Apple forces industry to adopt one-year HTTPS certificates

Apple forces industry to adopt one-year HTTPS certificates Cybersecurity

A decision taken unilaterally by Apple in February 2020 had an impact on the browser landscape and forced the CA industry to accept a new default lifetime of 398 days for TLS certificates.

Following Apple’s announcement, Mozilla and Google have announced that they want to apply the same rule in their browsers.

As of September 1, 2020, browsers and devices from Apple, Google and Mozilla will display errors for new TLS certificates that have a lifespan of more than 398 days.

This decision is important because it changes not only the functioning of an essential part of the Internet – TLS certificates – but also because it breaks with normal industry practices and cooperation between browsers and certification authorities. .

The CA / B forum and the lifetime of the TLS certificate

Known as the CA / B Forum, the cooperative organization is an informal group made up of certification authorities (CAs), companies that issue TLS certificates used to support HTTPS traffic, and browser publishers. .

Since 2005, this group has established rules on how TLS certificates are to be issued and how browsers are expected to manage and validate them.

Navigators and certification authorities usually discussed the rules to come until they reached common ground, and then adopted the rules that all members had implemented.

However, during its 15 years of history, there has been one subject that has always caused a stir whenever it has been mentioned: the lifespan of TLS certificates.

The lifespan of TLS certificates started at eight years, and over the years, browser vendors have reduced it to five, then three, and then two.

The previous change occurred in March 2018, when browser manufacturers attempted to reduce the lifespan of SSL certificates from three to one year, but a compromise was finally found over a lifespan of two years after a aggressive reaction from certification authorities.

But barely a year has passed and the browser publishers have returned to the charge, much to the dismay of the certification authorities, who, at that time, thought that they had reached a compromise and had put the problem next to.

As ZDNet reported last summer, browser providers have again attempted to extend the lifetime of TLS certificates to one year. Voting on this proposal, called by Google, failed in September 2019. While the proposal won the support of 100% of browser publishers, only 35% of certification authorities voted in favor of this measure.

Browser providers ignore CA / B forum

But in February, Apple broke the standard CA / B Forum procedure. Instead of calling for a vote, Apple simply announced its decision to implement a lifetime of 398 days on its devices, regardless of what the CA / B Forum control authorities thought.

Two weeks later, Mozilla announced the same thing, and earlier this month Google also followed suit.

This is a show of force by browser editors, who thus assert their control over the CA / B and over the HTTPS ecosystem. This relegates the certification authorities to the role of simple participants with no real power.

This development was anticipated by HashedOut, an information site dedicated to the CA industry.

“If the CAs vote against this measure [le scrutin de septembre 2019], it is possible that browsers act unilaterally and still impose the change, “wrote the site in August 2019, a month before the vote.

“It is not unprecedented, but it has never happened on an issue that is traditionally as collegial as that,” he added. “If this is the case, it becomes fair to ask what is the interest of the CA / B forum. From this point of view, the browsers would govern essentially by decree and the whole exercise would only be a farce.”

Why browser vendors want shorter TLS certificates

For the uninitiated, it all sounds like a stupid technical drama and a power game. However, there is a reason why browser vendors have gone to great lengths for shorter TLS certificates.

The main reason is that bad TLS certificates are eliminated faster.

The standard is that once a TLS certificate has been used by malware, phishing, or other operations, the certificate must be revoked by the certification authorities.

However, the certificate revocation process has been a sack of nodes for years: very few certification authorities revoke certificates on time and bad certificates remain valid for years, allowing malicious actors to use and reuse the same certificate for several operations.

Browser vendors have argued that by reducing the lifespan of TLS certificates, these certificates will become invalid more quickly, even if issued by certification authorities that do not follow good practice.

In addition, there is also the problem of decrypting traffic. At some point in the future, browser vendors anticipate that malicious actors will be able to decrypt the HTTPS traffic they log today.

By securing traffic with shorter certificates, browser manufacturers hope to make this process more resource intensive for attackers.

Authorities bow out, reluctantly

Certification authorities are fighting against shorter lifetimes because they believe that none of these issues really make a difference. They believe that malware operators tend to abandon TLS certificates after using them once, especially since many companies provide free TLS certificates under various offers and programs.

Shorter lifespans simply create more work for their IT teams and change industry standards which should not be the case. The standards are in fact designed to change over the course of a month.

However, the issue has been decided and the certification authorities are far from satisfied with the way the whole process has gone. At a CA B forum meeting in May 2020, some CAs provided public responses to Apple’s decision, and most did not have a particularly positive opinion.

Actalis said “whether he likes it or not”, they “are forced to comply.”

D-TRUST, another certification authority, also said it was also forced to comply with this new TLS lifespan, but made it clear that they saw “no gain in security or other benefits by shortening the lifetime of certificate “.

Telia described it as “an unnecessary burden on our community”.

And the answers continue, in the same passive-aggressive tone of “yes, we will, but we are not satisfied with it”.



Rate article