Learn what OCSP is, how it works, & about certificate authorities and certificate revocation.
What is OCSP?
The Online Certificate Status Protocol (OCSP) is an alternative to the certificate revocation list (CRL) and is used to check whether a digital certificate is valid or if it has been revoked.
OCSP is an Internet protocol (RFC 6960) carried over HTTP, not the Internet Protocol (IP) itself. Clients such as web browsers use it to ask a certificate authority (CA), through the CA's OCSP responder, whether a particular certificate is still valid. It is most commonly used for the X.509 certificates behind secure sockets layer/transport layer security (SSL/TLS), which is how a browser checks the status of a Hypertext Transfer Protocol Secure (HTTPS) website's certificate.
What is a Certificate Authority?
CAs are central to issuing and managing digital certificates, ensuring secure communications, and verifying user identities. They do this through the public key infrastructure (PKI) X.509 certificate, which contains information like the owner’s name and public key, the name of the issuing CA, the certificate’s validity date, and what it can be used for.
The CA signs the certificate with its own private key, so any change to this information invalidates the signature; anyone holding the CA's public key can verify that signature. The applicant, for its part, proves possession of its own private key by signing the certificate signing request (CSR) it submits to the CA.
Why Is Certificate Revocation Important?
Digital certificates are vital to guaranteeing trust on the internet, acting like a digital identification card for websites. A web browser requires an HTTPS website to present a certificate that binds its hostname to a public key, and the server must prove during the TLS handshake that it holds the matching private key. If an attacker obtains that private key, they can impersonate the website until the certificate expires or is revoked.
So certificate revocation is crucial to mitigating vulnerabilities and potential key compromise. The website's owner can revoke a certificate by informing the issuer that the certificate should not be trusted. A good example of this is Cloudflare revoking all managed certificates when the Heartbleed vulnerability was found capable of stealing private keys.
How Does OCSP Work?
When a client needs to check a certificate, it sends an OCSP request, identifying the certificate by its serial number together with hashes of the issuer's name and public key, to an OCSP responder, a server operated by or on behalf of the issuing CA. The responder looks the certificate up in the CA's revocation records and returns a signed response with a status of good, revoked, or unknown, along with a thisUpdate timestamp (and usually a nextUpdate) that bounds how long the answer may be cached. The client verifies the signature against the CA, or against a responder certificate the CA has delegated to, before trusting the answer. Most widely used web browsers support OCSP, including Apple Safari, Internet Explorer, Microsoft Edge, and Mozilla Firefox.
OCSP and CRL
Web browsers use several methods to check whether a site's certificate has been revoked; OCSP and CRLs are the two most common. A CRL is a signed list of the serial numbers of all certificates a CA has revoked. CRLs have drawbacks: they can grow large, the whole list has to be downloaded, and the copy a client holds is only as fresh as the CA's last publication.
OCSP instead lets a client ask about a single certificate and receive a signed, time-stamped assertion of its status. This is a more efficient check, as no list has to be downloaded to learn the status of one certificate.
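The exchange described above, run end to end with the openssl command-line tool. This is an added example, not code from the original page: it creates a throwaway CA and a leaf certificate, builds an OCSP request for the leaf, runs openssl in responder mode against an index file standing in for the CA's revocation database, and then verifies the signed response as a client would. The CA name, the hostname www.example.test, the serial 0x1001 and the index entries are all constructed for the demo.

```shell
#!/bin/sh
# Added example: a complete offline OCSP round trip with the openssl CLI.
# All names and serials below are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Throwaway CA plus a leaf certificate it issued with serial 0x1001 (4097).
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial 4097 -days 90 -sha256 -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# 2. The responder's revocation database in openssl's "ca" index format:
#    status  expiry  revocation-date[,reason]  serial(hex)  filename  subject
#    "good": serial 1001 listed as valid; "revoked": listed as revoked for
#    keyCompromise; "unknown": only some other serial is known to the CA.
write_index() {
  case "$1" in
    good)    printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=www.example.test\n' ;;
    revoked) printf 'R\t300101000000Z\t240101000000Z,keyCompromise\t1001\tunknown\t/CN=www.example.test\n' ;;
    *)       printf 'V\t300101000000Z\t\t2002\tunknown\t/CN=other.example.test\n' ;;
  esac > "$WORK/index.txt"
}

# 3. Client builds the request, the CA answers it as responder, the client
#    verifies the signature against the CA and reads the status. Prints
#    "good", "revoked" or "unknown"; fails if the response does not verify.
ocsp_status() {
  write_index "$1"
  # Client: request carries issuer name hash, issuer key hash and serial.
  openssl ocsp -issuer "$WORK/ca.crt" -cert "$WORK/leaf.crt" -no_nonce \
    -reqout "$WORK/req.der" >/dev/null 2>&1
  # Responder (run by the CA): look the serial up, sign the answer with the CA key.
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.crt" \
    -rsigner "$WORK/ca.crt" -rkey "$WORK/ca.key" -rmd sha256 \
    -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null 2>&1
  # Client: verify the response signature against the trusted CA before trusting it.
  openssl ocsp -issuer "$WORK/ca.crt" -cert "$WORK/leaf.crt" -no_nonce \
    -respin "$WORK/resp.der" -CAfile "$WORK/ca.crt" > "$WORK/verify.out" 2>&1
  grep -q '^Response verify OK' "$WORK/verify.out" || { echo verify-failed; return 1; }
  sed -n 's/^.*leaf\.crt: \([a-z]*\).*/\1/p' "$WORK/verify.out" | head -n 1
}

setup_pki
for state in good revoked unknown; do
  printf 'index says %-8s -> OCSP status: %s\n' "$state" "$(ocsp_status "$state")"
done
```

Inspect any of the DER files with `openssl ocsp -reqin req.der -text` or `-respin resp.der -text` to see the CertID (hash algorithm, issuer name hash, issuer key hash, serial) in the request and the signed thisUpdate, status and revocation reason in the response. The `-no_nonce` flags are only there so the client and responder steps can be run as separate commands; in a live exchange the client's nonce is echoed in the response to defeat replay of an old "good" answer.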
OCSP Stapling
OCSP checking creates problems of its own, including cost for CAs and privacy concerns. Live OCSP checking leaks browsing data: requests are sent as plain Hypertext Transfer Protocol (HTTP) and identify the certificate being checked, so each request tells the CA which websites a user visits, and anyone on the network path between the browser and the OCSP responder can see them too. It also hurts performance, since the page load waits for a third party to confirm the certificate. Because responders are sometimes unreachable, most browsers "soft-fail" and proceed when no response arrives, which means an attacker who can block the OCSP traffic can also suppress the revocation check.
OCSP stapling addresses several of these issues. The web server itself periodically fetches a signed OCSP response for its certificate from the CA's responder and "staples" it to the TLS handshake (the status_request extension defined in RFC 6066). The browser receives the response together with the certificate, verifies the CA's signature on it, and never contacts the responder itself, which removes the privacy leak and the extra round trip. Because the stapled response is still CA-signed and time-bounded, the server cannot forge a "good" status. A server that simply omits the staple still leaves the browser to its soft-fail behaviour, unless the certificate carries the Must-Staple extension (RFC 7633), which tells the client to reject a connection that arrives without a stapled response.