Incapsula proxies now serve TLS certificates with online certificate status protocol (OCSP) stapling, which improves performance for TLS sites using the Incapsula Web Protection service. This eliminates the need for clients to contact the certificate authority (CA) on each request in order to check the revocation status of the certificate.
To understand the improvement, we must dig into the details of TLS interaction from your web browser. You will notice that the address of many web sites, such as www.incapsula.com, starts with HTTPS, rather than HTTP. This indicates that traffic to that site is encrypted, so that no one can eavesdrop on your communication with the site. The encryption is provided by the TLS protocol between your browser and the web server it is accessing.
A TLS certificate with the encryption keys must be provided and signed by a recognized certificate authority. This is great since it protects the user, but validity of the certificate must be ensured to preclude eavesdropping or attack. Since the certificate of a site can be revoked by the authority at any time, if it is compromised, the ongoing validity of the certificate must be checked at all times.
Traditionally this validation has been done on each access to the site. Using OCSP the client browser sends the certificate to the CA, not to the web server, and the CA responds with the status of the certificate.
This ensures validity, but has a number of disadvantages.
- These requests take time and increase the response time to your request. In other words, the page you want to view will appear more slowly since it negatively affects page load time.
- It places a significant burden on the CA which must respond to each request.
- It compromises your privacy and that of the site you are accessing, since the CA has knowledge of each site you are accessing.
To overcome these disadvantages while maintaining validity, the OCSP stapling standard provides another method to validate that the certificate has not been revoked. OCSP stapling is accomplished with these steps.
- The web server of the TLS encrypted site periodically, in the background, queries the CA, which responds with the certificate status (as it did prior to stapling) and a digitally signed time stamp.
- When a web browser connects to that server, the server responds with the TLS certificate (as it did prior to stapling), and attaches (hence the term “stapling”) the signed time stamp.
- With the time stamp, the browser verifies that the certificate is still valid.
You now have the equivalent functionality, without the overhead of multiple requests.
OCSP stapling is now implemented in the major browsers. Now that Incapsula has configured the WAF for OCSP stapling, you will benefit from the improved performance. If you are fortunate to already have TLS protection on your site, you will notice the performance improvement. If not, now is an opportune time to add TLS support to your site. You will benefit from the additional security, without the disadvantages of standard OCSP.
If you do not yet have the Incapsula web protection, there is now an additional reason to consider adding it.