The widely-used HTTPS protocol relies on Transport Layer Security (TLS) to enable users to browse websites correctly and confidentially. Verifying the validity of HTTPS certificates is essential, and the Online Certificate Status Protocol (OCSP) plays a key role in checking certificate validity. However, OCSP itself faces examinations due to issues such as delays and privacy concerns. Moreover, all components involved in the OCSP protocol—web server software, OCSP responders, and browsers—often fail to adequately support Active OCSP, OCSP Stapling, and OCSP Must-Staple. To explore the current state of the OCSP ecosystem, we conducted large-scale scans of domains in the Tranco list in October 2023 and November 2024, and performed a month-long evaluation of their corresponding OCSP responders in both periods. We analyzed the support for OCSP from browsers and web server software. We found that none of the components adequately supports OCSP: Most OCSP responders experienced inaccessibility, and no web server software fully and correctly supported OCSP Stapling. Furthermore, most browsers do not respect OCSP Must-Staple and often neglect OCSP revocation checks.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Exploring the HTTPS OCSP Ecosystem: A Comprehensive Study

  • HengSheng Wang,
  • ShuShang Wen,
  • Wei Wang

摘要

The widely-used HTTPS protocol relies on Transport Layer Security (TLS) to enable users to browse websites correctly and confidentially. Verifying the validity of HTTPS certificates is essential, and the Online Certificate Status Protocol (OCSP) plays a key role in checking certificate validity. However, OCSP itself faces examinations due to issues such as delays and privacy concerns. Moreover, all components involved in the OCSP protocol—web server software, OCSP responders, and browsers—often fail to adequately support Active OCSP, OCSP Stapling, and OCSP Must-Staple. To explore the current state of the OCSP ecosystem, we conducted large-scale scans of domains in the Tranco list in October 2023 and November 2024, and performed a month-long evaluation of their corresponding OCSP responders in both periods. We analyzed the support for OCSP from browsers and web server software. We found that none of the components adequately supports OCSP: Most OCSP responders experienced inaccessibility, and no web server software fully and correctly supported OCSP Stapling. Furthermore, most browsers do not respect OCSP Must-Staple and often neglect OCSP revocation checks.