/ocsp-stapling-in-firefox\/\">Read more<\/a><\/p>\n","protected":false},"author":525,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[45499],"coauthors":[45543],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>OCSP Stapling in Firefox - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2013\/07\/29\/ocsp-stapling-in-firefox\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Dana Keeler\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/07\/29\/ocsp-stapling-in-firefox\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2013\/07\/29\/ocsp-stapling-in-firefox\/\",\"name\":\"OCSP Stapling in Firefox - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2013-07-29T21:16:54+00:00\",\"dateModified\":\"2016-09-30T09:52:47+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ceb71f5b00305c4b5fd2028deb101736\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/07\/29\/ocsp-stapling-in-firefox\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2013\/07\/29\/ocsp-stapling-in-firefox\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/07\/29\/ocsp-stapling-in-firefox\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"OCSP Stapling in Firefox\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ceb71f5b00305c4b5fd2028deb101736\",\"name\":\"Dana Keeler\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8a8a12f35e73f4f9942eb18d86c4828b\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/72636a193847f1a9c45521d07eb0dc6e?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/72636a193847f1a9c45521d07eb0dc6e?s=96&d=identicon&r=g\",\"caption\":\"Dana Keeler\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"OCSP Stapling in Firefox - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2013\/07\/29\/ocsp-stapling-in-firefox\/","twitter_misc":{"Written by":"Dana Keeler","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2013\/07\/29\/ocsp-stapling-in-firefox\/","url":"https:\/\/blog.mozilla.org\/security\/2013\/07\/29\/ocsp-stapling-in-firefox\/","name":"OCSP Stapling in Firefox - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2013-07-29T21:16:54+00:00","dateModified":"2016-09-30T09:52:47+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ceb71f5b00305c4b5fd2028deb101736"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2013\/07\/29\/ocsp-stapling-in-firefox\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2013\/07\/29\/ocsp-stapling-in-firefox\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2013\/07\/29\/ocsp-stapling-in-firefox\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"OCSP Stapling in Firefox"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ceb71f5b00305c4b5fd2028deb101736","name":"Dana Keeler","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8a8a12f35e73f4f9942eb18d86c4828b","url":"https:\/\/secure.gravatar.com\/avatar\/72636a193847f1a9c45521d07eb0dc6e?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/72636a193847f1a9c45521d07eb0dc6e?s=96&d=identicon&r=g","caption":"Dana Keeler"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1244"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/525"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=1244"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1244\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=1244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=1244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=1244"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=1244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}