I was testing one of the websites and found some extra requests in Firefox,
Like -
https://search.servi…S/SG/default/default
http://ocsp.entrust.net/
http://ocsp.digicert.com/
These requests aren’t included in page, also they do not appear when I tested same web page from different browsers (IE and Chrome) on same machine.
Also will blocking these requests for the run would help?
Please take a look -
http://www.webpagetest.org/result/151227_1K_f38b82b45e35c8b4f1dc48e4804da710/1/details/
Firefox (and all browsers) implement what’s called as OCSP stampling. This article explains the behavior: OCSP Stapling in Firefox - Mozilla Security Blog. It looks like the Firefox has been hardened to verify the TLS cert validity.
tl;dr; - The income tax site is not sending the certificate validity information and FF is defaulting to the OCSP check. This can be disabled through the browser’s “about:config” setting. This will not be possible on WPT public instance.
For your use case, you could just block the domain and re-test. However, I’d suggest you to not do this. My suggestion would be to run 2 tests with the OCSP domains blocked and not blocked. You should consider both the response since some browsers (esp those behind corporate proxies) would be hardened to check for OCSP signatures.