OCSP Stapling is one of the methods to check the revocation of the SSL/ TLS Certificates provided by the CA(Certificate authorities) in order to provide your users a better experience of your website and also make your website client friendly. So that your site feels legitimate. Thus, to dive deep into this, let’s get acquainted with few terms.
SSL/ TLS Certificate –
Secure Socket Layer/ Transport Layer Security is the certificate required by website as proof their legitimacy and have secure connections between web browsers and web server. They are also known as website security certificates.
Hypertext Transfer Protocol Secure, in simple terms when HTTP and SSL/ TLS are combined they provide a secure communication between the client (web browser) and web server.
CA stands for Certificate Authorities. They basically issues digital certificates to the web servers. They can as the third party for sanctioning the certificates in HTTPS to provide secure platform for browsing.
Certificate Revocation Lists, they are the list of digital certificates that are cancelled or revoked by the CA (Certificate authorities). It means that they cannot be trusted the client who is seeking a secure connection with the web server.
It stands for Online Certificate Status Protocol. It is an alternative to CRLS. It also checks whether the website’s certificate is revocked or not. It is just a better option than CRLS.
SSL/ TLS Handshaking –
It is the process that takes places when the client(web browser) is trying to form a connection with website’s server. In plain terms, it is to and fro communication between the web browser and web server. Its main purpose is to create an encrypted connection between the client and the web browser.
OSCP Stapling is also the process that is used to check the revocation of the digital certificates provided by the CA. CA needs an intermediator to communicate the certificate’s revocation information to the client and the web servers, and this where OCSP and CRLS becomes functional.
But why it is preferred over OCSP or CRLS because traditionally OCSP and CRLS use to burden the client( Web browser) to check the legitimacy of the SSL/ TLS certificates before connecting to the web server. However, after the introduction of the OCSP Stapling, it is now the task of the web server to contact the CA to prove its legitimacy in order to secure a distinguished platform for web browsers(clients) and also this enchances their site by taking load off the shoulders of the client. Thus, it proves why OCSP Staping a better option.
1. Sending OCSP Requests To CA – The web server sends an OSCP request to Certificate Authorities. The requests are sent every minute or hour according to preferred settings .
2. CA revert backs Timestamped data – CA sends back encoded data with approval back to the OCSP server.
3. Stockpiling timestamped data received – OCSP server uses this stockpiled or stapled data as proof or reference until it receive new timestamped data from CA.
4. Providing the Client Timestamped data – The OCSP server provides this cached data and in return it responses to the client during SSL/ TLS handshake with SSL/ TLS certificate as the proof of its legitimacy
Thus, Client(web Browser) trusts SSL/ TLS certificate and forms an encrypted connection with the web server.
With the help of the OCSP Stapling, the web server is able to constantly communicate with the OCSP Responder and keep it’s SSl/ TLS Certificate contemporary.
It enhances the speed of the SSL/ TLS handshake.It is a huge amelioration over the CRLS( Certificate Revocation List) which used to burden the clients as thy used to download the CRLS.
It also maintains the encrypted connection from the user’s end because CA are only able to see the OCSP requests sent by OCSP server and hence, the users data remains encrypted and user’s privacy is not disturbed. It also makes sure the validity of the of the SSl/ TLS certificates.
It is not quite popular among modern web browsers, like on google chrome it’s automatically disabled.
Between the envolvement of both the parties i.e. web server and the client, sometimes one end does not suppoer the OCSP Stapling. Suppose if the web Server does not support the OCSP Stapling then, the client have get back to the old methods of downloading the CRLS, in order to check the legitimacy of the web server and it takes up a lot of time and also sometimes causes chaos.
Moreover, OCSP Stapling could only sent a single certificate at the time of SSL/ TLS Handshake and to overcome this issue, new methods like Multi-level Stapling had been introduced, where one end can share multiple certificates to other end.
However, OCSP Stapling was quite a helpful tool when it was introduced. Modern times may have brought revised versions of stapling but OCSP Stapling contains its own importance and also acted as a stepping stone to new techniques that are now used to maintain encryption between the client and the web server.