OCSP Server Performance in April 2013

Rank Performance Graph OS Outage
DNS Connect First
1 ocsp.starfieldtech.com Linux  0:00:00  0.013  0.111 0.023 0.043 0.043
2 ocsp.trendmicro.com/tmca Citrix Netscaler  0:00:00  0.019  0.043 0.099 0.200 0.200
3 ocsp.entrust.net Linux  0:00:00  0.022  0.251 0.014 0.249 0.249
4 ocsp.godaddy.com Linux  0:00:00  0.022  0.164 0.021 0.041 0.041
5 ocsp.digicert.com Linux  0:00:00  0.022  0.027 0.026 0.051 0.051
6 ocsp.quovadisglobal.com Windows Server 2003  0:00:00  0.032  0.021 0.116 0.222 0.222
7 ocsp.verisign.com Citrix Netscaler  0:00:00  0.038  0.050 0.084 0.168 0.168
8 evsecure-ocsp.verisign.com Citrix Netscaler  0:00:00  0.041  0.239 0.085 0.168 0.168
9 ocsp.thawte.com Citrix Netscaler  0:00:00  0.044  0.041 0.083 0.165 0.165
10 ocsp.startssl.com/sub/class4/server/ca Linux  0:00:00  0.047  0.086 0.011 0.041 0.041

See full table

Starfield Technologies had the most reliable OCSP responder during April, failing to respond to only 4 of Netcraft's OCSP requests. Starfield also had the most reliable responder in March, but showed a slight improvement to its average connection times in April. Starfield was founded as the technology and research branch of Go Daddy in 2003, and Go Daddy customers can choose to have their SSL certificates issued by either Starfield or Go Daddy.

Trend Micro had the second most reliable OCSP responder, which failed to respond to only 6 requests. However, this could be one of the survey's least busy responders: Netcraft's April 2013 SSL Survey discovered only 113 valid SSL certificates issued by Trend Micro, all of which are organisation validated. 29 of these certificates are used by a single organisation, Florida Hospital.

StartCom (which operates StartSSL) once again exhibited the fastest connection times, taking only a hundredth of a second to establish a TCP connection for one of its OCSP URLs.  However, its reliability was only just good enough to make it into the top ten — in total, 15 requests to http://ocsp.startssl.com/sub/class4/server/ca failed during April.

Linux is the most popular choice of operating system on which to run an OCSP responder, and it certainly seems to perform well with regard to connection times: all of the top 25 fastest OCSP responders used Linux in April. In terms of failed requests, though, the distribution of Citrix Netscaler appliances is skewed towards the more reliable end of the spectrum — of the five responders that were using Netscaler, four of them feature in the top ten. QuoVadis's OCSP responder, which was sixth most reliable in April, is one of only two responders that ran on Windows.

On April 24, nginx 1.4.0 stable was released, incorporating several new features that had previously only been released in development branches of the web server. One of the most important performance features is that nginx now support OCSP stapling. This feature is designed to improve performance by allowing secure websites to "staple" a cached OCSP response to the TLS handshake, removing the need for the client browser to make a second, separate connection to the certificate authority's OCSP responder.

The Online Certificate Status Protocol (OCSP) is an alternative method to Certificate Revocation Lists (CRLs) for obtaining the revocation status of an individual SSL certificate. Fast and reliable OCSP responders are essential for both Certificate Authorities (CAs) and their customers — a slow OCSP response will introduce an additional delay before many browsers can start sending and receiving encrypted traffic over an HTTPS connection.

Would you knowingly trust an irrevocable SSL certificate?

Despite the inconsistent treatment of certificate revocation by browsers, providing reliable revocation information is an integral part of operating a trustworthy certificate authority (CA) and a well-accepted requirement of Mozilla's CA root program. However, there are presently thousands of certificates in use which are irrevocable in some major browsers, and hundreds in those browsers which do everything right.

