Firefox 25 gets OCSP Stapling which improves privacy

firefox security ocsp require
Martin Brinkmann
Aug 1, 2013
Firefox
|
0

The Online Certificate Status Protocol (OSCP) is being used by Firefox to retrieve certificate information. This happens when you connect to a https website in the browser. What it does basically is ask a Certificate Authority (CA) whether the certificate of the server is genuine or if there are any problems associated with it.

Certificates can be revoked for example, for instance when a private key has been lost, the domain was transferred to a new owner, or if there has been a hiccup when it was issued.

Firefox currently handles this by doing the following:

  • Connects to a https website and receives the certificate of that site.
  • Communicates with the CA to find out whether the certificate is valid.
  • Connects to the site if it is, or not if it is not.

This works considerably well but has two distinct disadvantages. First, it is necessary to connect to the CA whenever a certificate needs to be verified. This not only adds another connection to the process, but also leaks to the CA which website you are visiting.

Second, if a connection to a CA cannot be established by the browser, it must either select to terminate the connection because it cannot verify the authenticity of the certificate, or connect to the site anyway even if there is a chance that the certificate has been retracted.

Firefox by default allows the connection to go through in this case. This is not ideal as noted, and you can modify that setting to change it to termination instead.

  1. Type about:config into the browser's address bar and hit enter.
  2. Search for security.OCSP.require.
  3. Double-click the entry to set it to true. The default value is false.

firefox security ocsp require

OCSP Stapling

The new OCSP Stapling feature that has just landed in Firefox Nightly resolves both issues. It moves the certification verification step to the website. A https server checks with a CA regularly if the certificate is ok, and will receive the information that it is or isn't from it.

When you connect to the site in question, you not only get the certificate in the transfer, but also the signed assertion of the CA. Firefox verifies the data and will connect to the site if everything looks alright, or won't if it does not.

If a site does not support OCSP Stapling, Firefox will fall back to OCSP instead. According to Mozilla, OSCP Stapling has been implemented into web servers such as Apache or nginx. It still needs to be enabled before it becomes available.

Advertisement

Related content

Firefox-maker Mozilla's boosted revenue significantly in 2023, but the financial report may also raise concern
Apple releases iCloud Passwords extension for Firefox, but only for macOS Sonoma

Apple releases iCloud Passwords extension for Firefox, but only for macOS Sonoma

How to enable Tab Groups in Firefox
Mozilla plans to use Firefox's installer to set it as the default browser on Windows 11

Mozilla plans to use Firefox's installer to set it as the default browser on Windows 11

Firefox 133 comes with Bounce Tracking Protection and other enhancements

Firefox 132: Mozilla paves way for 4K Netflix playback

Tutorials & Tips

How to fix OneTab not working in Firefox

What are Firefox Containers?

How to import tabs from Chrome to Firefox and vice versa


Previous Post: «
Next Post: «

Comments

There are no comments on this post yet, be the first one to share your thoughts!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.

Advertisement

Spread the Word

Advertisement

Advertisement

Recently Updated

Advertisement

About gHacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.

The name and logo of Ghacks are copyrights or trademarks of SOFTONIC INTERNATIONAL S.A.
Copyright SOFTONIC INTERNATIONAL S.A. © 2005- 2025 - All rights reserved