TLS 1.3 and OCSP Stapling - Two Ways to Make HTTPS Sites Faster

For the last few years, the move towards encrypted browsing over HTTPS has been one of the most important developments on the Internet. With free SSL certificates from Let’s Encrypt and Google openly promoting HTTPS over the more widespread but insecure HTTP, more and more sites have started to use SSL certificates.

We at SiteGround are very excited to announce that two recent developments in this area, TLS 1.3 and OCSP Stapling, both of which make HTTPS sites faster, are already available on all our servers. Read below to learn how people using SSL will benefit from these innovations.

What is TLS 1.3?

The Transport Layer Security (TLS) protocol is the successor to the Secure Sockets Layer (SSL) protocol and is used by all sites that have an SSL certificate. (Strictly speaking these should be called TLS certificates, but SSL turned out to be such a popular abbreviation that it stayed, even after the original SSL protocol was no longer used.) TLS provides secure communication between browsers and servers: at the start of each session the two sides perform the TLS handshake, which negotiates a shared secret, and the connection is then encrypted with keys derived from that secret.

The TLS protocol has gone far too long without a significant update which is why version 1.3 is very welcome news industry-wide. There are two main parts of that update that will improve the web as a whole:

A faster handshake

Performance is important, and with the growing percentage of encrypted sites, web encryption has to be as fast as possible. TLS 1.3 streamlines the handshake, the negotiation that establishes a secure connection between a website and a browser. A full TLS 1.3 handshake completes in one round trip instead of the two that TLS 1.2 needs, so encrypted connections are established faster.

Better security

TLS 1.3 removes the obsolete and vulnerable algorithms that TLS 1.2 still permitted, including SHA-1, RC4, DES, 3DES, AES-CBC, MD5, and more.

How to enable and use TLS 1.3

You don’t have to do anything to use TLS 1.3, except wait for the browsers to start supporting it. All sites hosted at SiteGround are enabled with TLS 1.3, so no matter what browser is accessing your site and whether or not it uses TLS 1.3, you’ll know your site is ready. The moment major browsers release an update in which they default to TLS 1.3, it will immediately start working for your encrypted sites without any hassle at all.

What is OCSP Stapling?

All our shared and cloud servers now use OCSP (Online Certificate Status Protocol) stapling, which helps keep user information secure while decreasing loading time. Instead of every browser contacting the Certificate Authority's OCSP server to check whether the certificate has been revoked, the web server fetches that signed status response itself and delivers ("staples") it to the browser during the TLS handshake. This improves loading speed for all SSL encrypted connections.

How does it make your site faster?

Each time you make a request to a page via HTTPS, the validity of the SSL certificate is checked. Certificates are issued by Certificate Authorities (CAs), and on each request the browser checks whether the certificate is still valid, which normally means a separate round trip to the CA's OCSP responder. With OCSP Stapling enabled, the server periodically obtains the CA's signed response and includes it in the handshake, so your visitors’ browsers don't have to make that extra request on every connection.

How to use OCSP Stapling?

If you are on one of our shared or cloud accounts, you're already getting all the benefits of OCSP Stapling for your sites with an SSL certificate enabled. Our DevOps team has rolled out an update on all our servers, enabling the technology for everyone. All you need to do is sit back and enjoy fast and secure web performance on your sites.
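The two checks a site owner would actually want to make after reading the sections above are whether the server negotiates TLS 1.3 and whether it sends a fresh OCSP staple. The following added example (not part of the original post or of SiteGround's tooling) parses the text that `openssl s_client -status` prints and reports both, treating a stale or non-"good" staple as a failure; the sample output embedded in it is constructed, not captured from any real host.

```python
"""Audit `openssl s_client -status` output for TLS 1.3 and a fresh OCSP staple."""
import re
from datetime import datetime, timezone

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"  # OpenSSL prints e.g. "Nov 19 06:46:07 2018 GMT"
# Constructed reference time for the samples below (one day after "This Update").
CHECK_TIME = datetime(2018, 11, 20, tzinfo=timezone.utc)


def parse_openssl_time(value: str) -> datetime:
    """Parse an OpenSSL GMT timestamp (single-digit days are space padded)."""
    return datetime.strptime(" ".join(value.split()), OPENSSL_TIME).replace(tzinfo=timezone.utc)


def audit_s_client(output: str, now: datetime) -> dict:
    """Report negotiated protocol and whether a good, unexpired OCSP staple was sent."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    result = {"protocol": proto.group(1) if proto else None, "stapled": False,
              "cert_status": None, "next_update": None, "fresh": False}
    result["tls13"] = result["protocol"] == "TLSv1.3"
    # Without a staple the browser would have to ask the CA's responder itself.
    if "OCSP response: no response sent" in output:
        return result
    status = re.search(r"Cert Status:\s*(\w+)", output)
    nxt = re.search(r"Next Update:\s*(.+)$", output, re.M)
    if not (status and nxt):
        return result  # malformed or truncated response: treat as not stapled
    result.update(stapled=True, cert_status=status.group(1),
                  next_update=parse_openssl_time(nxt.group(1)))
    # Clients reject a staple past its Next Update, so freshness matters as much as presence.
    result["fresh"] = result["cert_status"] == "good" and result["next_update"] > now
    return result


# Constructed samples modelled on s_client's output layout; not captured from a real host.
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Nov 19 06:46:07 2018 GMT
    Next Update: Nov 23 06:46:07 2018 GMT
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""
SAMPLE_NO_STAPLE = """\
OCSP response: no response sent
SSL-Session:
    Protocol  : TLSv1.2
"""
```

In practice the input is `echo QUIT | openssl s_client -connect host:443 -status 2>/dev/null`; a server that has not yet completed its first background OCSP fetch will show "no response sent" until it has, which is the warm-up behaviour described in the comments below.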

Product Development - Technical

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

10 Comments

  1. Eric (October 10, 2018 / 09:24)

    Great news indeed! Faster sites are always appreciated by all.

  2. Bill (October 10, 2018 / 11:19)

    Yes, thank you for staying on top of these advances to make our sites as fast and secure as possible, and for keeping us informed.

  3. Jukka (October 11, 2018 / 14:18)

    Thanks!

  4. JohnRichardTLH (October 12, 2018 / 05:27)

    Great update!

    However, as of 11/12/18, we're still seeing TLS 1.2 on our https websites hosted at SiteGround, and even SiteGround's home page (https://SiteGround.com).

    I've confirmed my computer and browser are TLS 1.3 capable.
    Running Windows 10/1803.

    To Test:
    In GoogleChrome, go to https://istlsfastyet.com, F12, Security Tab, shows TLS 1.3
    In our websites & SiteGround.com, same steps reveal TLS 1.2

    Can you confirm that TLS 1.3 is enabled on all SiteGround Sites, or are you rolling it out? Is there anything we need to do in our Site Settings?

    Thanks

    • Hristo Pandjarov, SiteGround Team (October 12, 2018 / 05:48)

      SiteGround.com is hosted on a server infrastructure different from our shared packages; it's updated through a completely different deployment workflow and has a highly customized setup in order to accommodate all our needs.

      This said, TLS 1.3 Final is enabled on all our accounts. As I've mentioned in the blog post, what Google Chrome calls TLS 1.3 is not the final version and you might get false checks. Here's an accurate test of my personal site hosted on a regular SiteGround account. There's nothing you need to do but wait for browsers to catch up and start supporting it natively 🙂

      https://dev.ssllabs.com/ssltest/analyze.html?d=pandjarov.com&hideResults=on

  5. Eric McGrane (October 25, 2018 / 08:26)

    Siteground, leading the way as usual. Thanks for everything.

  6. Jackstin (October 30, 2018 / 16:51)

    Hey Hristo - This is awesome news.

    Unfortunately, with the latest version of Chrome 70 we are getting this error:
    ERR_SSL_VERSION_INTERFERENCE

    We have a support ticket in with the help desk and we can't seem to find a tech support agent to help mitigate this issue. Would you mind poking your head into support ticket #2892753 and seeing if you could shine some light on the matter?

    • Hristo Pandjarov, SiteGround Team (October 31, 2018 / 02:24)

      The problems are caused by a custom setting of your cloud server that you requested a year and a half ago. We've removed the support for TLS 1.0 since then. Please check your ticket; it will be updated shortly with details on the subject. Generally, there's no issue with the TLS 1.3 implementation, but an old configuration that blocked it from working properly 🙂

  7. JohnnyB Rad (November 16, 2018 / 19:51)

    Hey Hristo:

    Came across this post. Thanks for sharing the info.

    I host a couple of sites with SG as well. Since you invite us to test pandjarov.com at Qualys Labs, I discovered that your site (as well as my own) does not have OCSP Stapling enabled, while TLS 1.3 is indeed enabled.

    Is SG rolling out OCSP Stapling, or is this a rule we should request support to implement?

    • Hristo Pandjarov, SiteGround Team (November 19, 2018 / 01:32)

      OCSP Stapling is enabled and working on all servers. It is the test you're performing that's not really correct. Note that the worker needs to have some requests to the site before it starts producing cached results. Here's a response from my site again 🙂

      OCSP response:
      ======================================
      OCSP Response Data:
      OCSP Response Status: successful (0x0)
      Response Type: Basic OCSP Response
      Version: 1 (0x0)
      Responder Id: EE5EFFFE85DB26C626FBD3698410AD1D0DD3EF58
      Produced At: Nov 19 06:46:07 2018 GMT
      Responses:
      Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
      Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
      Serial Number: 5E52A7B7D1282F578E40DFDE
      Cert Status: good
      This Update: Nov 19 06:46:07 2018 GMT
      Next Update: Nov 23 06:46:07 2018 GMT

      If you're on Linux or Mac, you can check it out through the terminal (repeated connections, so the staple shows up once the server's worker has warmed its cache):

      for i in $(seq 1 50); do echo "$i"; echo QUIT | openssl s_client -connect pandjarov.com:443 -status 2>/dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'; done
