What is OCSP?
A well-known saying goes: Trust is good, control is better. This is especially true in the field of data security and privacy on the internet. Even though encrypting communication with an SSL certificate is now standard practice, it does not guarantee absolute security. If the certificate has expired, the data traffic is no longer protected. The network protocol OCSP provides a way to validate the status of a certificate.
What is OCSP?
The Online Certificate Status Protocol (OCSP) is a network protocol for determining the status of an SSL certificate. A request is sent to an OCSP responder, usually a server operated by the certificate issuer.
The responder can answer the request with one of the following statuses:
- good: The certificate is not revoked.
- revoked: The certificate is invalid or has been revoked.
- unknown: The certificate's status is unknown. This can happen if the issuer is not known to the responder.
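The three statuses above are a CHOICE inside the DER-encoded response the responder sends back. The following added example (not code from the article) constructs sample OCSP responses locally for a made-up serial number 4660 with placeholder issuer hashes and a placeholder signature, walks the DER structure the way a client would to pull out the status, and applies a simple client policy. It goes slightly beyond the list above in that it also checks the response's thisUpdate/nextUpdate window, so that an old "good" answer is not accepted after it has expired. Signature verification is left out on purpose; a real client must verify the BasicOCSPResponse signature against the issuer or its delegated responder certificate before using the status.

```python
"""Walk a DER-encoded OCSPResponse (RFC 6960) and apply a client-side verdict.
Added illustration, not the article's code: the sample responses are constructed
locally with placeholder hashes and a placeholder signature. A real client must
verify the BasicOCSPResponse signature (issuer or delegated responder) first."""
from datetime import datetime, timedelta, timezone

SEQ, INT, BITSTR, OCTET, NULL, OID, ENUM, GENTIME = 0x30, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0A, 0x18
ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # 1.3.6.1.5.5.7.48.1.1
SHA1, SHA256_RSA = bytes.fromhex("2b0e03021a"), bytes.fromhex("2a864886f70d01010b")
# CertStatus ::= CHOICE { good [0] IMPLICIT NULL, revoked [1] IMPLICIT RevokedInfo, unknown [2] IMPLICIT NULL }
STATUS_TAGS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the constructed samples

def tlv(tag: int, content: bytes) -> bytes:  # minimal DER encoder, used only for the samples
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def der_int(n: int) -> bytes:  # minimal INTEGER encoding with the sign bit clear
    return tlv(INT, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def der_time(t: datetime) -> bytes:
    return tlv(GENTIME, t.strftime("%Y%m%d%H%M%SZ").encode("ascii"))

def build_response(serial: int, status: str, this_update: datetime, next_update: datetime) -> bytes:
    """OCSPResponse{successful} wrapping a BasicOCSPResponse with one SingleResponse."""
    cert_id = tlv(SEQ, tlv(SEQ, tlv(OID, SHA1) + tlv(NULL, b""))        # hashAlgorithm
                  + tlv(OCTET, b"\x11" * 20) + tlv(OCTET, b"\x22" * 20)  # issuerNameHash, issuerKeyHash
                  + der_int(serial))
    if status == "good":
        cert_status = tlv(0x80, b"")
    elif status == "revoked":
        cert_status = tlv(0xA1, der_time(this_update - timedelta(days=1)))  # RevokedInfo.revocationTime
    else:
        cert_status = tlv(0x82, b"")
    single = tlv(SEQ, cert_id + cert_status + der_time(this_update) + tlv(0xA0, der_time(next_update)))
    tbs = tlv(SEQ, tlv(0xA2, tlv(OCTET, b"\x22" * 20)) + der_time(this_update) + tlv(SEQ, single))
    basic = tlv(SEQ, tbs + tlv(SEQ, tlv(OID, SHA256_RSA) + tlv(NULL, b"")) + tlv(BITSTR, b"\x00" * 9))
    return tlv(SEQ, tlv(ENUM, b"\x00") + tlv(0xA0, tlv(SEQ, tlv(OID, ID_PKIX_OCSP_BASIC) + tlv(OCTET, basic))))

def read_tlv(buf: bytes, pos: int = 0):  # returns (tag, content, end) for the element at buf[pos]
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                                     # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content: bytes) -> list:
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def parse_time(body: bytes) -> datetime:
    return datetime.strptime(body.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_response(der: bytes) -> dict:
    """Extract responseStatus plus status, serial and freshness window of the first SingleResponse."""
    parts = children(read_tlv(der)[1])
    result = {"response_status": RESPONSE_STATUS.get(parts[0][1][0], "unrecognised")}
    if result["response_status"] != "successful":
        return result                                      # responseBytes is absent on errors
    oid, basic = children(children(parts[1][1])[0][1])     # [0] EXPLICIT -> ResponseBytes
    if oid[1] != ID_PKIX_OCSP_BASIC:
        raise ValueError("unsupported response type")
    tbs = children(children(read_tlv(basic[1])[1])[0][1])  # tbsResponseData (version is DEFAULT v1, absent in DER)
    single = children(children(tbs[2][1])[0][1])           # responses[0]
    status_tag, status_body = single[1]
    result.update(serial=int.from_bytes(children(single[0][1])[3][1], "big", signed=True),
                  cert_status=STATUS_TAGS[status_tag],    # KeyError on an unknown CHOICE tag
                  this_update=parse_time(single[2][1]), next_update=None)
    if len(single) > 3 and single[3][0] == 0xA0:
        result["next_update"] = parse_time(children(single[3][1])[0][1])
    if status_tag == 0xA1:
        result["revocation_time"] = parse_time(children(status_body)[0][1])
    return result

def verdict(parsed: dict, now: datetime, skew: timedelta = timedelta(minutes=5)) -> str:
    """Client policy: only a fresh, successful 'good' answer lets the connection proceed."""
    if parsed["response_status"] != "successful":
        return "no-answer"  # responder error: never treat as 'good'; hard-fail or fall back to a CRL
    if parsed["this_update"] > now + skew:
        return "stale"      # dated in the future: clock problem or tampering
    if parsed["next_update"] is not None and now > parsed["next_update"] + skew:
        return "stale"      # past nextUpdate: an old 'good' answer must not be reused
    return {"good": "proceed", "revoked": "reject", "unknown": "undetermined"}[parsed["cert_status"]]

FRESH = (NOW - timedelta(hours=1), NOW + timedelta(days=1))
SAMPLES = {  # constructed responses for serial 4660; "replayed" is a 'good' answer past its nextUpdate
    "good": build_response(4660, "good", *FRESH), "unknown": build_response(4660, "unknown", *FRESH),
    "revoked": build_response(4660, "revoked", *FRESH), "tryLater": tlv(SEQ, tlv(ENUM, b"\x03")),
    "replayed": build_response(4660, "good", NOW - timedelta(days=10), NOW - timedelta(days=3))}

def demo() -> dict:  # maps each sample to the client's verdict
    return {name: verdict(parse_response(der), NOW) for name, der in SAMPLES.items()}
```

Running `demo()` yields `proceed` only for the fresh "good" sample; "revoked" is rejected, "unknown" is left undetermined rather than being treated as good, the responder error gives no answer, and the expired "good" answer is reported as stale. The point of the policy function is that anything other than a fresh, successful "good" is not a pass.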
What does it mean when certificates are revoked?
Why are certificates revoked?
When a website is encrypted via SSL, its certificate is secured with a public and a private key. Some basic data about the certificate owner is also stored in the Certificate Signing Request (CSR). When a browser accesses an encrypted website, it sends a request to the certification authority, which confirms the certificate's validity using the public key.
The browser validates the SSL certificate automatically. However, it is possible that attackers have obtained the certificate and are redirecting responses.
If this happens, the issuer (one of the many certification authorities) is required to revoke the certificate immediately. The client accessing the website, however, cannot verify this if the response expected from the certification authority has been manipulated. The browser's request could then be redirected to an external server that poses as the responsible certification authority. In such a scenario the data traffic would no longer be secure and could be intercepted by third parties.
The Application of the OCSP Network Protocol
Certification authorities usually also offer a validation service: after a certificate has been revoked, its updated status is stored on the OCSP responder.
A user who wants to check the status of a certificate sends a request to the OCSP responder over the protocol. Based on the response received, the user can assess the status and trustworthiness of the certificate.
The OCSP Network Protocol and Its Limitations
While OCSP can determine the status of individual SSL certificates, the protocol cannot provide comprehensive information about their validity. Other factors come into play that have to be checked separately.
These factors include:
- Validity Period: SSL certificates have a limited validity period. If this period is exceeded, the website is no longer secure.
- Certification Path: The certification path reveals the hierarchy of the certification authorities involved. Only trusted parties should be found here.
OCSP is an effective tool for verifying an SSL certificate. On its own it does not provide absolute security, but it significantly reduces the risk of being harmed by a compromised certificate.
Image Credit: Gerd Altmann on Pixabay