
Browsers actually validate the certificate through CRL / OCSP for EV sites, if I recall correctly.

That takes time and adds latency, and there are differences between CAs in OCSP server performance. Your location can obviously impact performance too. If you're performance conscious you might want to take this into account.

This is actually something people don't consider when they say certificates should be free - running these CRL / OCSP servers costs money.

https://www.imperialviolet.org/2012/02/05/crlsets.html

Netcraft does OCSP responder performance analytics: http://uptime.netcraft.com/perf/reports/performance/OCSP



Would I be right in thinking OCSP stapling would avoid the extra trip in this instance?


Yes. It's meant to lessen the load on the OCSP responders and improve performance. The server will periodically fetch the OCSP response and serve it to clients so not every client needs to do it themselves.
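As an added illustration (not code from the thread or from any browser or server project) of what the stapling cache described above does: the server refreshes the OCSP response partway through its validity window, keeps serving the last good response if the responder is unreachable, and never staples a response past its nextUpdate. The responder is replaced by a constructed callable, and the client-side check assumes a tolerance for clock skew.

```python
"""Model of an OCSP-stapling cache as a TLS server would run it (added
illustration; the OCSP responder is simulated by a callable that returns a
constructed response instead of performing a real fetch)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class OcspResponse:
    status: str          # "good" or "revoked" (constructed values)
    this_update: float   # thisUpdate, seconds since epoch
    next_update: float   # nextUpdate, seconds since epoch


class StapleCache:
    """Fetches the OCSP response ahead of time and hands it out in the handshake."""

    def __init__(self, fetch: Callable[[], Optional[OcspResponse]],
                 refresh_fraction: float = 0.5):
        self.fetch = fetch                    # simulated responder call
        self.refresh_fraction = refresh_fraction
        self.cached: Optional[OcspResponse] = None

    def refresh_due(self, now: float) -> bool:
        """Refresh once a fraction of the validity window has elapsed."""
        if self.cached is None:
            return True
        lifetime = self.cached.next_update - self.cached.this_update
        return now >= self.cached.this_update + lifetime * self.refresh_fraction

    def staple_for_handshake(self, now: float) -> Optional[OcspResponse]:
        """Return the response to staple, or None if nothing valid is cached."""
        if self.refresh_due(now):
            fresh = self.fetch()              # responder down -> None
            if fresh is not None:
                self.cached = fresh           # otherwise keep the old copy
        # Never staple an expired response: a client would reject it anyway.
        if self.cached and self.cached.this_update <= now < self.cached.next_update:
            return self.cached
        return None


def client_accepts_staple(staple: Optional[OcspResponse], now: float,
                          skew: float = 300.0) -> bool:
    """Client-side check: present, within its window (allowing skew), and 'good'."""
    if staple is None:
        return False
    in_window = staple.this_update - skew <= now < staple.next_update + skew
    return in_window and staple.status == "good"
```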



