Look at auto-enable OCSP Stapling
From Internet: One recommendation I would have is to auto-enable OCSP Stapling. The Online Certificate Status Protocol (OCSP) is very problematic as it leads both to privacy and security concerns (e.g. watering hole attacks). OCSP basically mirrors the behavioral pattern and the IP addresses of visitors of specific websites to issuing CAs. These then become an attractive attack vector (especially ones like StartSSL).
Unless OCSP stapling is in place, a client will set up an unmitigated session to a third party server every time to check the revocation status of X.509 digital certificates. OCSP stapling allows the presenter of a certificate to present a short-lived proof that the certificate is good, so no information is leaked to the issuing certificate authority (CA). Who visits your website when should be of no concern to a Certificate Authority...
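One way to verify that a server really staples a fresh, "good" response is to classify the text printed by `openssl s_client -status`. This is an added example, not part of the original post; the helper names and result labels are hypothetical, and the sample outputs are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed samples in the format printed by:
#   openssl s_client -connect HOST:443 -servername HOST -status </dev/null
NO_STAPLE = "CONNECTED(00000003)\nOCSP response: no response sent\n---\n"
STAPLED = """CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: May  1 00:00:00 2024 GMT
    Next Update: May  8 00:00:00 2024 GMT
"""

def _field(text, name):
    """Return the value of a 'Name: value' line, or None if absent."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def _parse_time(value):
    # OpenSSL pads single-digit days with an extra space; normalise first.
    value = " ".join(value.split())
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def check_staple(s_client_output, now):
    """Classify the stapled OCSP response seen in s_client output."""
    if "OCSP response: no response sent" in s_client_output:
        # No staple: clients that check revocation query the CA's responder.
        return "not-stapled"
    status = _field(s_client_output, "OCSP Response Status")
    if status is None or not status.startswith("successful"):
        return "invalid"
    cert_status = _field(s_client_output, "Cert Status")
    if cert_status != "good":
        return "cert-" + (cert_status or "unknown")
    # The staple is a short-lived proof; past Next Update it is no longer valid.
    next_update = _field(s_client_output, "Next Update")
    if next_update is None or _parse_time(next_update) <= now:
        return "stale"
    return "stapled-good"
```

Running this from monitoring against each hostname catches both a server where stapling was never switched on and one that keeps serving an expired staple.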