Microsoft Achieves World Domination (in OCSP Stapling)
19th July, 2013
Certificate revocation checking is an essential part of any connection to an SSL site; without it, an attacker can impersonate an SSL site with a compromised certificate until it expires of its own accord — an event which may be 5 years away — even if the issuer of the certificate (the certificate authority, or CA) is made aware of the breach. One of the methods used to check the revocation status, OCSP, requires the browser to make a per-certificate request to the issuing CA as part of the initial connection to an SSL site.
This separate OCSP request can increase the time taken for the browser to connect to an SSL site and imposes a traffic burden on the CA. OCSP stapling is advantageous because it removes the need for a separate request to the CA by bundling the OCSP response with the existing SSL connection.
The proportion of certificates in the July 2013 Netcraft SSL survey served over an SSL connection with a stapled OCSP response.
In the latest Netcraft SSL Survey, more than 22% of certificates were served with a stapled OCSP response. Of those SSL certificates seen with a stapled OCSP response, almost all (96%) were served from computers running Microsoft Windows. OCSP stapling has been enabled by default in IIS since Windows 2008, significantly before its competitors — Apache added support in version 2.4 in February 2012 and nginx added support in version 1.4.0 in April 2013.
|Windows Server 2008||94.54%|
|Windows Server 2012||1.76%|
The certificates in the July 2013 Netcraft SSL survey served over an SSL connection with a stapled OCSP response, split by operating system.
More than 99% of the stapled OCSP responses corresponded to a 'good' status, but somewhat surprisingly, there were around 900 responses which corresponded to a revoked status. These include a certificate on a Maybank website (the largest financial institution in Malaysia) and a certificate on the mobile version of marines.com, an official US Marine Corps recruitment website. m.marines.com appears to be load balanced across at least two machines, one of which staples a revoked response, the other uses a different non-revoked certificate.
m.marines.com in Google Chrome (on Windows) and Safari on iOS6.
Browser support for OCSP stapling is patchy and varies with the operating system. As well as on the server-side with IIS, Microsoft's client-side support for OCSP stapling is good: Internet Explorer supports stapling, as does every other browser tested on Windows except Firefox. Firefox does particularly poorly on all platforms, with no support at all for OCSP stapling in the current release, though support is on its way. Google Chrome uses a patched version of NSS (the same library as Firefox) on Linux which does include stapling support. The upgrade from Opera 12 to Opera 15 on Mac OS X removes support for OCSP stapling, perhaps as a side-effect of the move to WebKit (blink), leaving Mac OS X without support for OCSP stapling when using the latest release of any common browser.
Where OCSP stapling may help the most — on mobile networks where latency may be high — there is no support, at least in conventional browsers which make direct requests. Opera Mini, which uses a proxy to compress responses, does make SSL requests which include a request for an OCSP stapled response, but security conscious users may be reticent to trust their SSL encrypted data to Opera (which proxies SSL connections through its servers) in exchange for OCSP stapling.
|Browser/OS||Windows||Linux||Mac OS X||iOS||Android|
|Google Chrome 28||Yes||Yes||No||No||No|
|Internet Explorer 10||Yes||N/A||N/A||N/A||N/A|
CloudFlare is a vocal supporter of OCSP stapling and claims that stapling can improve the time taken to start an SSL connection by up to 30%. CloudFlare’s implementation of OCSP, though, does not consistently provide a stapled OCSP response. Netcraft took 50 random CloudFlare IP addresses seen in the SSL survey and made 50 sequential requests with OCSP stapling enabled after an initial priming request which was discarded.
The number of CloudFlare IP Addresses responding with OCSP stapled grouped by the request number. 50 IP addresses were connected to with openssl s_client -status, the initial request was discarded and then after a 5 second pause, 50 sequential requests were made.
Fewer than 50% of the CloudFlare IP addresses responded with an OCSP response stapled on the first non-discarded connection attempt. Even after 20 requests, the response rate is not consistent, some IP addresses still fail to staple an OCSP response on each and every SSL connection. This inconsistent behaviour may be down to a number of separate machines responding to the same IP address either in different locations, or behind a load balancer.
OCSP stapling, at least in its current form, does not exempt most browsers from all OCSP requests; even if the OCSP response for the certificate of the SSL site itself is stapled, the OCSP responses from the intermediates certificates — the chain of certificates which link the site’s certificate to a trusted certificate embedded in the browser — are not included. Yngve Pettersen, formerly of Opera, has recently authored RFC 6961 defining a standard which is intended to combat some of the problems with the current generation of OCSP stapling.