Online Certificate Status Protocol (OCSP) and Port 80

ocsp

OCSP does not have to be on port 80. However, the URL for the OCSP service is specified in the certificates whose validity you are checking; if you want to run it on another port, you need to make sure that the certificates contain the proper port specification.

The reason why OCSP can be run on HTTP 80, rather than HTTPS, is that the OCSP responses are already signed by the OCSP server. The OCSP client will validate that the signature is authorized to sign OCSP responses for the CA that has issued the certificate it's checking; any MITM would make that validation fail - so adding an extra layer of encryption/authentication does not increase security, but does add complexity and increases possible failure modes.

As pointed out in a comment, running OCSP over HTTP does have the drawback that it's potentially possible for an attacker to intercept network traffic and see what certificates you are checking. However, they are still not able to change the contents of the response.

Related

wordpress wp-login.php page restriction by ip in nginx
Can I validate a large file download piecemeal over http
Significance of NOQUEUE: reject: RCPT in Postfix log?
Nested location doesn't work properly
how to pull docker image on ECR using cloudformation template
Automated software testing on real hardware
How to select all hosts except the inventory_hostname from a group?
LibSSH authentication bypass
Malware DNS A record points to my ip address
What is Load Balancer Warmup?
How to make `clamdscan` exclude folders and only log `--infected`?
Ubuntu Server with systemd - how to get a backtrace or coredump?