Information about Firefox
angryparcel
Posts: 926 Forumite
in Techie Stuff
I just got the following info from my SSL cert wholesaler regarding Firefox
May 31, 2017
Firefox Will Disable OCSP Checking for DV and OV Certificates
The Revocation Mechanism Has Been Blamed for Delayed Page Loads
Mozilla will be experimenting with disabling OCSP checking due to performance concerns. OCSP, or Online Certificate Status Protocol, is one of the technical mechanisms used to check if a certificate has been revoked.
The change will be made in an upcoming version of Nightly – a pre-release version of Firefox dedicated to testing new features. If telemetry data shows that it’s best to disable OCSP checking for DV and OV certificates because it reduces the total time of the handshake, it will be brought to the consumer release of Firefox.
This will bring Firefox to par with other major browsers, including Chrome and Safari, which
OCSP Stapling – where the server provides the OCSP response directly to the client – will not be affected. Firefox will also continue to fetch OCSP responses for EV (Extended Validation) certificates.
OCSP has long been criticized as being broken. Because of the operational challenges of deploying the service at a global scale, OCSP often ends up in a situation where it “soft-fails” – meaning in the case that an OCSP check isn’t completed (because the server is down or the connection times out) the certificate is assumed to be valid. With soft-fail, it’s hard to see how OCSP provides any security benefits. Adam Langley, an engineer at Google, compared this problem to “a seat-belt that snaps when you crash.”
According to Mozilla’s telemetry, nearly 9% of successful OCSP checks take more than 1 second. This second adds to the time it takes to establish the SSL/TLS handshake, and represents a significant increase to overall load time.
In a very small number of cases (less than .05% of the time), a successful check takes over 3 seconds. While that is a very low rate it represents more than 4 million page loads.
Coincidently, Let’s Encrypt’s OCSP service failed earlier this month for about 12 hours, causing performance issues for websites using their certificates. Last year the CA GlobalSign also suffered an issue related to their OCSP servers. These incidents raise questions about the net value of OCSP and if it’s causing more harm than good.
David Keeler, a security engineer at Mozilla, wrote that “the plan is to monitor telemetry to see if this impacts TLS handshake time.” If there is a performance improvement, they will move forward with disabling the check in all versions of Firefox.
Improvements to OCSP were designed years ago – two additions to the protocol known as Stapling and Must-Staple intended to fix the performance, security, and privacy issues. However, Apache and NGINX, which are the most commonly used webservers, either implement these features poorly or not at all.
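The soft-fail, Stapling and Must-Staple behaviour the article describes, modelled as a small client-side policy function. This is an added example, not code from the article, Mozilla or any browser; the `Handshake` fields and the `decide` function are a hypothetical model for illustration only.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Validation(Enum):
    DV = "DV"
    OV = "OV"
    EV = "EV"

class Ocsp(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"
    TIMEOUT = "timeout"  # responder down or connection timed out

@dataclass
class Handshake:
    """Constructed view of one TLS handshake (hypothetical model, not a real API)."""
    validation: Validation
    must_staple: bool = False       # cert carries the Must-Staple (TLS Feature) extension
    stapled: Optional[Ocsp] = None  # OCSP response the server stapled, if any
    live_fetch: Ocsp = Ocsp.GOOD    # what a client-side OCSP request would get back

def decide(hs: Handshake, fetch_dv_ov: bool = True, soft_fail: bool = True) -> Tuple[bool, str]:
    """Return (accept, reason). fetch_dv_ov=False models the proposed Firefox change
    (live OCSP only for EV); soft_fail=True models the behaviour the article criticises."""
    # Must-Staple: a server that promised a staple and sends none is rejected,
    # so an unreachable responder no longer turns into a silent pass.
    if hs.must_staple and hs.stapled is None:
        return False, "must-staple certificate without stapled response"
    # Stapling: the response rides in the handshake, no extra round trip.
    if hs.stapled is not None:
        return hs.stapled == Ocsp.GOOD, "stapled:" + hs.stapled.value
    # No staple: with DV/OV fetching disabled, only EV triggers a live OCSP request.
    if hs.validation != Validation.EV and not fetch_dv_ov:
        return True, "no OCSP fetch for DV/OV"
    if hs.live_fetch == Ocsp.GOOD:
        return True, "fetched:good"
    if hs.live_fetch == Ocsp.REVOKED:
        return False, "fetched:revoked"
    # UNKNOWN or TIMEOUT: soft-fail assumes the cert is valid (the seat-belt that
    # snaps when you crash); hard-fail refuses the connection.
    mode = "soft" if soft_fail else "hard"
    return soft_fail, "fetched:%s -> %s-fail" % (hs.live_fetch.value, mode)
```

The timeout case with soft-fail on is the one the article calls a seat-belt that snaps: the certificate is accepted without any revocation evidence, whereas the same outage against a Must-Staple certificate is a rejection.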
Comments
Does this really worry you?
Thanks angry parcel.
A good 'Heads Up' and relevant to many, including myself.
And yes, it 'worried' me!
I think this job really needs a much bigger hammer.