Firefox 25 gets OCSP Stapling which improves privacy - gHacks Tech News

Firefox 25 gets OCSP Stapling which improves privacy

by Martin Brinkmann on August 01, 2013 in Firefox - No comments

The Online Certificate Status Protocol (OSCP) is being used by Firefox to retrieve certificate information. This happens when you connect to a https website in the browser. What it does basically is ask a Certificate Authority (CA) whether the certificate of the server is genuine or if there are any problems associated with it.

Certificates can be revoked for example, for instance when a private key has been lost, the domain was transferred to a new owner, or if there has been a hiccup when it was issued.

Firefox currently handles this by doing the following:

  • Connects to a https website and receives the certificate of that site.
  • Communicates with the CA to find out whether the certificate is valid.
  • Connects to the site if it is, or not if it is not.

This works considerably well but has two distinct disadvantages. First, it is necessary to connect to the CA whenever a certificate needs to be verified. This not only adds another connection to the process, but also leaks to the CA which website you are visiting.

Second, if a connection to a CA cannot be established by the browser, it must either select to terminate the connection because it cannot verify the authenticity of the certificate, or connect to the site anyway even if there is a chance that the certificate has been retracted.

Firefox by default allows the connection to go through in this case. This is not ideal as noted, and you can modify that setting to change it to termination instead.

  1. Type about:config into the browser's address bar and hit enter.
  2. Search for security.OCSP.require.
  3. Double-click the entry to set it to true. The default value is false.

firefox security ocsp require

OCSP Stapling

The new OCSP Stapling feature that has just landed in Firefox Nightly resolves both issues. It moves the certification verification step to the website. A https server checks with a CA regularly if the certificate is ok, and will receive the information that it is or isn't from it.

When you connect to the site in question, you not only get the certificate in the transfer, but also the signed assertion of the CA. Firefox verifies the data and will connect to the site if everything looks alright, or won't if it does not.

If a site does not support OCSP Stapling, Firefox will fall back to OCSP instead. According to Mozilla, OSCP Stapling has been implemented into web servers such as Apache or nginx. It still needs to be enabled before it becomes available.

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Donate via PayPal

Comments

There are no comments on this post yet, be the first one to share your thoughts!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.

Spread the Word

Ghacks Newsletter Sign Up

Please click on the following link to open the newsletter signup page: Ghacks Newsletter Sign up

Advertisement

This Day in History

Advertisement

Popular Posts

Advertisement

Recently Updated

About gHacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.

© 2018 gHacks Technology News. All Rights Reserved.