EV certificate nightmare
12-03-2015, 11:21 PM
Post: #3
RE: EV certificate nightmare
Hi Andreas,

We're facing a similar issue; the delay is not so dramatic, but still significant. You're absolutely right - it's about OCSP, and yes - enabling stapling on your server will remove just one request that the browser will not make. It'll however still contact OCSP servers and check the validity of all the other certificates in the chain.

You can observe it if you enable tcpdump logging (in WBT), or you can change the browser engine to Firefox on WBT - then you'll be able to see the individual OCSP requests the browser makes in the background (http). Which brings me to a different issue - debugging OCSP is HARD, on desktop browsers you can't see that OCSP traffic at all.

I checked your site - and the delay is not so dramatic now - so maybe it was a networking issue, from your location to the OCSP servers.

Test here:
http://www.webpagetest.org/result/151203_NE_N6A/

This test is using Firefox, so you can see the individual OCSP requests; in your case there are two. In case of increased latency, you can use Firefox to debug which OCSP server is slowing you down. You can also visit:

http://uptime.netcraft.com/perf/reports/...mance/OCSP

Then you could contact your cert provider and work out the solution.

To see the current latency of all OCSP servers monitored from several locations in the world, but unfortunately, not from Russia.

In a nutshell, when using EV certs - the browser seems to be more aggressive with checking the OCSP states before continuing with the connection. I guess the browser wants to make sure that everything is valid before sending the request, which might potentially include some user credentials for example.

So, yeah, seems the EV will slow things down. Have a look here, I made a comparison between an EV (OCSP stapling: yes) site and a non-EV site (OCSP stapling: yes) of my own domain.

The only difference was the certificate.

With EV:
http://www.webpagetest.org/result/151203...1/details/

Without EV (cheap'o $9 cert):
http://www.webpagetest.org/result/151203...1/details/

In the end: "price" for the green bar (EV) is 400ms. Is it worth it?

Cheers,
Arek
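
The per-responder debugging described in the post above can be scripted. The following is an added example, not part of the original post: it reads HAR-style request entries (such as a waterfall exported from a Firefox test run), picks out OCSP traffic by its RFC 6960 media types, and ranks responders by time spent. The hostnames and timings in the sample are constructed, and the function names are illustrative.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Media types defined for OCSP over HTTP (RFC 6960).
OCSP_TYPES = ("application/ocsp-request", "application/ocsp-response")

# Constructed sample: HAR-style entries; hosts and timings are made up.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "POST", "url": "http://ocsp.ca-one.example/", "headers": [
        {"name": "Content-Type", "value": "application/ocsp-request"}]},
     "response": {"content": {"mimeType": "application/ocsp-response"}},
     "time": 310.0},
    # GET-form OCSP: no request body, only the response type identifies it.
    {"request": {"method": "GET", "url": "http://ocsp.ca-two.example/MFEwTzBN",
                 "headers": []},
     "response": {"content": {"mimeType": "application/ocsp-response"}},
     "time": 95.0},
    {"request": {"method": "GET", "url": "https://www.site.example/", "headers": []},
     "response": {"content": {"mimeType": "text/html; charset=utf-8"}},
     "time": 180.0},
]}})

def is_ocsp(entry):
    """True if the request or the response carries an OCSP media type."""
    types = [h["value"] for h in entry["request"].get("headers", [])
             if h["name"].lower() == "content-type"]
    types.append(entry["response"].get("content", {}).get("mimeType", ""))
    return any(t.split(";")[0].strip().lower() in OCSP_TYPES for t in types)

def ocsp_latency_by_host(har_text):
    """Return [(host, requests, total_ms, worst_ms)], slowest responder first."""
    stats = defaultdict(lambda: [0, 0.0, 0.0])
    for entry in json.loads(har_text)["log"]["entries"]:
        if not is_ocsp(entry):
            continue
        elapsed = float(entry.get("time", 0.0))
        row = stats[urlsplit(entry["request"]["url"]).hostname]
        row[0] += 1
        row[1] += elapsed
        row[2] = max(row[2], elapsed)
    return sorted(((h, n, total, worst) for h, (n, total, worst) in stats.items()),
                  key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for host, n, total, worst in ocsp_latency_by_host(SAMPLE_HAR):
        print(f"{host}: {n} request(s), total {total:.0f} ms, worst {worst:.0f} ms")
```
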


Messages In This Thread
EV certificate nightmare - AndreasLoew - 11-21-2015, 09:37 AM
RE: EV certificate nightmare - GreenGecko - 11-23-2015, 10:54 AM
RE: EV certificate nightmare - agoralski - 12-03-2015 11:21 PM
