During a web application penetration test you capture a TLS 1.2 handshake in Wireshark. Immediately after the server's Certificate message you notice an optional CertificateStatus message that carries a signed OCSP response. From a PKI standpoint, what key benefit is the web server gaining by including this message (OCSP stapling) in the handshake?
It eliminates the need to transmit intermediate CA certificates, thereby shortening the TLS handshake.
It prevents man-in-the-middle attacks by encrypting the certificate with the server's private key before transmission.
It lowers client latency and preserves user privacy by removing the need for clients to query the certificate authority for revocation status.
It provides perfect forward secrecy by embedding the server's ephemeral Diffie-Hellman parameters in the certificate.
OCSP stapling lets the server fetch a time-stamped revocation response from the certificate authority in advance and "staple" it to the TLS handshake. Because clients receive the OCSP data directly from the server, they no longer have to contact the CA themselves. This lowers connection latency (one less round-trip) and prevents the CA from seeing which specific sites a user visits, improving user privacy.
The distractors are incorrect for these reasons:
Embedding an OCSP response does not establish perfect forward secrecy; that is achieved with ephemeral key exchange methods such as ECDHE, not OCSP stapling.
Intermediate CA certificates may still need to be sent; stapling only adds revocation information, not the entire chain.
The certificate is always sent in plaintext; stapling does not encrypt it, so it is not a direct countermeasure to man-in-the-middle attacks.
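To see what the CertificateStatus message from the question actually carries on the wire, here is an added example (not part of the original question or explanation) that parses a TLS 1.2 CertificateStatus handshake message per RFC 6066 and reads the responseStatus of the stapled DER OCSPResponse per RFC 6960. It assumes the record-layer header has already been stripped, and the sample message is constructed here, not taken from a real capture.

```python
HANDSHAKE_CERTIFICATE_STATUS = 22  # HandshakeType certificate_status (RFC 6066)
STATUS_TYPE_OCSP = 1               # CertificateStatusType ocsp
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}  # RFC 6960 4.2.1

def parse_certificate_status(msg: bytes) -> bytes:
    """Return the DER OCSPResponse carried by a CertificateStatus handshake
    message (record header already stripped); ValueError if malformed."""
    if len(msg) < 4:
        raise ValueError("truncated handshake header")
    if msg[0] != HANDSHAKE_CERTIFICATE_STATUS:
        raise ValueError(f"not a CertificateStatus message (type {msg[0]})")
    body = msg[4:]
    if int.from_bytes(msg[1:4], "big") != len(body):
        raise ValueError("handshake length does not match payload")
    if len(body) < 4 or body[0] != STATUS_TYPE_OCSP:
        raise ValueError("missing or unsupported CertificateStatusType")
    ocsp = body[4:]
    # OCSPResponse is opaque<1..2^24-1>: 3-byte length, must be non-empty
    if not ocsp or int.from_bytes(body[1:4], "big") != len(ocsp):
        raise ValueError("OCSPResponse length mismatch")
    return ocsp

def ocsp_response_status(der: bytes) -> str:
    """Decode responseStatus, the ENUMERATED that opens the OCSPResponse
    SEQUENCE. DER length octets (short or long form) are skipped."""
    if len(der) < 5 or der[0] != 0x30:
        raise ValueError("OCSPResponse is not a DER SEQUENCE")
    idx = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    if der[idx:idx + 2] != b"\x0a\x01":
        raise ValueError("expected ENUMERATED responseStatus")
    return RESPONSE_STATUS.get(der[idx + 2], f"unknown({der[idx + 2]})")

def build_certificate_status(ocsp_der: bytes) -> bytes:
    """Build the message as a stapling server would (sample input only, not a real capture)."""
    body = bytes([STATUS_TYPE_OCSP]) + len(ocsp_der).to_bytes(3, "big") + ocsp_der
    return bytes([HANDSHAKE_CERTIFICATE_STATUS]) + len(body).to_bytes(3, "big") + body

def has_valid_staple(msg: bytes) -> bool:
    """True if msg is a well-formed OCSP staple whose responseStatus is successful."""
    try:
        return ocsp_response_status(parse_certificate_status(msg)) == "successful"
    except (ValueError, IndexError):
        return False

# Constructed minimal OCSPResponse: SEQUENCE { responseStatus successful(0) },
# responseBytes (OPTIONAL) omitted. A real staple is far larger and signed.
SAMPLE_OCSP = bytes.fromhex("30030a0100")
SAMPLE_MESSAGE = build_certificate_status(SAMPLE_OCSP)
```

A successful responseStatus only means the message is well formed; a client still has to verify the responder's signature and the thisUpdate/nextUpdate window before trusting the staple.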
Certified Ethical Hacker (CEH)
Cryptography