Certificate Authorities form group to push for better certificate-revocation checking

The newly formed Certificate Authority Security Council will raise awareness about OCSP stapling

By Lucian Constantin, IDG News Service |  Security

"The CASC plans to educate affected parties in the coming months through blog posts, conference presentations, and other resources that will help people learn about OCSP stapling and make it easier for web server administrators to understand how to enable OCSP stapling on their servers," CASC said Thursday on its website. "We also plan to encourage wider adoption of this critical technology among software vendors and browsers."

According to CASC, OCSP stapling is supported by Microsoft's IIS (Internet Information Services), the newest versions of Apache and nginx Web servers, as well as the major browsers.

Ivan Ristic, the director of engineering at security firm Qualys, who runs the SSL Labs and SSL Pulse projects, believes that encouraging OCSP stapling adoption is a very good idea. However, it will take some time until the technology is widely adopted, because there are still some issues, he said.

For example, OCSP stapling is supported in Apache 2.4.x, but this version of the server is not widely used, Ristic said. "It's not installed by default in any of the major [Linux] distributions, as far as I know," he said.

If you want to support OCSP stapling today, you have to go out of your way, download Apache 2.4.x from the Apache Software Foundation website, compile it from source and so on, Ristic said. "So yes, it will take some time until this capability [OCSP stapling] is distributed widely so that people can use it."

"We'll have to work on raising awareness and from that perspective I think that what CASC is doing is great, because the community as a whole needs to learn how to do it," Ristic said.

SSL Labs, a project that monitors the SSL implementation on the world's top 180,000 HTTPS-enabled websites doesn't collect information about OCSP stapling. However, according to statistics released by Opera developer Yngve Nysaeter Pettersen, who runs the TLS Prober project, roughly 7 percent of HTTPS servers supported OCSP stapling as of October 2012.

Support on the client side is hard to estimate because there are so many products and old software out there, Ristic said. "I have a project that performs passive client SSL monitoring and I use it on ssllabs.com. I've just run some statistics on the collected information and exactly 30 percent of browser clients supported OCSP stapling. This number is very dependent on the type of visitor/browser one has on a Web site, but can be taken as a rough measurement," he said.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question