
What is OCSP Stapling and how do I use it?

At 20i, we have recently released support for OCSP Stapling with our free CDN. Content served through our CDN now automatically receives a signed OCSP response as part of the initial SSL/TLS handshake.

This results in even faster load times for visitors using a browser that supports OCSP Stapling, such as Firefox, Google Chrome, Opera, Safari and Microsoft Edge.

In this post, we will delve into what OCSP Stapling is, how it seamlessly integrates with our CDN and how it benefits you and your websites.

What is traditional OCSP?

OCSP, or the Online Certificate Status Protocol, is used to check the status of an SSL/TLS certificate.

This protocol queries the certificate authority (CA) to see if the certificate has been revoked since it was issued.

This is a crucial process in ensuring that a website is secure – and not just pretending to be. Insecure sites can result in visitors falling victim to Man-in-the-Middle attacks and a host of other security breaches.

While traditional OCSP plays a vital role in cyber security for websites, it also comes with its drawbacks. One issue with traditional OCSP is the latency caused by the CA’s servers being slow or unresponsive. Another is that the CA can log the IP of the user making the OCSP request and use this to track what sites they are visiting – a significant privacy concern.

What is OCSP Stapling?

OCSP Stapling addresses the shortcomings of traditional OCSP by shifting the responsibility of fetching the OCSP response from the client’s browser to the webserver.

Instead of the client’s browser querying the CA to check the certificate, the webserver periodically requests a signed OCSP response from the CA.

The webserver will then ‘staple’ the response to the SSL/TLS handshake process.
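To confirm that a server really is stapling, you can inspect the OCSP section that `openssl s_client -status` prints during the handshake. The script below is an added example, not 20i's own code: the function names and sample outputs are constructed for illustration, and example.com is a placeholder host.

```bash
#!/usr/bin/env bash
# Added example: classify the OCSP part of `openssl s_client -status` output.

# Reads s_client output on stdin; prints not-stapled, stapled-good,
# stapled-revoked or stapled-other.
staple_status() {
    local out status
    out=$(cat)
    # OpenSSL prints "no response sent" when the handshake carried no staple.
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo not-stapled
        return 0
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    case $status in
        good)    echo stapled-good ;;
        revoked) echo stapled-revoked ;;
        *)       echo stapled-other ;;
    esac
}

# Prints the staple's expiry ("Next Update"), after which the webserver
# must have fetched a fresh response from the CA.
staple_next_update() {
    sed -n 's/^ *Next Update: *//p' | head -n 1
}

# Constructed sample: handshake with a stapled response.
sample_stapled() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: May  1 10:00:00 2024 GMT
    Next Update: May  8 09:59:59 2024 GMT
EOF
}

# Constructed sample: server did not staple.
sample_unstapled() {
    printf 'OCSP response: no response sent\n'
}

# Live check (needs network; example.com is a placeholder host):
#   openssl s_client -connect example.com:443 -servername example.com \
#       -status </dev/null 2>/dev/null | staple_status
```

A result of not-stapled means the browser falls back to whatever revocation checking it does on its own, so the latency and privacy benefits described here do not apply to that connection.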

What are the benefits of OCSP Stapling?

Eliminating the process of a client’s browser making OCSP requests results in much faster load times when establishing a secure connection.

This difference is especially apparent on high-traffic websites or website networks that typically suffer from poor latency.

OCSP Stapling also protects the privacy of end-users by preventing the CAs from seeing requests from individual users.

With the OCSP request being made from the webserver, rather than the client’s browser, the CA cannot see the user’s IP address or use this to track what websites they are visiting.

OCSP Stapling is supported by many modern web servers and web browsers, making its implementation straightforward and commonplace.

20iCDN with OCSP Stapling

Our CDN is included free of charge with all our Managed Hosting,  and Reseller Hosting.

20iCDN has many nodes at strategic locations throughout the world, which store cached versions of your content.

Having content ready to be delivered from these nodes, as opposed to from an origin centre that could be hundreds of miles away, dramatically improves website load speeds. The CDN nodes utilise our bespoke web optimisation tools, caching tools and configurable security headers and statistics.

Search engines favour fast-loading websites. Having your sites hosted on a platform with a performant CDN contributes positively to your SEO efforts.

Implementing OCSP Stapling within our CDN takes this one step further by reducing the time needed to establish secure connections.