Without the ability to revoke a certificate, a CA has no control over whether a certificate is accepted by browsers or relied upon for secure communication after its issuance and before its expiry. A compromised private key and certificate in the hands of an attacker could be devastating: he would be able to use the private key to decrypt some intercepted SSL-secured traffic and the certificate to impersonate the targeted site. Even if the CA becomes aware of the problem, they can do nothing about it directly without having to rely on the browser vendor's support. CAs use two main technologies for browsers to check whether a particular certificate has been revoked: using the Online Certificate Status Protocol (OCSP) or looking up the certificate in a Certificate Revocation List (CRL). OCSP provides revocation information about an individual certificate from an issuing CA, whereas CRLs provide a list of revoked certificates and may be received by clients less frequently.

Assessing browser support for the two forms of revocation is complicated by Google Chrome's varying behaviour, depending on the platform, browser settings, and its use of pre-aggregated crlsets which contain revocation information for a limited selection of certificate authorities. Firefox does not automatically download CRLs for non-EV certificates so, by default, must rely on OCSP alone. Both Internet Explorer and Opera are more secure in this context: they support OCSP and CRLs and make suitable checks for all types of certificate. Safari does not make revocation checks at all by default for non-EV certificates and the mobile version does not provide the option to do so. For most Safari users, whether or not a certificate is irrevocable is immaterial — Safari does not check for revocation by default.

Excerpt from Netcraft's site report for https://www.bancagenerali.it showing the lack of any revocation method available.

Netcraft has found hundreds of certificates trusted by major browsers which are effectively irrevocable; that is they do not contain valid entries in the crlDistributionPoints X509 extension or OCSP URLs in the AuthorityInformationAccess extension. There may be appropriate CRLs or OCSP responders available, but there is no standard automated means to discover them. Without these two extensions, there is some chance a browser will use a cached CRL (downloaded after visiting another site using the same intermediate certificate) and have access to revocation information not otherwise available. It is easy, however, to envision many scenarios where this fortunate event hasn't occurred before a person visits a site with a revoked certificate.

The CA/B forum — an organisation of both CAs and browsers — publishes a set of Baseline Requirements (BR), which allow a CA to rely on OCSP stapling for "high-traffic" FQDNs and omit OCSP URLs from the certificate. However, currently there is not a widely supported method for enforcing the use of OCSP stapling. The draft TLS Security Policy extension can contain a must-staple directive, which, if present, will indicate to clients to reject any connection without a stapled OCSP response.

In Netcraft's May 2013 SSL survey, more than 300,000 certificates did not contain an OCSP responder URL and are thus irrevocable in Firefox (except for a handful of hard-coded OCSP responder URLs); of these, almost 9,000 were issued this year. Around 800 did not contain URLs for either revocation method, making them effectively irrevocable.

The table below shows some example certificates which are missing some or all of the URLs pointing to revocation methods.

Example certificateSite rankCertificate AuthorityOCSP serversCertificate Revocation ListsOCSP Stapling enabledSelf-declared BR compliance according to responses to Mozilla
fsgateway.aexp.comAmerican Express (Verizon Business)NoNoNoNot yet compliant
www.bancagenerali.it28,225I.T. Telecom (Verizon Business)NoNoNoNot yet compliant
accounts.google.com7Google Internet Authority (Symantec)NoYesNoCompliant
login.skype.com1,804Microsoft (Verizon Business)NoYesNoNot yet compliant
www.faa.gov498,030Verizon BusinessNoYesNoNot yet compliant
*.mygrants.gov.myAlphaSSL (GlobalSign)NoYesNoPartially compliant

There are a number of certificate authorities which have issued such certificates, including the following:

