(4 votes, average: 5.00 out of 5)
Loading...OCSP vs. CRL: What is the Difference?
(4 votes, average: 5.00 out of 5)Loading...
Browsers verify the validity of a website’s TLS certificate before connecting to it, and they display a warning message if the certificate has been revoked. OCSP, CRLs, OCSP must-staple, and OCSP stapling are revocations status-checking techniques browsers use. This article analyses and compares two techniques, named CRL vs OCSP.
The Certificate Authority (CA) that issues each SSL/TLS certificate (Certera, Comodo or Sectigo) assigns an expiration date to every certificate. However, a CA can revoke certifications early in specific situations. A website with a revoked certificate is considered insufficiently trustworthy, and most browsers will warn users about it or prevent them from accessing it.
However, here the query is – how can online users identify whether the website’s certificate has been revoked? Two frequently used methods for determining the status of TLS certificate revocation are OCSP (the online certificate status protocol) and CRLs (certificate revocation lists). Although OCSP is utilized more frequently, CRLs are still in use.
Let’s focus on the difference between OCSP and CRLs.
What is CRL?
A Certification Revocation List (CRL) is a collection of digital certificates that the issuing Certificate Authority (CA) has revoked before the intended expiration date and, as a result, is no longer reliable or trusted.
The CA Security Council describes a CRL as “A digitally signed file including a collection of revoked certificates that haven’t yet expired.”
A CRL is defined by RFC 5280 as “a time-stamped and signed data structure that a certificate authority (CA) or CRL issuer constantly issues to communicate the revocation status of affected digital certificates.“
In simple words, a Certificate Revocation List is an endless list of websites with SSL certificates that have been revoked, and it is created and updated regularly by the issuing certificate authority. The URL for the list is distributed using a certificate extension called a CRL Distribution Point (CDP), where CAs store their CRLs. For client browsers intending to connect to the specified sites, this URL makes the CRLs accessible.
The general scenario will be like this; a client browser approaches the issuing CA of the site certificate for the CRL whenever it seeks to connect to a website. The browser then checks the list to see if the web server certificate’s serial number exists:
- The certificate is legitimate; the browser will permit the connection if it is not on the list.
- The browser will display a warning that accessing the site could be harmful if the certificate serial number is on the list, indicating that the certificate was recently revoked. Many current browsers won’t even attempt to connect in this type of scenario.
What is OCSP?
The Online Certificate Status Protocol (OCSP) is an approach for notifying consumers about revoked certificates. OCSP is an internet-based protocol that allows apps to check the status of specified certificates’ revocation without requiring Certificate Revocation Lists (CRLs). Compared to CRLs, OCSP allows for more immediate information on revocation status.
With the OCSP, the OCSP responder or OCSP server communicates the requested TLS certificate’s status. Three different certificate categories or types are possible:
- Good: Your web browser will connect to the website since the TLS certificate is legitimate.
- Revoked: The TLS certificate was revoked, resulting in a warning from the browser and a possible connection failure- referred to as a “hard fail.”
- Unknown: The OCSP responder failed to respond; therefore, depending on the browser and its setup, the browser may or may not make a connection. – referred to as a “soft fail.”
- When a client browser attempts to connect to a website with a revoked certificate, it will display “Your Connection is not Private.”
See this warning from your customer’s perspective – it is undoubtedly not a pleasant sight. Your website is unsafe, which exposes any data you (as a client) provide with that website in threat of man-in-the-middle (MitM) attacks. If prospective customers or clients get such cautionary statements, it might turn them off. And once that happens, they’ll be more inclined to give their business to other companies.
Differences between CRL vs OCSP
We understand the terms “OCSP” and “CRL.” Now let’s compare the characteristics of CRLs and OCSP.
As we know, CRL and OCSP are approaches used to determine TLS certificate status. There are a few differences between CRL vs OCSP.
Primary Duty
The client’s browser oversees checking the TLS certificate’s status in both techniques. When using the CRL technique, the browser communicates with the CRL distribution point, and when using OCSP, the client communicates with the OCSP responder. Therefore, the browser has accountability/responsibility for verification in both cases.
The Methodology
The CA, which constantly publishes a list of revoked certificates, maintains the CRL. Clients must download the CRL to determine if a certificate has been revoked. However, to check the certificate’s status, OCSP requires direct communication between the client and the OCSP responder.
Fastness and Resources
The browser must download all revoked certificates to find the certificate serial number through the CRL approach. Consequently, the procedure could take longer than simply checking OCSP for a single certificate’s revocation state. Since downloading the response for a single website requires fewer network resources than downloading the CRL, OCSP is less resource-intensive competitively.
Communication Issues
We’ve all experienced situations where our internet connections have crashed. Consequently, what will occur if the responder’s network is down for any reason? Due to the responder’s “unknown” response, connections with OCSP are likely to be terminated. CRLs, however, are stored offline after they are obtained, so the browser may access them frequently without requiring re-establishing a connection with the CA.
A Quick Comparison Table of the Two Revocation Checking Approaches: OCSP vs CRL
The difference between OCSP vs CRL is listed below.
| OCSP | CRL |
| Specifies only the website’s revocation information for the requested one. | Displays all certificates that a CA has revoked. |
| Checks fewer URLs at once, using fewer network resources. | Checks a single URL using more network resources than OCSP. |
| CRL provides a comprehensive list of revoked certificates. | OCSP only provides the state of a particular certificate’s revocation. |
| Verifying the revocation status of a certificate for a specific site requires less time than using CRLs. | Revocation status verification requires more time than OCSP to examine the certificate for a specific site. |
| Continuous updates are available | It does not offer immediate updates on the status of a TLS certificate’s revocation |
Wrap UP
Before connecting to a website, browsers verify the validity of the SSL/TLS certificate for that website. This article gives Comprehensive details on “Certificate Revocation List vs OCSP.” Both approaches are crucial tools for verifying the authenticity of digital certificates; they are used to check the revocation status of TLS certificates. Nevertheless, how they perform differs significantly.
OCSP provides the revocation status of the specific website the browser requested, whereas a CRL displays all the revoked certificates. The organization’s needs and the specific demands of the application will determine which option is best. While OCSP offers revocation checking that is simpler and more efficient, CRL offers a list of revoked certificates that is more detailed and comprehensive.
For various applications and circumstances, each technique undoubtedly offers benefits and drawbacks. However, as OCSP becomes the industry standard, CRLs are becoming considerably less used.
