Is your 3rd Party SSL key trusted?

Today I became aware of an issue that might affect a lot of websites.

Imagine you run a shop and do some affiliate marketing. This means you or your marketer have to include a bunch of 3rd party content in your website, even in the payment process, where the "conversion funnel" recognises the click origin.

Now imagine that one or more of these content partners participating in the SSL-secured payment process do not have a valid SSL key (certificate).

Will this affect your business?
The answer is: YES

Modern browsers double-check the validity of SSL keys by asking the issuer of the key whether it is still valid (see Wikipedia on OCSP).
This means: for every 3rd party, the browser checks whether their key is valid. If you run a lot of affiliate programs, this could be quite a few checks. Several OCSP checks definitely cause longer load times; even a single check can. As long as the key is not approved, the browser will not load the content.

Performance issues caused by OCSP

OCSP checks sometimes take a very long time to complete, depending on how quickly the SSL key's issuer is able to answer the browser's request for key approval.

Even more important is what happens if one or more of the 3rd parties' keys is not trusted, or its validity cannot be proved (for instance because of an OCSP server outage)!
Usually the browser will abort the connection to the affiliate's server, and the affiliate will not get recognised.

If you sometimes have HttpWatch open or work with Firebug, you may have seen something like "HTTP 200 abort". The web client fires an abort if the content does not come with a valid key.

Even worse (depending on where the 3rd party content is called from), your page will return a security error and the user cannot buy what he was supposed to buy (from you).

(See here what such a failure can look like.)

It is not a bad decision to keep a permanent eye on this, in these days when SSL key vendors are under constant DoS attacks or getting hacked.
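As an added example (not code from the original post), here is a small Python script that keeps that eye on things: it inventories the 3rd party HTTPS hosts embedded in a checkout page and probes each one for OCSP stapling, so you can see which partners force the browser into a live OCSP round-trip (no stapled response), which ones are slow, and which ones do not answer at all. The shop and partner hostnames and the HTML are constructed for the example; the default probe assumes the `openssl` binary is installed, and any other probe function can be injected instead.

```python
import shlex, subprocess, time
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a checkout page with affiliate includes (not a real shop).
SAMPLE_HTML = """<html><body>
<script src="https://tracker.affiliate-example.test/conv.js"></script>
<img src="https://pixel.partner-example.test/p.gif?order=1">
<iframe src="https://www.shop-example.test/funnel"></iframe><script src="/static/app.js"></script>
</body></html>"""

class OriginCollector(HTMLParser):
    def __init__(self, first_party):
        super().__init__()
        self.first_party, self.origins = first_party, set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value and value.startswith("https://"):
                host = urlparse(value).hostname
                if host and host != self.first_party:  # skip our own origin
                    self.origins.add(host)

def third_party_origins(html, first_party):
    """Every external https host the browser must validate before rendering."""
    collector = OriginCollector(first_party)
    collector.feed(html)
    return sorted(collector.origins)

def openssl_probe(host, timeout=5.0):
    """Does the host staple an OCSP response? True/False, None if no answer in time."""
    cmd = f"openssl s_client -connect {host}:443 -servername {host} -status"
    try:
        proc = subprocess.run(shlex.split(cmd), input=b"", capture_output=True, timeout=timeout)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return None
    return "OCSP Response Status: successful" in proc.stdout.decode(errors="replace")

def classify(origins, probe=openssl_probe, slow_after=1.0):
    """Map each host to 'stapled', 'no-staple', 'slow' or 'unreachable'."""
    report = {}
    for host in origins:
        started = time.monotonic()
        result = probe(host)
        if result is None:
            report[host] = "unreachable"
        elif time.monotonic() - started > slow_after:
            report[host] = "slow"
        else:
            report[host] = "stapled" if result else "no-staple"
    return report
```

A host reported as "stapled" delivers its OCSP response inside the TLS handshake, so the browser does not have to wait on the issuer's OCSP server; "unreachable" partners are the ones that will show up as aborts in your checkout.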