digital-analytics-program / gov-wide-code

Provides a set of JavaScript files and documentation to implement web analytics on US federal websites
http://www.digital.gov/dap

Turn on OCSP stapling for dap.digitalgov.gov #38

Closed konklone closed 6 years ago

konklone commented 8 years ago

Without OCSP stapling, visitors to DAP-enabled sites that are using OCSP-supporting browsers (at least Firefox and IE, not Chrome) will all ping Symantec to check to see if dap.digitalgov.gov's certificate is revoked. This shares large-scale user browsing behavior with Symantec, not a desired privacy outcome of the DAP.

Enabling OCSP stapling means that revocation information will be included ("stapled") in the initial HTTPS connection that browsers make to dap.digitalgov.gov, so that browsers don't need to make an additional connection to the CA to get this information. This also has the effect of transferring that information over HTTPS (the original connection) rather than HTTP (which OCSP connections generally use).
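One way to verify the behaviour described above from the operator's side, as an added example that is not part of this issue thread or the DAP code: classify the `OCSP response:` section that `openssl s_client -status` prints, so a host can be checked for stapling before and after a change. It assumes `openssl` is installed; the host name and port are supplied by the caller, and the sample outputs below are constructed, not captured from dap.digitalgov.gov.

```shell
#!/bin/sh
# Added example: detect whether a TLS server staples an OCSP response.
# Classify captured `openssl s_client -status` output.
# Prints one of: stapled-good, stapled-revoked, stapled-other, not-stapled.
ocsp_stapling_status() {
  out="$1"
  case "$out" in
    *"OCSP response: no response sent"*) echo "not-stapled" ;;
    *"OCSP Response Data:"*)
      case "$out" in
        *"Cert Status: good"*)    echo "stapled-good" ;;
        *"Cert Status: revoked"*) echo "stapled-revoked" ;;
        *)                        echo "stapled-other" ;;
      esac ;;
    *) echo "not-stapled" ;;   # no OCSP section at all (e.g. handshake failed)
  esac
}

# Live check: send SNI so a CDN-hosted name is answered with the right
# certificate, request the status extension, then classify the output.
check_host() {
  host="$1"; port="${2:-443}"
  out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
          -servername "$host" -status 2>/dev/null)
  ocsp_stapling_status "$out"
}

# Constructed sample outputs (shape of real s_client output, values invented).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
======================================
'
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
'

# Usage: sh check_stapling.sh dap.digitalgov.gov [443]
if [ "$#" -gt 0 ]; then
  check_host "$1" "${2:-443}"
fi
```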

konklone commented 8 years ago

Has this been raised with Akamai or others?

tdlowden commented 8 years ago

Thanks for resurfacing. I'm looking into it now.

konklone commented 6 years ago

This is resolved now that we've moved to CloudFront. You can see this here:

https://www.ssllabs.com/ssltest/analyze.html?d=dap.digitalgov.gov&s=13.35.121.31&latest