  • An American Express certificate, issued by their own certificate authority, does not contain URLs for either revocation method nor does it staple an OCSP response, making it totally irrevocable. American Express's certificate authority eventually chains up to GTE CyberTrust (now Verizon Business). This certificate was issued before the effective date of the CA/B forum's Baseline Requirements.
  • Google Internet Authority, a subordinate CA of Equifax (now Symantec), does not include OCSP responder URLs in any of its certificates making the certificates effectively irrevocable in Firefox except by action by the browser vendor. Even if Google were to use OCSP stapling (which it does not appear to do — at least on some popular sites) people using Firefox would be no better off as support by default is still in the pipeline. The lack of OCSP URLs may be a conscious decision by Google to reduce the performance penalty of using SSL. The risk posed by not performing this check is not theoretical as one of Google's CRLs contains 7 serial numbers for certificates which were revoked for 'Key Compromise', an event which can't be dealt with directly by Google for users of Firefox.
  • A number of other certificate authorities have issued certificates without OCSP responder URLs this year, including Symantec, Verizon Business, GlobalSign, Microsoft, and KEYNECTIS. The original Baseline Requirements document — effective from 1 July 2012 — stated that there MUST be at least one OCSP URL in the AuthorityInformationAccess extension.
  • Several recently-issued irrevocable certificates violate other Baseline Requirements. For example many certificates also have RSA keys shorter than 2048-bits expiring beyond the end of this year — the CA will not be able to revoke them effectively on 1st January 2014 as is required. I.T. Telecom (which is a subordinate CA of Verizon Business) and FMNT (the Spanish Royal Mint) are the worst offenders, having issued totally irrevocable certificates with short public keys. Some major CAs have also signed certificates with short public keys and only CRL revocation available including Symantec and Verizon Business.

None of the example certificates mentioned above responded with a valid OCSP response stapled, so the limited exception allowed in the Baseline Requirements for high-traffic FQDNs isn't applicable.

Whilst the majority of certificates issued by major CAs are revocable in line with the Baseline Requirements, browser vendors could consider enforcing the most security-critical requirements in the browser itself, raising the bar for all certificate authorities. Browser vendors are somewhat limited in the available methods to sanction or remove their trust in widely used CAs: straightforward revocation of intermediates or root certificates runs the risk of disabling a large proportion of secure websites leading users to question not the CAs, but the browser software and the web site they are visiting.

23/05/2013: Edited to correct attribution of Microsoft's CA to Verizon Business.

How certificate revocation (doesn’t) work in practice

Certificate revocation is intended to convey a complete withdrawal of trust in an SSL certificate and thereby protect the people using a site against fraud, eavesdropping, and theft. However, some contemporary browsers handle certificate revocation so carelessly that the most frequent users of a site and even its administrators can continue using an revoked certificate for weeks or months without knowing anything is amiss. Recently, this situation was clearly illustrated when a busy e-commerce site was still using an intermediate certificate more than a week after its revocation.

SSL Certificates are used to secure communication between browsers and websites by providing a key with which to encrypt the traffic and by providing third-party verification of the identity of the certificate owner. There are varying levels of verification a third-party Certificate Authority (CA) may carry out, ranging from just confirming control of the domain name (Domain Validation [DV]) to more extensive identity checks (Extended Validation [EV]).

However, an SSL certificate — or any of the certificates which form a chain from the server's certificate to a trusted root installed in the browser or operating system — may need to be revoked. A certificate should be revoked when it has had its private key compromised; the owner of the certificate no longer controls the domain for which it was issued; or the certificate was mistakenly signed. An attacker with access to an un-revoked certificate who also has access to the certificate's private key can perform a man-in-the-middle (MITM) attack by presenting the certificate to unsuspecting users whose browsers will behave as if they were connecting to a legitimate site.

There are two main technologies for browsers to check the revocation status of a particular certificate: using the Online Certificate Status Protocol (OCSP) or looking up the certificate in a Certificate Revocation List (CRL). OCSP provides revocation information about an individual certificate from an issuing CA, whereas CRLs provide a list of revoked certificates and may be received by clients less frequently. Browser support for the two forms of revocation varies from no checking at all to the use of both methods where necessary.

On 30th April 2013 an intermediate certificate issued to Network Associates — which forms part of the chain from an individual certificate back to a trusted root — was revoked by RSA. The intermediate certificate was used to sign multiple McAfee SSL certificates including one for a busy e-commerce website, www.mcafeestore.com. Its revocation should have prevented access to all of the websites using the intermediate including the online store. However, more than a week later nobody had noticed: no tweets or news articles appeared and the certificate was still in place.

