Chrome version 106 eliminates the need for an EV certificate

Summary: As of Chrome 106, Chrome will no longer do Online Certificate Status Protocol (OCSP) revocation checks by default for Extended Validation (EV) certificates. This results in a direct performance improvement for sites using an EV certificate.


What is an Online Certificate Status Protocol?

Every time a browser connects to a secure domain (anything served over HTTPS), an SSL negotiation phase is required: this is where the browser establishes a secure connection to the server. Several events must take place for this to occur:

It’s that last part, verifying the identity of the server, that we’re focused on here. If a site’s SSL certificate has been compromised, the certificate must be revoked. One of the ways this has been done is by performing OCSP revocation checks.

During an OCSP revocation check, the browser sends a request to an OCSP responder identifying the certificate it wants to check. The responder then replies to let the browser know whether the certificate can still be trusted. This round trip takes place during the SSL negotiation phase of the initial request, slowing that phase down.

Where is the performance improvement coming from?

Chrome uses CRLSets instead of doing these revocation checks by default for most certificate types. However, Chrome before version 106 always performed the OCSP revocation check when loading a site with an EV certificate, which lengthens the SSL negotiation time.

[Figure: Firefox 105]

In the example above an EV certificate is used. You can see that when the request for the homepage is made, during the SSL negotiation phase (purple bar), Chrome fires another request to the OCSP responder to check whether the certificate can still be trusted.

As you can see here, it’s not a cheap process, delaying the request itself from starting. All the delay gets factored into the SSL negotiation time for the connection to the main URL. When an EV certificate is used, the cost is paid every time a new connection is made to that domain.
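To make the trigger concrete, here is an added example (not code from the original post) that inspects a certificate for the two things that used to make pre-106 Chrome block the handshake on OCSP: an EV policy OID and an OCSP responder URL in the Authority Information Access extension. It assumes the third-party `cryptography` package, builds a constructed self-signed sample certificate rather than fetching a real one, and for simplicity recognizes only the generic CA/Browser Forum EV policy OID 2.23.140.1.1 (Chrome also recognizes CA-specific EV OIDs from a built-in list).

```python
# Added example: does this certificate carry an EV policy, and which OCSP
# responder would a pre-106 Chrome have to contact during SSL negotiation?
# Requires the third-party `cryptography` package.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

# Generic CA/Browser Forum EV policy OID; CAs also use their own EV OIDs.
EV_POLICY_OID = x509.ObjectIdentifier("2.23.140.1.1")


def make_sample_ev_cert(ocsp_url="http://ocsp.example.test"):
    """Constructed sample: self-signed leaf with an EV policy and an OCSP URL."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])
    now = datetime.now(timezone.utc)
    policies = x509.CertificatePolicies([x509.PolicyInformation(EV_POLICY_OID, None)])
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))])
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=30))
            .add_extension(policies, critical=False)
            .add_extension(aia, critical=False)
            .sign(key, hashes.SHA256()))


def inspect_revocation_path(cert: x509.Certificate) -> dict:
    """Report EV policy presence and the OCSP responder URLs from the AIA extension."""
    policy_oids, ocsp_urls = [], []
    try:
        policy_oids = [p.policy_identifier for p in
                       cert.extensions.get_extension_for_oid(ExtensionOID.CERTIFICATE_POLICIES).value]
    except x509.ExtensionNotFound:
        pass  # no policies extension: cannot be EV
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
        ocsp_urls = [d.access_location.value for d in aia
                     if d.access_method == AuthorityInformationAccessOID.OCSP]
    except x509.ExtensionNotFound:
        pass  # no AIA extension: nowhere to send an OCSP request
    is_ev = EV_POLICY_OID in policy_oids
    return {"is_ev": is_ev, "ocsp_urls": ocsp_urls,
            # Before Chrome 106 only EV certificates paid this cost on every new connection.
            "blocking_ocsp_check_before_chrome_106": is_ev and bool(ocsp_urls)}
```

Running `inspect_revocation_path` on a real site's leaf certificate shows whether that site was paying the per-connection OCSP round trip described above.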

Conclusion

Even though you don't have to do anything to get the improvements, now might be a good time to talk about getting rid of the expensive EV certificate. The revocation check was the last benefit that those certificates were supposed to have, and now that it's gone, you can probably safely remove them.
