Rounding-up the latest developments in SSL/TLS for Q3, we explore Google’s BIMI pilot for logo branding in Gmail, plus Spotify’s August outage after a TLS certificate expiry, and follow up on the implications of the new shorter validity certificate requirements.
We also learn about a theoretical “Raccoon” attack vulnerability for TLS, and look back at the key discoveries in the NIST best practice TLS certificate management report.
Google email identity indicators as a part of security updates
Google is partnering with DigiCert and Entrust Datacard to launch a BIMI pilot for Gmail, as part of the G Suite security update. Brand Indicators for Message Identification will boost email security and allow companies to display their logo in the inbox, rather than the current simple first letter avatar. BIMI makes it far easier to spot verified emails and reduce fraud, increasing brand visibility and trust.
BIMI provides an email standard to display a verified brand logo next to the from name in authenticated emails. It isn’t an authentication protocol itself, however, and relies on two existing mechanisms: DMARC (Domain-based Message Authentication, Reporting, and Conformance), ensuring visibility and control over who can send from domains, and VMCs (Verified Mark Certificates), issued by Digicert or Entrust Datacard in this case as trusted third-parties, which authenticates an organization to others and displays a logo. In contrast to email signing certificates that authenticate and encrypt email for an individual user, VMCs get issued at the organization level, similar to SSL/TLS certificates for websites, helping organizations to fight misrepresentation of their brand.
BIMI effectively merges brand and email authentication capabilities, as Google highlighted in its announcement:
“Our BIMI pilot will enable organizations, who authenticate their emails using DMARC, to validate ownership of their corporate logos and securely transmit them to Google. Once these authenticated emails pass all of our other anti-abuse checks, Gmail will start displaying the logo in existing avatar slots in the Gmail UI.”
Google’s move follows Yahoo and AOL in adopting BIMI, in the latest boost to industry email security standards.
Expired TLS certificate takes down Spotify
In August, Spotify went down for over an hour due to an expired certificate. The outage had a widespread impact on its user base who experienced “can’t play the current song” errors for the duration of the downtime.
Spotify only provided a generic response to the outage. However, a Cloudflare engineer noticed that its TLS certificate had expired, allowing the service to resume minutes after the certificate was renewed, and demonstrating the importance of avoiding a lapse in encryption.
2-year certificate availability ended on September 1, 2020
As if to emphasize the importance of avoiding certificate expiry, just as the Spotify outage was happening, SSL vendors were grappling with the end of two-year public TLS certificates. This change was due to an industry-wide requirement set by Apple, Google, and Mozilla, stating that any two-year TLS certificate issued after August 31, 2020 would be distrusted by their browsers.
1-year certificates are here
So, the era of one-year certificates has begun. From September 1, certificates have a maximum validity of 398 days, just over one year. Shorter certificate validity periods can cause manual administration difficulties, driving the need for some form of automation. It’s a challenge to track certificates manually, so managing them is increasingly prone to human error. Remaining compliant with industry standards and upgrade requirements is difficult at scale, with organizations only too aware that one expired TLS certificate can cause a website to go down for hours or days, significantly impacting reputation and revenue.
As a solution, leading certificate provider DigiCert reconfirmed its support for the new industry standard and best practices in automated management, alongside its multi-year coverage to help customers transition to a shorter validity period. Multi-year plans allow customers to place up to 6-year TLS/SSL certificate orders. The certificates will still need an annual renewal as per new industry guidelines, but retain some of the benefits of longer-term arrangements for resellers and customers alike.
Raccoon attack reveals a vulnerability in TLS 1.2 encryption
In September, a team of academics also disclosed a theoretical “Raccoon” attack that would allow hackers to break TLS encryption under certain conditions. Though such conditions for an attack would be rare, and an exploit extremely difficult, it could decrypt the HTTPS connection and access sensitive communications.
The Raccoon attack is a timing attack where malicious third-parties measure the time taken to perform known cryptographic operations, determining parts of the algorithm to target the Diffie-Hellman key-exchange process and recover information. All servers that use this key-exchange process and TLS 1.2 and below are considered vulnerable.
However, it is a server-side attack that is not viable on a browser client, so an attacker would need to be close to the target server to perform the high precision timing measurements, making it impractical. Nonetheless, some vendors have done their due diligence and released patches.
NIST report: best practice for TLS certificate management
The National Institute of Standards and Technology also released a comprehensive report looking at the challenges of TLS server certificate management. We explore more detailed highlights in this blog post, where you’ll discover:
- Why most companies employ sub-optimal certificate management practices.
- The risk posed by improperly managed TLS certificates.
- Best practices for tackling the problem head-on.
- How to create a certificate management action plan.
Don’t let your TLS certificates become an administrative and security nightmare. Make an action plan, periodically review your progress, and use a certificate lifecycle management platform on which you can rely. That way, you can focus on growing your business in the knowledge that your certificates are safe, sound, and all accounted for.