
May 2, 2017

Latest VCC Live Client Update Brings Under-the-hood Improvements


The latest VCC Live client update includes under-the-hood improvements: faster client startup times, less data traffic and less time spent tweaking your firewall settings.

At VCC Live we’re committed to bringing you unparalleled services and features in our software package. That’s why we regularly release under-the-hood updates, including speed and reliability improvements that are often not visible to our users. Our latest update introduces the OCSP (Online Certificate Status Protocol) stapling method for checking certificate validity in the VCC Live client, bringing noticeable improvements to performance levels.

The VCC Live client uses cryptographic protocols (in this case TLS 1.2, Transport Layer Security) to establish a secure connection and communicate over a computer network. These protocols use X.509 certificates, which must be valid at the time of use. Certificates contain a public key as well as an identity that is signed by a certificate authority. When certificates are signed, a service that utilises the certificate’s public key can establish a secure connection.

A certificate authority may refuse to sign a certificate for various reasons, such as evidence of a security breach or possible information leakage. Therefore, the VCC Live client is required to request a certificate validation from the certificate authority’s OCSP server (ocs.godaddy.com) at each startup.

There are a number of ways to determine if a certificate is valid. The simplest (although not 100% reliable) method is to check the certificate’s validity date. Alternatively, the owner of the certificate can inform the certificate authority if the certificate is no longer valid. Certificate authorities can also confirm the validation status of a certificate via the OCSP protocol. Or, as certificates have an expiry date, validity can be revoked using protocols. Once the validation request has been answered, the VCC Live client can tell if the certificate is valid or invalid.

In VCC Live’s case, the TLS protocol supports an approach in which the VCC server itself provides the validation information to the client, in such a way that the OCSP details remain unchanged and valid. OCSP stapling uses this method.

By working in this way, the VCC Live client doesn’t get overloaded while handling validation requests. The client can start up more quickly and generate less data traffic. Using the OCSP stapling method also eliminates the need for firewall rules that open and forward IPs/ports to the OCSP server (which were previously required), thus making setting up the VCL environment even simpler. This firewall rule can now be removed by the system administrator.
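Before removing the firewall rule, an administrator can confirm that a server really staples a current OCSP response. The following is an added example, not VCC Live code: it classifies the text printed by `openssl s_client -status`, using constructed, abbreviated sample output and hypothetical function names.

```python
import re
from datetime import datetime, timezone

# Constructed, abbreviated sample of `openssl s_client -connect HOST:443 -status`
# output for a server that staples an OCSP response (values are illustrative).
STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: May  2 08:00:00 2017 GMT
    Responses:
    Cert Status: good
    This Update: May  2 08:00:00 2017 GMT
    Next Update: May  4 08:00:00 2017 GMT
"""
# Constructed sample for a server that does not staple.
NOT_STAPLED = "OCSP response: no response sent\n"

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def _field(text, name):
    """Return the value of the first 'name: value' line, or None."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def _when(value):
    # OpenSSL pads single-digit days with an extra space; collapse it first.
    parsed = datetime.strptime(" ".join(value.split()), _TIME_FMT)
    return parsed.replace(tzinfo=timezone.utc)


def check_staple(s_client_output, now):
    """Classify the stapling state seen in `s_client -status` output."""
    if "OCSP response: no response sent" in s_client_output:
        return "not-stapled"        # client would still need the OCSP server
    status = _field(s_client_output, "OCSP Response Status") or ""
    if not status.startswith("successful"):
        return "responder-error"
    this_upd = _field(s_client_output, "This Update")
    next_upd = _field(s_client_output, "Next Update")
    cert = _field(s_client_output, "Cert Status")
    if not (this_upd and next_upd and cert):
        return "unparseable"
    if not (_when(this_upd) <= now < _when(next_upd)):
        return "stale"              # staple is outside its validity window
    return cert                     # "good", "revoked" or "unknown"
```

Only a result of `good` indicates that the client can rely on the stapled response; `not-stapled` or `stale` means the server-side stapling configuration needs attention first.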