The certificate chain for mcafeestore.com, before it was replaced. The highlighted certificate, NAI SSL CA v1, was revoked on 30th April 2013

The intermediate certificate was revoked by RSA by adding its serial number, 54:99:05:bd:ca:2a:ad:e3:82:21:95:d6:aa:ee:b6:5a, to the corresponding CRL. None of the certificates in the chain provide a URL for OCSP, so using the CRL is the only option available. After the CRL was published, browsers should display an error message and prevent access to the website. The reality is somewhat different, however.

Business as usual in Firefox

Firefox does not download CRLs for websites which use the most popular types of SSL certificate (all types of certificate except EV which is usually displayed with a green bar). Without downloading the CRL, Firefox is happy to carry on as usual; letting people visit the website and transfer sensitive personal information relying on a certificate that is no longer valid. In any case even if OCSP were available, by default Firefox will only check the validity of the server's certificate and not attempt to check the entire chain of certificates (again, except for EV certificates).

No warnings for mobile users either on Android or iOS

Mobile browsing now makes up a significant proportion of internet use. Neither Google Chrome on Android nor Safari on iOS present a warning to the user even after being reset. Safari on iOS does not make revocation checks at all except for Extended Validation certificates and did not make requests for the CRL which would have triggered the revocation error message.

Google Chrome: [left to right] default settings, revocation checks enabled on Windows, and revocation checks enabled on Linux

Google Chrome, by default, does not make standard revocation checks for non-EV certificates. Google does aggregate a limited number of CRLs and distributes this via its update mechanism but, at least currently, it does not list the certificate in question or indeed any of the other certificates revoked in the same CRL. For the majority of Chrome users with the default settings, as with Firefox, nothing will appear to be amiss.

For the security conscious, Google Chrome does have the option to enable proper revocation checks, but in this case the end result depends on the platform. On Windows, Google Chrome can make use of Microsoft's CryptoAPI to fetch the CRL and it correctly prevents access to the site. However, RSA's CRL is not delivered in the conventional way: instead of providing the CRL in a binary format, it is encoded into a text-based format which is not the accepted standard. Mozilla's NSS — which is used by Firefox on all platforms and by Google Chrome on Linux — does not support the format. On Linux, Google Chrome does make a request for the CRL but cannot process the response and instead carries on as normal.

Warning to potential customers when visiting the store at https://www.mcafeestore.com

Microsoft's web browser, Internet Explorer is one of the most secure browsers in this context. It fetches revocation information (with a preference for OCSP, but will fallback to CRLs) for the server's certificate and the rest of the certificate chain and, as a consequence of the revocation check, it prevents the user from making their purchase on www.mcafeestore.com.

Opera preventing access to the website

Along with Internet Explorer, Opera is secure by default: it prevents access to the webpage. Opera checks the entirety of the certificate chain using either OCSP or CRLs where appropriate.

However, even with the most secure browser, the most frequent users of a secure website may be able to continue using a website for weeks or months despite one of the certificates in the chain of trust having been revoked. The CRL used in this case can be cached for up to 6 months, leaving frequent users, who will have a cached copy of the CRL, in the dark about the revocation. Going by previous copies of the CRL, the CRL may have last been generated in January 2013 and valid until July 2013. If that is the case and you have visited any website using the same intermediate certificate your browser will not display any warnings and will behave as if the certificate has not been revoked. However, you need not have visited mcafeestore.com before to have a cached CRL; there were 14 other websites with the same intermediate certificate in Netcraft's latest SSL survey.

As long as six months sounds to miss out on important revocation information, browser vendors in control of the list of trusted CAs allow CRLs to have 12-month validity periods when destined for intermediate certificates. CRLs covering individual, or subscriber, certificates are required to be valid for at most 10 days. By its very nature access to the private key corresponding to an intermediate certificate is more useful to an attacker: he can use the private key to sign a certificate for any website he so chooses rather than having access to just a single site. Browsers do have the ability to distrust certificates if they become aware of the compromise, but they may depend on slow update mechanisms to update the trusted set of certificates.

