When you visit an HTTPS-protected website, most desktop browsers today use the Online Certificate Status Protocol (OCSP) to check the validity of the certificate sent by the website. There is a lot of debate about whether this feature is useful, but there is also a privacy aspect to it. Let me quote Wikipedia:
"OCSP checking also impairs privacy, since it requires the client to contact a third party (the CA) to confirm certificate validity. A way to verify validity without disclosing browsing behavior would be desirable for some groups of users."
I guess I'm part of this group which is why I had a closer look at the OCSP Stapling feature after upgrading my Owncloud server to Ubuntu 14.04 which included an Apache web server update that supports the feature.
What is OCSP Stapling And How Is It Configured in Apache and Nginx?
In short, OCSP stapling means that the web server itself requests the OCSP status information for its certificate from the CA's OCSP server and then includes (staples) that response in the TLS session establishment when a web browser requests an https-encrypted page. The advantage is that the web browser no longer has to send a request to the Certificate Authority to check the validity of the certificate it received from the website, which in turn protects my privacy. Agreed, this is part of the last 5% when it comes to privacy protection, but every bit counts… Configuring OCSP stapling is actually quite straightforward, and this post over at DigitalOcean goes into the details, including how to verify that everything is working.
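As an added example (not code from the original post or the DigitalOcean guide), here is a small POSIX shell script that lists the Apache and Nginx directives involved in comments and checks from the command line whether a host staples an OCSP response, using `openssl s_client -status`. The hostname argument, the certificate paths and the sample outputs are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: check from the command line
# whether a host staples its OCSP response, and classify the result.
# Assumes openssl is installed; the hostname is a placeholder from the caller.

# Apache (mod_ssl) directives. SSLStaplingCache must sit outside any
# <VirtualHost>; SSLUseStapling goes inside the TLS vhost.
#   SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/ssl_stapling(32768)"
#   SSLUseStapling on
# Nginx equivalent (paths are placeholders; ssl_stapling_verify needs the
# issuing chain so nginx can validate the responder's signature):
#   ssl_stapling on;
#   ssl_stapling_verify on;
#   ssl_trusted_certificate /etc/ssl/certs/ca-chain.pem;
#   resolver 127.0.0.1;

# Classify the output of `openssl s_client -status`. Prints one of:
#   stapled  - a stapled OCSP response was delivered in the handshake
#   none     - the server answered but sent no status_request data
#   unknown  - anything else (connection failure, unexpected output)
classify_status_output() {
    case $1 in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo none ;;
        *)                                    echo unknown ;;
    esac
}

# Ask the server for a stapled response. -status sets the status_request
# extension, which is what makes the server include the OCSP data.
check_host() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:443" \
              -servername "$1" -status 2>&1)
    result=$(classify_status_output "$out")
    echo "$1: $result"
    [ "$result" = stapled ]
}

# Constructed, trimmed sample outputs so the classifier can be tried offline.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

# Usage: sh check_stapling.sh example.com
if [ $# -gt 0 ]; then check_host "$1"; fi
```

A result of `none` means the browser may fall back to a live OCSP query to the CA, which is exactly the privacy leak stapling is meant to avoid.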
Works Well On The Desktop But Android Doesn't Care
On the desktop, both Firefox and Thunderbird, the two programs I use most together with my Owncloud at home, make use of the feature and no longer reach out to the Certificate Authority. A Wireshark trace nicely showed how the OCSP information is included during the TLS session establishment. Mission accomplished.
On the mobile side, Android doesn't seem to care about OCSP at all. That should probably not be very surprising, as Google already disabled OCSP checking in its Chrome desktop browser back in 2012. No privacy issues here, good.
An interesting twist is the Opera Mobile browser on Android: when accessing my website, it requests the OCSP status information during TLS session establishment and receives it. When going to another https site that does not supply stapled OCSP status information, however, it does not perform a separate OCSP check. That kind of defeats the purpose, but at least there's no privacy issue here.