EV certificate nightmare

Hi,

I’ve recently added EV certificates to my page - because I thought it would improve the quality of my webpage.

I now found out that they add a big delay of up to 22s in China, Russia and India until the first byte is sent. I am not talking about milliseconds - I am talking about seconds!

It’s looking like this: DNS lookup, pause, transfer:
http://www.webpagetest.org/result/151120_YK_XFG/
http://www.webpagetest.org/result/151120_28_H1J/
http://www.webpagetest.org/result/151120_6T_DGN/

It’s not from all locations - e.g. NY is fine:
http://www.webpagetest.org/result/151120_7R_Y91/1/details/

I first thought the problems were on my side - but it’s the same problem on different pages, different certificates. Here are some examples - including Apple’s https page:
http://www.webpagetest.org/result/151120_7C_12BP/
http://www.webpagetest.org/result/151120_V9_102E/

I meanwhile found out that the issue is related to OCSP - which is used to check if the webpage’s certificate was revoked.

The browser does several checks to validate - each of them takes up to 5 seconds. Since all the services run with the same time it seems that the validations run into a timeout.

I’ve contacted GlobalSign - the issuers of my certificate - they confirm the problems.

They propose a technique called OCSP stapling but it does not solve the issue. The problem is that the EV certificates contain 3 levels. And even if you use stapling the intermediate certificate is still validated. It reduces the time to about 14 seconds.

The problem for me is that you simply can’t do anything. The user just sees a white screen. You can’t react to it because it’s even before your web page sends the first byte of data.

The only good news is: After the certificate is validated things seem to go smooth. The data is sent within 1s. It’s just the first validation.

Does anybody have an idea what to do? I mean: Except for not using the EVs?

Best
Andreas

You can add your intermediate certs to your cert info.

Here’s some basic info on setting it all up… Digital Ocean are great at this sort of thing.

Hi Andreas,

We’re facing a similar issue, however the delay is not so dramatic, but still significant. You’re absolutely right - it’s about OCSP, and yes - enabling stapling on your server will remove just one request, that the browser will not make. It’ll however still contact OCSP servers and check the validity of all the other certificates in the chain.

You can observe it if you enable tcpdump logging (in WBT), or you can change the browser engine to Firefox on WBT - then you’ll be able to see the individual OCSP requests the browser makes in the background (http). Which brings me to a different issue - debugging OCSP is HARD, on desktop browsers you can’t see that OCSP traffic at all.

I checked your site - and the delay is not so dramatic now - so maybe it was a networking issue, from your location to the OCSP servers.

Test here:
http://www.webpagetest.org/result/151203_NE_N6A/

This test is using Firefox, so you can see the individual OCSP requests; in your case there are two. In case of increased latency, you can use Firefox to debug which OCSP server is slowing you down. You can also visit:

http://uptime.netcraft.com/perf/reports/performance/OCSP

to see the current latency of all OCSP servers monitored from several locations in the world, but unfortunately, not from Russia.

Then you could contact your cert provider and work out the solution.

In a nutshell, when using EV certs the browser seems to be more aggressive with checking the OCSP states before continuing with the connection. I guess the browser wants to make sure that everything is valid before sending the request, which might potentially include some user credentials, for example.

So, yeah, seems the EV will slow things down. Have a look here, I made a comparison between an EV site (OCSP stapling: yes) and a non-EV site (OCSP stapling: yes) of my own domain.

The only difference was the certificate.

With EV:
http://www.webpagetest.org/result/151203_KG_PQQ/1/details/

Without EV (cheap’o $9 cert):
http://www.webpagetest.org/result/151203_NA_PYF/1/details/

In the end: “price” for the green bar (EV) is 400ms. Is it worth it?

Cheers,
Arek
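Both posts above come down to the same diagnostic question: which OCSP responders will a client have to reach before the first byte, and does the server staple the leaf's response? The script below is an added example (not posted by anyone in this thread and not from any cert vendor's documentation). It splits a served PEM chain into its individual certificates, prints the OCSP responder URL from each certificate's AIA extension, checks a live server for a stapled response, and times a single OCSP lookup the way a client would perform it. It assumes `openssl` and `awk` are installed; all host names used in comments and in the `probe`/`time` examples are placeholders.

```shell
#!/bin/sh
# Added example, not from the forum thread. Lists the OCSP responder of every
# certificate in a chain bundle (leaf first, then intermediates) and reports
# whether a server staples. Stapling only covers the leaf; every other line
# printed by ocsp_responders is a responder the client may still contact
# itself, which is the residual delay Arek describes.
# Assumes: openssl and awk on PATH. Host names are placeholders.

# Split a PEM bundle into cert-1.pem, cert-2.pem, ... inside $2.
split_chain() {            # $1 = bundle.pem, $2 = output directory
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }' "$1"
}

# Print "<subject><TAB><ocsp-uri>" for each cert in the bundle that carries an
# AIA OCSP entry, in bundle order (the leaf comes first in a served chain).
ocsp_responders() {        # $1 = bundle.pem
    dir=$(mktemp -d)
    split_chain "$1" "$dir"
    for cert in "$dir"/cert-*.pem; do
        uri=$(openssl x509 -in "$cert" -noout -ocsp_uri)
        [ -n "$uri" ] || continue          # roots usually have no responder
        subj=$(openssl x509 -in "$cert" -noout -subject)
        printf '%s\t%s\n' "$subj" "$uri"
    done
    rm -rf "$dir"
}

# Fetch the chain a live server sends, say whether the handshake carried a
# stapled OCSP response, then list the responders. Needs network access.
probe_server() {           # $1 = host, $2 = port (default 443)
    port=${2:-443}
    bundle=$(mktemp)
    # -showcerts prints every cert the server sent; -status requests a staple.
    openssl s_client -connect "$1:$port" -servername "$1" -showcerts -status \
        </dev/null 2>/dev/null > "$bundle"
    if grep -q 'OCSP Response Status: successful' "$bundle"; then
        echo "stapling: yes (leaf OCSP response delivered in the handshake)"
    else
        echo "stapling: no (client must fetch the leaf's OCSP response itself)"
    fi
    ocsp_responders "$bundle"
    rm -f "$bundle"
}

# Time one OCSP lookup as a client would do it. Needs network access.
# -noverify skips response signature checks so no trust store is required.
time_ocsp() {              # $1 = issuer.pem, $2 = cert.pem, $3 = responder URL
    start=$(date +%s)
    openssl ocsp -issuer "$1" -cert "$2" -url "$3" -noverify >/dev/null 2>&1
    echo "$3: $(( $(date +%s) - start ))s"
}

case "${1:-}" in
    chain) ocsp_responders "$2" ;;
    probe) probe_server "$2" "${3:-443}" ;;
    time)  time_ocsp "$2" "$3" "$4" ;;
    *)     echo "usage: $0 chain BUNDLE.pem | probe HOST [PORT] | time ISSUER.pem CERT.pem URL" >&2 ;;
esac
```

Run `probe www.example.test` (placeholder host) against your own server: a "stapling: no" line means the client fetches the leaf's status itself, and every responder listed after the first line is one the client contacts regardless of stapling, so the number of lines is roughly the number of round trips to OCSP servers before the first byte. Feed the issuer and certificate files from the split chain into `time` to see which responder is slow from your vantage point, which is the same thing the Netcraft report shows from its own locations.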