In 2019, the shared vision of Certificate Authorities (CAs) and web browsers began to shift. While web browsers have long depended on CAs to vouch for the integrity of the digital certificates presented by sites, giants like Google and Mozilla have started to take security decisions into their own hands.
In any case, with the ongoing global pandemic adding to the churn, a slew of new enforcement deadlines and initiatives suggests that 2020 is proving to be an even busier and more eventful year for CAs than the last. Let's take a look.
Deprecating TLS 1.0 and 1.1 and preparing for TLS 1.2
One of the biggest stories of the year is that industry giants such as Google, Microsoft, Apple and Mozilla will no longer support Transport Layer Security (TLS) versions 1.0 and 1.1 as of March 2020. Of course, this has been coming for some time, with the tech giants first outlining plans to phase out the outdated protocols in October 2018, citing known security vulnerabilities. Over 850,000 websites still use the old protocols, including the web portals of major banks, news sites, e-commerce stores and even governments.
Interestingly, Microsoft has taken the unprecedented step of temporarily halting any deprecation enforcement of TLS 1.0 and 1.1 for Office 365 commercial customers, due to the ongoing pandemic. To help site owners who still have TLS 1.0 and 1.1 dependencies, the company has put together a guide explaining how to remove them. From here on, all client-server and browser-server combinations are advised to use TLS 1.2 or later to maintain connectivity to Office 365 services. Microsoft is not alone in making such concessions as the world grapples with Covid-19, though its suspension of deprecation enforcement is noteworthy: Office 365 is used by over a million companies, with 600,000 companies in the U.S. alone utilizing the Office suite software.
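Finding the TLS 1.0/1.1 dependencies that the vendors' deadlines expose starts with knowing which clients can only speak the old protocols. The following added example (not code from this post or from any vendor) parses the version fields of a TLS ClientHello record, the `supported_versions` extension when present and the legacy `client_version` otherwise, and flags clients whose best offer is below TLS 1.2; `build_client_hello` constructs test input and is an assumption, not a capture.

```python
import struct

TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS = 0x002B   # extension type; only TLS 1.3-capable clients send it
MIN_ACCEPTABLE = 0x0303       # TLS 1.2, the floor the browser vendors now enforce

def build_client_hello(legacy_version, supported_versions=()):
    """Construct a minimal ClientHello record for testing (constructed, not captured)."""
    exts = b""
    if supported_versions:
        body = bytes([2 * len(supported_versions)]) + b"".join(
            struct.pack("!H", v) for v in supported_versions)
        exts = struct.pack("!HH", SUPPORTED_VERSIONS, len(body)) + body
    hello = (struct.pack("!H", legacy_version) + bytes(32)  # client_version, random
             + b"\x00"                                     # empty session_id
             + b"\x00\x02\x13\x01"                         # one cipher suite
             + b"\x01\x00"                                 # null compression only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_versions(record):
    """Return the set of protocol versions a ClientHello record offers."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                                # past record and handshake headers
    legacy = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                                          # client_version, random
    pos += 1 + record[pos]                                 # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]    # cipher_suites
    pos += 1 + record[pos]                                 # compression_methods
    versions = set()
    if pos < len(record):                                  # extensions are optional
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            if etype == SUPPORTED_VERSIONS:
                data = record[pos + 1:pos + 1 + record[pos]]
                versions.update(struct.unpack("!%dH" % (len(data) // 2), data))
            pos += elen
    # Without supported_versions, client_version is the highest the client speaks.
    return versions or {legacy}

def legacy_only(record):
    """True when the client cannot negotiate anything newer than TLS 1.1."""
    return max(offered_versions(record)) < MIN_ACCEPTABLE
```

Run over the first record of each captured connection, `legacy_only` gives an inventory of the clients that will break once TLS 1.2 becomes the minimum.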
Apple limits SSL/TLS certificate lifetimes to 398 days
Apple has gone one step further in a bid to heighten web security for users, decreeing in February that its Safari browser will no longer accept new HTTPS certificates that expire more than 13 months from their creation date. This means that sites which use long-life SSL and TLS certificates issued after the cut-off point will provoke privacy errors in the Apple browser on all iOS and macOS devices. Not a good look for sites trying to improve their bounce rate, in other words.
The change comes into effect from September 1, 2020, and will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS. Old certificates will have the same acceptable duration as previously, namely 825 days.
While the move will be applauded in some quarters, it does create more of a burden for site owners going forward, with certificate deployment, renewal and lifecycle management all becoming more onerous. Unless, that is, they choose to automate the process.
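To see how Apple's two limits interact with a certificate's issue date, here is an added example (not from this post or from Apple) that applies the rule described above to the `notBefore`/`notAfter` fields in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns; it assumes the lifetime is simply the number of days between those two fields, and the sample certificates are constructed.

```python
import ssl
from datetime import datetime, timezone

# The rule described above: TLS server certs issued on or after 1 September 2020
# may be valid for at most 398 days; earlier ones keep the 825-day allowance.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
NEW_MAX_DAYS = 398
OLD_MAX_DAYS = 825

def parse_cert_time(value):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' strings that getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def lifetime_days(cert):
    """Validity period (notBefore to notAfter) in whole days."""
    return (parse_cert_time(cert["notAfter"]) - parse_cert_time(cert["notBefore"])).days

def allowed_lifetime(cert):
    """Maximum lifetime Safari accepts, chosen by the certificate's issue date."""
    return NEW_MAX_DAYS if parse_cert_time(cert["notBefore"]) >= CUTOFF else OLD_MAX_DAYS

def safari_accepts(cert):
    """True if the certificate's lifetime is within the limit for its issue date."""
    return lifetime_days(cert) <= allowed_lifetime(cert)

# Constructed sample certificates (only the two date fields matter here).
SAMPLES = {
    "13-month cert issued after the cutoff":
        {"notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Nov  1 00:00:00 2021 GMT"},
    "2-year cert issued after the cutoff":
        {"notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Oct  1 00:00:00 2022 GMT"},
    "2-year cert issued before the cutoff":
        {"notBefore": "Jun  1 00:00:00 2020 GMT", "notAfter": "Jun  1 00:00:00 2022 GMT"},
    "30-month cert issued before the cutoff":
        {"notBefore": "Jun  1 00:00:00 2020 GMT", "notAfter": "Dec  1 00:00:00 2022 GMT"},
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        verdict = "accepted" if safari_accepts(cert) else "REJECTED"
        print(f"{label}: {lifetime_days(cert)} days (limit {allowed_lifetime(cert)}) -> {verdict}")
```

For a live server, the same dictionary comes from `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()`.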
Chrome to block HTTP downloads
The merits of HTTPS over HTTP have been repeated ad nauseam, but Google's April announcement that it would protect Chrome users from insecure downloads caught some by surprise. This will be a phased process, with the first step being warnings about insecure (HTTP) downloads initiated from secure (HTTPS) pages. Later, such downloads will be blocked entirely. High-risk file types such as executables will be prioritized, with subsequent Chrome releases covering more file types.
The next browser update, Chrome 83, is slated for June 2020, with 84 following in August and 85 in September. Google is encouraging all web developers to fully migrate to HTTPS to avoid falling foul of future restrictions.
Microsoft patches urgent Windows 10 vulnerability
As detailed in a short post in January, Microsoft introduced a security update to address a vulnerability in the way Windows CryptoAPI (Crypt32.dll), which handles cryptographic messaging functions, validates Elliptic Curve Cryptography (ECC) certificates. Microsoft moved quickly after the National Security Agency (NSA) flagged the potential for an attacker to use a spoofed code-signing certificate to sign a malicious executable and pretend the file was from a legitimate source. With millions of endpoints susceptible to attack, the patch couldn’t have been any more urgent.
DigiCert initiates Extended Validation SSL enhancement
Although organizations have long proved domain ownership by purchasing Extended Validation (EV) SSL certificates, DigiCert is on a mission to enhance standards that were, after all, developed in 2007 – a virtual lifetime ago given the speedy evolution of cyber threats. In tandem with several other CAs, DigiCert has proposed four enhancements to the existing validation process. They are as follows:
- Require that the CA check the certificate type in the CAA record and respect a CAA policy regarding certificate type prior to issuing.
- Include Legal Entity Identifiers (LEIs) in certificates.
- Develop a whitelist of approved data sources to validate EV certificates.
- Require CAs to verify a registered trademark/wordmark before issuing an EV certificate and include trademark and brand information in a certificate (as well as the source of validation).
Needless to say, the proposals are intended to make EV SSL stronger by ensuring a safer and more transparent browsing experience. Discussions are still underway. And there you have it: a detailed snapshot of the SSL/TLS certificate landscape as of May, 2020.