OCSP Server Performance in April 2013

Rank Performance Graph OS Outage
hh:mm:ss
Failed
Req%
DNS Connect First
byte
Total
1 ocsp.starfieldtech.com Linux  0:00:00  0.013  0.111 0.023 0.043 0.043
2 ocsp.trendmicro.com/tmca Citrix Netscaler  0:00:00  0.019  0.043 0.099 0.200 0.200
3 ocsp.entrust.net Linux  0:00:00  0.022  0.251 0.014 0.249 0.249
4 ocsp.godaddy.com Linux  0:00:00  0.022  0.164 0.021 0.041 0.041
5 ocsp.digicert.com Linux  0:00:00  0.022  0.027 0.026 0.051 0.051
6 ocsp.quovadisglobal.com Windows Server 2003  0:00:00  0.032  0.021 0.116 0.222 0.222
7 ocsp.verisign.com Citrix Netscaler  0:00:00  0.038  0.050 0.084 0.168 0.168
8 evsecure-ocsp.verisign.com Citrix Netscaler  0:00:00  0.041  0.239 0.085 0.168 0.168
9 ocsp.thawte.com Citrix Netscaler  0:00:00  0.044  0.041 0.083 0.165 0.165
10 ocsp.startssl.com/sub/class4/server/ca Linux  0:00:00  0.047  0.086 0.011 0.041 0.041

See full table

Starfield Technologies had the most reliable OCSP responder during April, failing to respond to only 4 of Netcraft's OCSP requests. Starfield also had the most reliable responder in March, but showed a slight improvement to its average connection times in April. Starfield was founded as the technology and research branch of Go Daddy in 2003, and Go Daddy customers can choose to have their SSL certificates issued by either Starfield or Go Daddy.

Trend Micro had the second most reliable OCSP responder, which failed to respond to only 6 requests. However, this could be one of the survey's least busy responders: Netcraft's April 2013 SSL Survey discovered only 113 valid SSL certificates issued by Trend Micro, all of which are organisation validated. 29 of these certificates are used by a single organisation, Florida Hospital.

StartCom (which operates StartSSL) once again exhibited the fastest connection times, taking only a hundredth of a second to establish a TCP connection for one of its OCSP URLs.  However, its reliability was only just good enough to make it into the top ten — in total, 15 requests to http://ocsp.startssl.com/sub/class4/server/ca failed during April.

Linux is the most popular choice of operating system on which to run an OCSP responder, and it certainly seems to perform well with regard to connection times: all of the top 25 fastest OCSP responders used Linux in April. In terms of failed requests, though, the distribution of Citrix Netscaler appliances is skewed towards the more reliable end of the spectrum — of the five responders that were using Netscaler, four of them feature in the top ten. QuoVadis's OCSP responder, which was sixth most reliable in April, is one of only two responders that ran on Windows.

On April 24, nginx 1.4.0 stable was released, incorporating several new features that had previously only been released in development branches of the web server. One of the most important performance features is that nginx now support OCSP stapling. This feature is designed to improve performance by allowing secure websites to "staple" a cached OCSP response to the TLS handshake, removing the need for the client browser to make a second, separate connection to the certificate authority's OCSP responder.

The Online Certificate Status Protocol (OCSP) is an alternative method to Certificate Revocation Lists (CRLs) for obtaining the revocation status of an individual SSL certificate. Fast and reliable OCSP responders are essential for both Certificate Authorities (CAs) and their customers — a slow OCSP response will introduce an additional delay before many browsers can start sending and receiving encrypted traffic over an HTTPS connection.