Whilst it may be expensive for an online store to be using a certificate that should not be valid, the consequences for governmental or banking websites could be more severe. If the certificate, or one of the certificates in the chain, were revoked due to a key compromise and there is an active attacker exploiting the lack of revocation checking in modern browsers, the public could be at risk for an extended period of time. The state of revocation amongst modern browsers is sufficiently fragmented to ensure that the entire concept of revocation is on shaky ground — without consistent behaviour and timely updates, if or when the certificate is finally blocked it is too late.

Netcraft waited until the certificate was replaced before publishing this article.

Live chat used in phishing attack

Early last week, Netcraft blocked a website purporting to offer online support for eBay customers. The website made use of a third-party live chat service provided by Volusion, an e-commerce outfit which also provides both free and premium hosted live chat services. By running a live chat service and asking the right questions, a fraudster could coax an unsuspecting victim into revealing sensitive information in addition to their eBay login credentials.

The agent providing "support" claimed that the chat was accessed by clicking a live chat button in eBay's order confirmation email. When Netcraft attempted to question the legitimacy of the live chat, the agent immediately disconnected. eBay's official live chat service is available to eBay members through a secure page on an ebay.com subdomain and is linked to from the eBay website.

An example fraudulent live chat impersonating eBay (left) and the legitimate version (right); both have valid SSL certificates

An example fraudulent live chat impersonating eBay (left) and the legitimate version (right); both have valid SSL certificates

Later, the site showed a place-holder company logo and the eBay branding had disappeared.

This attack is interesting as several well-known companies outsource their live chat support, including Sky, a British broadcaster and ISP (LivePerson), Western Union (Oracle), and Rackspace (BoldChat). This, combined with a valid SSL certificate, could be convincing enough to deceive people accustomed to seeing third-party domain names for live chat applications. In addition, free or trial deployments can be obtained for these third-party services quickly — some without identification or credit cards — allowing a social engineer to carry out this attack easily and anonymously.

Live chat social engineering is not a novel technique for fraudsters: last December, a replacement Kindle was falsely ordered via the official Amazon live chat by a fraudster with only limited knowledge of the victim. A similar scam was seen in February this year. A forum dedicated to social engineering has a thread allegedly making offers to buy Amazon order numbers, which could be used in future attacks.

Netcraft advises people to never reveal sensitive information such as passwords or PINs in live chats, even if asked. A legitimate company will not require this information. If in doubt, challenge them to verify who they say they are. Only access live chats from companies' own sites: do not access them from third-party websites or emails.

You can protect yourself against the latest phishing attacks by installing Netcraft's Anti-Phishing Extension and help protect the internet community by reporting potential phishing sites to Netcraft by email to scam@netcraft.com or at http://toolbar.netcraft.com/report_url. Netcraft can also help protect both brand owners and hosting companies.

OCSP Server Performance in March 2013

Rank Company site OS Outage
DNS Connect First
1 ocsp.starfieldtech.com Linux 0:00:00 0.003 0.076 0.024 0.043 0.043
2 ocsp.verisign.com Citrix Netscaler 0:00:00 0.006 0.051 0.081 0.162 0.162
3 ocsp.thawte.com Citrix Netscaler 0:00:00 0.006 0.041 0.083 0.164 0.164
4 ocsp.godaddy.com Linux 0:00:00 0.015 0.161 0.025 0.044 0.044
5 ocsp.startssl.com/sub/class4/server/ca Linux 0:00:00 0.018 0.068 0.011 0.056 0.056
6 evsecure-ocsp.verisign.com Citrix Netscaler 0:00:00 0.018 0.228 0.082 0.163 0.163
7 ocsp.trendmicro.com/tmca Citrix Netscaler 0:00:00 0.018 0.050 0.099 0.200 0.201
8 evintl-ocsp.verisign.com Citrix Netscaler 0:00:00 0.024 0.261 0.082 0.162 0.162
9 ocsp.startssl.com/sub/class2/server/ca Linux 0:00:00 0.027 0.049 0.011 0.057 0.057
10 ocsp.xi.tcclass2-ii.trustcenter.de Linux 0:00:00 0.027 0.199 0.090 0.197 0.197

See full table

The Online Certificate Status Protocol (OCSP) is an alternative method to Certificate Revocation Lists (CRLs) for obtaining the revocation status of an individual SSL certificate. Fast and reliable OCSP responders are essential for both Certificate Authorities (CAs) and their customers — a slow OCSP response will introduce an additional delay before many browsers can start sending and receiving encrypted traffic over an HTTPS connection.

