OCSP Stapling: How CloudFlare Just Made SSL 30% Faster (cloudflare.com)
28 points by jgrahamc 1786 days ago | 10 comments

It's nice that they've enabled this on their servers, but it comes with some caveats at the moment.

First, not all browsers support it. For example, no version of Firefox supports it at this time (see: https://bugzilla.mozilla.org/show_bug.cgi?id=360420).

Second, OCSP stapling was originally conceived for only the end-entity cert. This means that if the browser wants to check intermediates for revocation, that payload can't be stapled but will still require an additional check. There are several in-progress proposals (spearheaded by Opera) to resolve this, but it's not finalized yet. This negates some of the speed gain on browsers that do choose to do revocation checking with this level of rigor.

But guess what, you can join the stapling party even if you aren't a CloudFlare customer! If you're using Apache (2.3+) you can configure OCSP stapling for your own website with the SSLUseStapling directive. nginx also plans to support stapling with the 1.3 release (initial preview released early this month). You can also do stapling with IIS 7.5+ on Windows.

Edit: Others have asked what browsers currently support stapling. I believe only Opera and IE9+ (probably schannel in Win7, but possibly in Vista?) at this time. Chrome is publicly moving away from OCSP/CRL entirely in favor of aggregating that data themselves and pushing it down to clients via their own infrastructure, Firefox has that open bug, and Apple's roadmap for ocspd/securityd is obviously not known.
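The comment above names the server-side switches (Apache's SSLUseStapling, nginx's upcoming support) but not how to confirm that a server actually staples, which is the quickest way to tell whether a given site benefits from this at all. The following POSIX shell script is an added example, not code from the CloudFlare post or from any commenter. It emits the nginx (1.3.7 and later) and Apache httpd (2.4, or 2.3.3 and later) directives that enable stapling, and it classifies the output of `openssl s_client -status`, which asks the server for a stapled response during the handshake. The certificate path and resolver address in the snippets are placeholders, and the two sample outputs are constructed, not captured from a real server. Note that `-status` only reports the response stapled for the leaf certificate; it says nothing about the intermediates discussed in the second point above.

```shell
#!/bin/sh
# Added example (not from the CloudFlare post or any commenter).
# 1. Server side: directives that turn OCSP stapling on in nginx 1.3.7+ and
#    Apache httpd 2.4 (2.3.3+). Paths and resolver are placeholders.
# 2. Client side: request a stapled response with `openssl s_client -status`
#    and classify what came back.

# nginx: the worker fetches the OCSP response from the CA itself, so it needs
# a resolver; ssl_stapling_verify checks the responder signature against
# the chain given in ssl_trusted_certificate.
nginx_stapling_snippet() {
    cat <<'EOF'
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/ca-chain.pem;   # placeholder path
resolver 127.0.0.1 valid=300s;                           # placeholder resolver
EOF
}

# Apache httpd: SSLUseStapling is per-vhost, but the cache that holds the
# fetched responses must be declared once at server scope.
apache_stapling_snippet() {
    cat <<'EOF'
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
<VirtualHost *:443>
    SSLEngine on
    SSLUseStapling on
</VirtualHost>
EOF
}

# Classify `openssl s_client -status` output read from stdin.
# Prints one of: stapled / missing / unknown.
# Exit status is 0 only when a successful OCSP response was stapled.
ocsp_staple_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled; return 0
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo missing; return 1
    else
        echo unknown; return 2
    fi
}

# Live check against a host (needs network; not run unless CHECK_HOST is set).
# Feeding `Q` to s_client makes it close the connection right after the
# handshake, which is all we need to see the Certificate Status message.
check_stapling() {
    host=$1
    printf 'Q\n' | openssl s_client -connect "$host:443" -servername "$host" \
        -status 2>/dev/null | ocsp_staple_status
}

# Constructed samples of the two outcomes as s_client prints them (trimmed;
# not captures from any real server).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
---
Certificate chain'

SAMPLE_MISSING='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# Usage: CHECK_HOST=example.com sh ocsp-staple-check.sh
if [ -n "${CHECK_HOST:-}" ]; then
    check_stapling "$CHECK_HOST"
fi
```

"missing" is the interesting result: the server completed the handshake but either has stapling off or (on nginx) has not yet fetched a response from the CA, since nginx populates its cache lazily after the first handshake, so a second run a few seconds later is worth trying before concluding the directive is absent.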

I'm a fan of cloudflare, but I'm disappointed they didn't thank or mention nginx in this blog post. Cloudflare uses nginx, which recently released OCSP support thanks to sponsorship from Comodo, DigiCert, and GlobalSign [1].

[1] http://nginx.org/en/CHANGES


That's very true, thanks to Maxim Dounin from Nginx [1] and Ryan Hurst [2] from GlobalSign.

Making SSL faster is really important to be able to support "full https" websites, with HSTS headers [3] and Alternate-Protocol: spdy [4][5].

Full disclosure: I do work for CloudFlare, and on this particular feature :)

[1] http://nginx.com/news/nginx-ocsp-stapling.html
[2] http://unmitigatedrisk.com/?p=100
[3] http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
[4] http://www.chromium.org/spdy/spdy-protocol/spdy-protocol-dra...
[5] http://blog.cloudflare.com/introducing-spdy
[6] ngxlua.org

But but but, cloudflare is making SSL 30% faster!@# :)

And they're launching 30 data centers (oh wait, they're deploying some machines in a DC...) and blah blah blah.

Sigh. Cloudflare is somewhat interesting, but very much still in the kiddie pool of CDNs.

Its goal isn't to be a fully featured CDN. CloudFlare is a whole suite of tools: use what you want, and if you have something better, use it with CloudFlare.

I wish there was a way to subscribe to just the technical posts on the CloudFlare blog, those are always informative. As it is, I can't even find a way to get an RSS feed for posts by particular authors.

Which browsers support this? I was under the impression that even the latest version of Chrome (22) doesn't have this.

As an aside, $200 per month for a CDN is pretty cheap; how are they not charging by bandwidth used?

They are set up to make use of cheap/peering bandwidth.

Very cool stuff. CloudFlare just keeps getting more and more awesome.
