OCSP on a high traffic website

Hi,
we are a news website with several million PIs/day. In the course of migrating to HTTPS we are considering using Let’s Encrypt as our CA (because we like the idea and want to promote it). We are fine with ACME and DV but one concern we have not resolved yet is OCSP in terms of performance and portability. If we would stick to stapling (maybe even must-staple) we would limit ourselves to server software that correctly implements it which would rule out some options for us - especially Cloud Load balancers and some CDNs. If we want to retain the option to run it without stapling (which we’d like to) we would have to be able to rely on our CA’s OCSP responders to handle even our peak traffic which can be quite a lot. Our question is: Do you have any hints/best practices/Big X already uses Let’s Encrypt/do’s and don’ts related to OCSP performance and deployment for us? Any help is very much appreciated.

BTW: We know these issues are not specific to Let’s Encrypt but see them as something we’d have to ask any CA we choose.

Best regards,

Stephan

Let’s Encrypt periodically generates OCSP responses and caches them with help of the Akamai CDN.

So performance-wise Let’s Encrypt is depending on Akamai’s services for OCSP responses.

2 Likes

Any service can and will occasionally go down (hopefully not much!), but Akamai is one of the top CDNs, so the Let’s Encrypt OCSP service should be able to handle whatever load you throw at it.

For what it’s worth, there are a lot of popular websites using Let’s Encrypt. (Warning: It’s a list of domain names. Some of them are NSFW.)

1 Like

Thanks a lot for your replies. Performance-wise this is good to hear. Convince-the-management-wise it’s another story. For a reputed newspaper it is not a very persuasive argument to be in good company with xhamster, Pirate Bay and Pornhub :smiley:

No Comodo certificate for you then.

The left image is Let's Encrypt...

Oh, my bad! Thanks for clearing this up!

Honestly, though, any large Internet infrastructure provider is going to have clients you don’t like.

There aren’t that many big CAs.

Sure. But the question “does large infrastructure X have clients similar to ourselves” is relevant in some non-technical ways - and for Let’s Encrypt I couldn’t find any yet.

Maybe @cpu or @jsha knows a way to ask Akamai for some statistics about the OCSP volumes that they deal with on behalf of LE? Or is Akamai already sharing that data with LE directly?

We served about 2.25 billion OCSP responses yesterday, so we should be more than able to handle the load. In terms of high-visibility sites that use Let's Encrypt, login.gov uses us, as well as several NASA subdomains. Also, Squarespace, Wix, and WordPress.com (among others) use Let's Encrypt for every domain they host. Those tend not to be huge domains, but overall it adds up to a huge amount of traffic.

It seems like you've got most of the info; OCSP Stapling is nice for performance and privacy, but not all software implements it correctly. If you do it, make sure your software prefetches responses and only serves currently valid ones.

2 Likes
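
The advice in the post above (prefetch responses, serve only currently valid ones) as an added sketch; it is not code from Let's Encrypt or from any server software mentioned in this thread. The names `OcspResponse` and `StapleCache`, the refresh-at-half-window policy, the 5-minute clock-skew tolerance and the caller-supplied `fetch` function are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

SKEW = timedelta(minutes=5)  # assumed tolerance for clock drift


@dataclass(frozen=True)
class OcspResponse:
    """Only the fields the freshness decision needs (hypothetical model)."""
    this_update: datetime
    next_update: datetime
    der: bytes = b""  # raw response bytes that would be stapled


def currently_valid(r: OcspResponse, now: datetime) -> bool:
    """True if now lies within [thisUpdate - skew, nextUpdate)."""
    return r.this_update - SKEW <= now < r.next_update


def refresh_due(r: OcspResponse, now: datetime) -> bool:
    """Prefetch once half of the validity window has elapsed (assumed policy)."""
    return now >= r.this_update + (r.next_update - r.this_update) / 2


class StapleCache:
    def __init__(self, fetch: Callable[[], OcspResponse]):
        self._fetch = fetch  # caller-supplied function that queries the responder
        self._current: Optional[OcspResponse] = None

    def tick(self, now: datetime) -> None:
        """Run from a timer, never from the TLS handshake path."""
        if self._current is not None and not refresh_due(self._current, now):
            return
        try:
            fresh = self._fetch()
        except OSError:
            return  # responder unreachable: keep the cached response for now
        # Accept only a response valid right now and not older than the cached one.
        if currently_valid(fresh, now) and (
                self._current is None
                or fresh.this_update >= self._current.this_update):
            self._current = fresh

    def staple(self, now: datetime) -> Optional[bytes]:
        """Bytes to staple, or None; an expired response is never served."""
        if self._current is not None and currently_valid(self._current, now):
            return self._current.der
        return None
```

Refreshing at the midpoint leaves the second half of the window to ride out a responder outage; once `nextUpdate` passes, `staple()` returns nothing rather than an expired response.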

@schoen, @jsha: Thanks for your answers - that helps a lot!

1 Like
