Loading…
Back To Schedule
Wednesday, January 25 • 3:00pm - 3:50pm
OCSP Stapling in the Wild

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Certificate revocation is a messy problem; certificate revocation lists and mid-handshake OCSP checks have proven unworkable in practice. The dream of TLS certificate revocation is Must-Staple: an extension in a certificate indicating that it can only be used alongside a stapled OCSP (Online Certificate Status Protocol) response indicating that the certificate hasn’t been revoked. If a Must-Staple certificate is compromised, the attacker can only use it for the short time window until the current OCSP response expires. But is the world ready for Must-Staple yet? Unreliable OCSP servers, buggy stapling implementations, and client and network misconfigurations (from mismatched clocks to MITM proxies) all present challenges. This talk examines the state of the world of OCSP stapling and describes Dropbox’s implementation of OCSP Stapling. To gather real data on the feasibility of deploying OCSP stapling, we will discuss the data we gathered from a Chrome feature called Expect-Staple, which is a report-only version of OCSP Must-Staple that lets us evaluate how well OCSP Must-Staple might work in the real world.

Speakers
avatar for Devdatta Akhawe

Devdatta Akhawe

Engineering Manager, Dropbox
Devdatta leads the Product Security team at Dropbox. Before that, he received a PhD in Computer Science from UC Berkeley. His graduate research focused on browser and web application security, during which time he also collaborated with the Firefox and Chrome teams.  He is a co-author... Read More →
avatar for Emily Stark

Emily Stark

Software Engineer, Google Inc.
Emily is a software engineer and manager working on the Google Chrome web browser. She leads Chrome’s secure transport team, which provides a foundation of trustworthy, understandable encrypted and authenticated connections for the web. She works on HTTPS adoption, certificate verification... Read More →



Wednesday January 25, 2017 3:00pm - 3:50pm PST
Sand and Sea Room