Could be a malware problem
https://community.norton.com/en/forums/ocsp-digicert-com
Wim
Well that query flag was set in my Waterfox but I need to check Chromium and Firefox for Android to see if it does the same. Strange that the only delay is on the forum but no other site I visit!
Stuart
PS I am unable to find an equivalent flag in Chromium.
Just tried this on Waterfox and Windows 7. With the OCSP flag off I still see 39 seconds delay before the forum server actually responds initially.
Stuart
As there are no other postings with the same problem, there must be something unique in your setup.
The normal message for a valid OCSP request is short and fast.
The lifetime of the answer in the response header is more than 24 hours.
If I understand correctly, it seems that all your browsers on different devices have that long delay.
So there must be another device between your computer and the forum-server responsible for this delay.
Maybe you are running your own DNS server, or a modified router or ??
Could you test accessing the forum with your laptop/smartphone/tablet somewhere on another network from another provider?
Wim
OCSP is used to check that the SSL certificate presented by the forum is valid and hasn’t been revoked. That’s an expected process because your browser needs to know if a certificate is ‘good’ or not. What is puzzling is why this seems to happen for your browser when you’ve not used the forum for a while, why the OCSP site takes so long to reply and therefore slows your forum access down, and why it only seems to be happening for you. I’m guessing that once validated the certificate is reported as ‘good’ for a period and so doesn’t need checking again so your access then speeds up.
I don’t know much about OCSP though. I have come across it professionally (oddly only within the last week!) but as it’s expected traffic and seemed to work as intended I didn’t probe it too much.
Hmmm, there’s something very weird going on!
The SSL certificates used by weather-watch.com are issued by LetsEncrypt and their revocation status is checked by OCSP: http://ocsp.int-x3.letsencrypt.org. So that’s where your browser should be going to. Digicert do provide certificates but not for LetsEncrypt and I don’t use them. So I don’t understand why your browser would be going anywhere near ocsp.digicert.com when you access the forum!
Bed time now but I’ll hopefully have some time tomorrow evening to think about this some more.
The Q then needs to be asked: what browser is used, and what OS?
Also what DNS is being used.
I’m using Chrome on Windows 10 and on Android.
My DNS forwarder on my router is Google’s 8.8.8.8 and 8.8.4.4.
I notice the slow down of about 10 seconds every time on initial visit to the forum.
I think broadstairs uses a browser running on Linux, and so that is the difference.
…and AV etc?
Latest Chrome on Win 7
DNS
1.1.1.1 - Cloudflare
8.8.4.4 - Google
ESET NOD32
Not suffering delays.
One other thing to consider is what people consider as their starting page on the forum. Some people might always start a new browser window and not keep sessions going so they start at the forum index. Others (like me) tend to keep forum tabs open for days/weeks/months so the last viewed page will be the first thing displayed.
Why might this be important? As far as I know (someone will prove me wrong!) the forum itself only uses components served from the weather-watch.com server which uses a LetsEncrypt SSL certificate. However, many users have banners in their profile (it’s allowed and I’m not looking to get rid of them). The banners can include images from the user’s web site, or indeed any web site, and these can be HTTPS URLs. So if you restart on a page that has an HTTPS banner then you might end up checking the SSL status for that site as part of the page display. I don’t know why this would be the first thing checked though…I’m just trying to think of any reasons for doing an OCSP check against an SSL certificate provider that the forum doesn’t use and it’s also a mystery why the Digicert OCSP lookup takes so long.
Hmmm, having typed that…I wonder if the forum’s LetsEncrypt certificate is being checked against Digicert for some reason. Digicert might be slow to respond to enquiries for certificates it didn’t issue. I haven’t a clue whether this is possible though, nor why it would happen for Stuart and not apparently any (many) others.
Searching around I’ve found other references to slow first time access to web sites related to OCSP and digicert.com. No definitive answers so far to why and I still don’t understand why digicert.com is involved in the first place. Time to go to work now so no more time to investigate.
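Added example (not part of the original thread): the posts above ask why a browser would contact a DigiCert responder when the forum's certificate comes from LetsEncrypt. The responder a certificate names is recorded in its Authority Information Access extension, and the `openssl` commands below read it; `forum.example`, `ocsp.ca.example` and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find out which OCSP responder a certificate names.

# Print the OCSP responder URL(s) from a PEM certificate's
# Authority Information Access (AIA) extension.
ocsp_uri_of() {    # ocsp_uri_of CERT.pem
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Succeed only if the first OCSP responder URL is on the expected host.
responder_is() {   # responder_is CERT.pem EXPECTED_HOST
    [ "$(ocsp_uri_of "$1" |
        sed -E 's#^[a-z]+://([^/:]+).*#\1#' | head -n 1)" = "$2" ]
}

# Fetch a live server's leaf certificate as PEM on stdout.
# Needs network access; the offline sample below does not use it.
fetch_cert() {     # fetch_cert HOST > cert.pem
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# Constructed sample: a throwaway self-signed certificate whose AIA
# extension names URL as its OCSP responder (hypothetical host names).
make_sample_cert() {   # make_sample_cert DIR URL
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = forum.example
[ext]
authorityInfoAccess = OCSP;URI:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}
```

Running `fetch_cert` against each HTTPS host a page loads from (the forum itself, any banner image hosts) and passing the saved certificate to `ocsp_uri_of` shows which responder each certificate points at.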
I have the problem on a mix of OSes (Linux, Android & Windows 7) and a mix of browsers (Waterfox, Firefox & Chromium). DNS was set recently, having run DNSBench, and it made no difference; besides, the message is always “waiting for forum”, which means DNS is finished.
Stuart
Aha! According to the internet “Google does not use OCSP servers or CRL lists, instead Chrome simply checks its own CRLSet for certificate status when visiting a secure website”.
Just now accessing the forum using Firefox on Android and it was back to normal! Will see later what happens on Linux.
Stuart
I just changed my DNS forwarding on my router from 8.8.8.8 to 1.1.1.1.
I’ll report back if this makes a difference.
I just tried a ping to the forum URL and the DNS response was pretty instant so I doubt DNS has anything to do with my issue.
Stuart
I agree. And changing my DNS to 1.1.1.1 from 8.8.8.8 did not make a difference. I’m still noticing a delay.
@galfert: I assume you are using Chrome? If you open Developer Tools, Security, and then access the forum, what does it show for the issuer of the certificate?
This morning it took 8 seconds to open the main page using Waterfox on Linux! So it looks to me that things have improved. I also found out yesterday that TalkTalk and a couple of others had problems caused by Yahoo and although that was hitting their email systems (which I don’t use) TalkTalk is my ISP and I’m wondering if there was more to this issue than was publicised. Anyway right now on both Android and Linux it seems much better. Let’s hope it continues.
Stuart