We know you're here to learn about what is often called an OCSP (online certificate status protocol) certificate, but first, let's take a moment to imagine you're a web browser (yes, we're serious).
In this scenario, one of your users types in the URL of an SSL-enabled website. Because you're a browser, you're supposed to visit the website, fetch it and show it to your user. So, how would you verify that the website's certificate is valid? How do you know that the issuing certificate authority (CA) hasn't revoked it?
Both questions matter, because an SSL certificate acts as the website's identity, and an identity must be checked. As an obedient browser, you're ready to do it.
But here comes a problem.
There are many certificate authorities around the world, and you'd have to go to each CA's own database to verify the certificates it issued. That's impractical: there are many different databases, and you'd have to consult a different one almost every time a user visits a website. What if there were a standard way for every approved CA to report the status of the certificates it has issued? Your job would become much easier, right? Well, there is. It's called the online certificate status protocol.
Technically, there's no such thing as an OCSP certificate. It's just an SSL certificate. OCSP, the online certificate status protocol, is an internet protocol through which web browsers determine the revocation status of the SSL/TLS certificates installed on websites. Although SSL/TLS certificates have a validity period, in certain situations they need to be revoked before it ends, and in those circumstances it's essential for browsers to learn about the revocation. OCSP facilitates this by returning a "valid" or "revoked" status to the browser. If the status is valid, the browser treats the website as legitimate and proceeds with the encrypted connection. If the certificate has been revoked, the browser displays a warning to the user. Simple, isn't it?
This is what happens when a browser visits an SSL-enabled website:
OCSP was introduced as an alternative to certificate revocation lists (CRLs) to mitigate the performance problems of CRLs. Although it did eliminate those problems, it gave rise to a new set of security concerns.
As we learned, an OCSP responder holds the status of millions of SSL certificates. If the responder is down for any reason, millions of users around the world can't obtain the revocation status, and their browsers proceed with the HTTPS connection anyway (the so-called soft-fail behaviour). As a result, browsers continue to connect to websites whose certificates have been revoked. This, needless to say, is a security concern.
An attacker who can block a client's connection to the OCSP responder can exploit this limitation: with the status check unavailable, a stolen or fraudulently issued certificate that has already been revoked still passes, and can be used to fool users into handing over sensitive data.
It's ironic that OCSP, which was meant to solve CRL's problem, introduced its own set of challenges. And not only that: OCSP, just like CRL, still puts a significant burden on the web browser (the client), which has to check the status of every certificate itself.
Here comes OCSP Stapling.
OCSP stapling, unlike CRL and plain OCSP, moves the status-checking burden from the client to the web server. It's the web server that contacts the OCSP responder at regular intervals, obtains a signed, time-stamped response for its own certificate, and "staples" that response to the certificate it presents during the TLS handshake, so the browser receives the status directly from the server. Here's how it works:
Thanks to OCSP stapling, the security limitations of OCSP can be eliminated. Not only that, but it also reduces the load on the web browser as well as on the OCSP responder, which results in faster overall performance.
The tale of OCSP is a perfect illustration of the world of internet security. OCSP, introduced to solve CRL's problems, turned out to have its own issues and had to be reinvented to make it work. OCSP stapling is an excellent solution that mitigates those security concerns and provides browsers with an up-to-date status of certificates. Having said that, OCSP stapling also comes with its own limitations. However, it's the best solution we have right now. If you run a web server, you should enable OCSP stapling on it.