Starfield Technologies, a Go Daddy brand, had the most reliable OCSP responder last month with only a single failed request and an average connection time of 24ms. Starfield Technologies was founded in 2003 as the technology research branch of Go Daddy. Go Daddy customers have the option to choose which issuing organization to use when buying an SSL certificate. Although both Go Daddy and Starfield appear to share the same OCSP responder infrastructure, ocsp.godaddy.com had five failed requests, however this was still fewer than StartCom, Symantec, and Trend Micro. Both Go Daddy and Starfield issue certificates in all three certificate assurance categories: Domain Validation (DV), Organisation Validation (OV), and Extended Validation (EV). Starfield is most prominent in the EV sector — more than 15% of all EV certificates issued within the group are issued by Starfield — but it remains only a small part of Go Daddy's SSL certificate business: Starfield accounts for just 10% of certificates issued.

StartCom had the shortest average connect time (11ms) of all monitored CAs last month after having moved its OCSP infrastructure at the end of February. StartCom, as well as Entrust, now delivers its OCSP responses via the Akamai CDN (Content Delivery Network), reducing the OCSP connection overhead to a minimum by serving content from as topologically close as possible to the client. GlobalSign is a CloudFlare evangelist, using CloudFlare's CDN platform for its OCSP and CRL infrastructure as well as their own corporate website.

Many of the monitored OCSP responders are served by Citrix Netscaler devices. Citrix Netscaler is a hardware appliance that provides, amongst other features, load balancing and firewall functions. The use of such load balancing technology is no surprise — a single certificate on a popular site that does not use OCSP stapling could generate a significant number of OCSP requests, causing a CA's responder to experience high volumes of traffic.

In many circumstances each connection to an HTTPS site could trigger multiple OCSP requests: a request for the server's certificate and one for each intermediate certificate. OCSP responses are typically valid for a week, so some caching is possible. Caching can reduce both the burden on OCSP responders and increase the perceived performance of HTTPS websites to users, but is limited to repeat visits. OCSP Stapling is designed to improve performance by allowing the web site's server to “staple” the OCSP response to the TLS handshake, removing the need for the client to connect to the CA's OCSP responder.

Netcraft measures and makes available the OCSP and CRL end point response times of all the major Certificate Authorities (CAs). The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

UGG blog used to fleece HSBC customers

Hot on the heels of recent WordPress attacks, Netcraft has found a phishing attack which uses a script hosted on the official UGG blog at blog.uggaustralia.com. UGG — famous for its sheepskin boots — hosts its WordPress blog with Media Temple but its blog also contains a malicious PHP script which fleeces HSBC customers out of their bank account details. It is difficult to tell whether this attack is connected with the recent increase in brute-force password guessing attacks on WordPress or whether the location of the malicious script is unconnected.

The attack uses a phishing email with an attached HTML document designed to look like a genuine HSBC website. The HTML attachment contains a form which asks the victim for his date of birth, security number, account number, sort code and full name. The entered details are submitted to the server hosting the UGG blog, where the details are harvested by a PHP script hidden in the blog's stylesheet directory; the victim is then redirected to the real HSBC website as if nothing untoward were afoot.

The phishing form is submitted to the script hidden on UGG's blog.

WordPress is by far the most popular blogging platform and content management system on the internet: Netcraft's April 2013 Publishing Applications survey found more than 25 million WordPress sites. Given its popularity, it is not surprising that is often targeted by fraudsters. The predictable location of the administrative interface and the widespread use of the default "admin" username lends itself to simple brute-force password guessing attacks as have been reported recently.