Why do big sites not use OCSP stapling?


I learnt something about OCSP recently. I check the OCSP stapling of a site with a command like:

$ openssl s_client -connect www.stackoverflow.com:443 -status -servername www.stackoverflow.com

I found that my own site, stackoverflow and some other small sites have OCSP settings: they have an OCSP Response Data field in the command's response.

But when I check some big sites like google.com, github.com and facebook.com, they don't have such a field, and I get OCSP response: no response sent.

So why don't they use it?

2
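A small helper to classify the output of the s_client command above, added here as an example (not part of the question or either answer): it reads the transcript on stdin, reports whether a stapled response was present, and pulls out the Cert Status and Next Update fields so the validity window Alexandre's answer warns about is visible at a glance. The two sample transcripts are constructed, not captured from any real host.

```shell
#!/bin/sh
# Classify an `openssl s_client -status` transcript read from stdin.
# Prints "none" when nothing was stapled, otherwise the Cert Status
# ("good", "revoked", "unknown") plus the Next Update time if present.
# Exit status is 0 only for a stapled "good" response.
# Live use: openssl s_client -connect HOST:443 -status -servername HOST \
#             </dev/null 2>/dev/null | ocsp_staple_status
ocsp_staple_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*)
            echo "none"; return 1 ;;
    esac
    # A stapled response is printed as an "OCSP Response Data" block whose
    # per-certificate part carries "Cert Status:" and "Next Update:" lines.
    status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
    next=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1)
    # No Cert Status at all (e.g. handshake failed) is reported as "unknown".
    echo "${status:-unknown}${next:+ (valid until $next)}"
    [ "$status" = "good" ]
}

# Constructed excerpts of s_client output, trimmed to the relevant lines.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=2 C = US, O = Example CA'
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_NONE" | ocsp_staple_status || true      # prints "none"
printf '%s\n' "$SAMPLE_STAPLED" | ocsp_staple_status           # prints "good (valid until ...)"
```

The week-long window between This Update and Next Update in the stapled sample is exactly the replay window the first answer describes: a response fetched before revocation stays acceptable until Next Update passes.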

There are 2 answers

1
Alexandre Fenyo On

To protect your users, as a web server, you must use OCSP Must-Staple. But even in such a situation, you need to consider that the OCSP responses that are given are often valid for multiple days, so an attacker can get an OCSP valid status for a server certificate before the certificate was revoked and insert it as an OCSP stapled status during their MitM attack against a web client (of course, the attacker must be the same one that hacked the certificate and for which the certificate has been revoked). So a browser that would not support OCSP stapling and that would require OCSP would be protected; a browser supporting OCSP stapling would not be. This is one of the reasons why OCSP stapling is not the ultimate choice. There are some cases where it is a less secure way to avoid security flaws, and some other cases where it is useless. Even if it is not a bad attempt to get more trust on the Internet, of course.

So, some big companies like Google offer other means to protect their customers and users using their browsers: they want to offer a more secure experience to their users, compared to other browsers, because their goal is to get more users. For this purpose, Google Chrome implements the proprietary CRLSets mechanism.

The same companies and others also want to promote other ways for people to get (back) trust on the Internet. For instance, some companies follow Google in promoting the Certificate Transparency mechanism. So it would be a bad idea, politically speaking, to implement OCSP stapling on their site while working on another trust mechanism for the Internet.

The best paper I've read about certificate revocation and the means to protect your users is here: https://arstechnica.com/information-technology/2017/07/https-certificate-revocation-is-broken-and-its-time-for-some-new-tools/

0
Taha Jahangir On

Probably because it saves some bytes in response.

Alexandre's answer (especially the bolded text) may be correct for google.com, but not for facebook.

The presence of a stapled OCSP response in every TLS connection takes many bytes. What would happen if no stapled OCSP response exists in the response? The client would send an OCSP verify request to the original server and cache the response for several days. For popular websites like google and facebook, users visit pages several times a day, and normally the OCSP response is cached at the client and no extra OCSP request is required (e.g. only 2% of clients need an actual OCSP request).

So for these popular sites, removing OCSP stapling (and saving a hundred bytes for 98% of requests) is a better choice than making a site faster for 2% of requests.