The Case for Prefetching and Prevalidating TLS Server Certificates.

NDSS (2012)

Abstract
A key bottleneck in a full TLS handshake is the need to fetch and validate the server certificate before establishing a secure connection. We propose a mechanism by which a browser can prefetch and prevalidate server certificates so that by the time the user clicks on an HTTPS link, the server’s certificate is immediately ready to be used. Combining this with a recent proposal called Snap Start reduces the TLS handshake to zero round trips. Prefetching and prevalidating certificates improves web security by making it less costly for websites to enable TLS and by removing time pressure from the certificate validation process. We implemented prefetching and prevalidation and studied the effects of four different prefetching strategies on server performance. Along the way we conducted a study of OCSP, a certificate validation mechanism. This data enabled us to evaluate the effectiveness of prefetching and prevalidating in reducing TLS handshake latency. In some cases we show a factor of four speed-up over a full TLS handshake.