Beware: Changes to HTTPS Certificate Requirements
This is a follow up to yesterday’s newsletter alert and sorry, it is a bit technical, but I will try to make it as untechnical as possible.
Up to a few years ago, if you ran a website, you could buy an HTTPS (also known as a TLS or SSL) certificate that didn’t expire for 10 years. The problem is that if something happened, a malicious actor could continue to use that certificate and masquerade as a legitimate website owner, possibly for an additional 9 and half years.
There was a certificate revocation process to stop compromised certificates from being used any more, but it never really worked.
As a result, a few years ago, the board that oversees the browser makers (called the CA/Browser Forum) and the certificate authorities that issue certificates reduced the allowed lifetime for a certificate to three years. This was a lot better than 10 years, but still a malicious actor could use a compromised certificate for several years.
As the CA/Browser Forum continued to wrestle with how to deal with compromised certificates, they invented something called OCSP or the Online Certificate Status Protocol. The idea is that the user’s browser could look inside the certificate to find the OCSP web site that the certificate creator runs and a browser can use that webiste to see if a certificate is still good. The problem is that this process doubles the number of requests that is required in order to load a web page. For example, as I write this, the home page of Fox news requires 84 separate calls just to load that one page. Some might be an image or a video or it could be some code. If you have to check to see if the certificate for each of these loads is valid, now you have to make 168 calls, significantly increasing the time to display the results to the user.
And, what do if that web site is down, overloaded or takes too long to respond? Do you not display the page?
During this time the CA/Browser forum reduced the allowed lifetime of a certificate to just two years. Still a bad actor can do damage for a year or more, but each time, we reduce the window for malicious activity.
Then they came up with yet another standard called OCSP Stapling. With stapling, the website owner is responsible for checking to see if the certificate is still valid. A website will get an OCSP certificate from the certificate authority say every few hours. That is then “stapled”, securely, to the HTTPS certificate that is sent to the user’s browser. When there is, say, an hour left in the life of the OCSP certificate, the website owner orders a new one. It has an hour, say, to get it and that is an eternity in browser time. For a while not all browsers understood stapling but now they do.
BUT, there is nothing to force a web site to support either OCSP or STAPLING and many do not support either.
Sometime along this time, came Let’s Encrypt. Let’s Encrypt offers a lower security (but okay for many users) certificate, but it is free and it only lasts 90 days before it expires. Now we have really reduced the bad actor’s window of opportunity.
But Let’s Encrypt came with a new standard called ACME (this has nothing to do with the Road Runner 🙂 ). With ACME, once you get Let’s encrypt installed on your server, it AUTOMATICALLY renewed itself every 90 days. This completely eliminated the work for administrators to manage and Let’s Encrypt has now issued a BILLION certificates.
Of course the certificate authorities aren’t thrilled with someone giving away their product for free, even if it is a slightly lower security product.
There was an effort in February to reduce the lifetime of certificates to one year, but it failed to get approved at the CA/Browser Forum meeting. Administrators and certificate authorities complained about the workload, but if everyone implemented ACME or something like it, that problem goes away.
OK, so now you are up to date. Fast forward to 2020.
Like Google, Microsoft and others, Apple has a lot of clout. After the move to reduce the certificate life to one year failed earlier this year, Apple said you guys can do whatever you want, but we are not going to display any web page that has a certificate (and this is important) THAT WAS ISSUED AFTER SEPTEMBER 1, 2020 AND HAS A LIFETIME OF MORE THAN A YEAR PLUS A MONTH GRACE PERIOD.
This means that if you have a new certificate that has a two year life and someone visits your website from an iPhone, iPad or Mac after September 1, they will get an error message.
So basically, Apple forced the issue.
Once this was a done deal, Google Dogpiled.
This means that if you get a new certificate with a two year life after September one, about 80% of the world’s users will no longer be able to get to your website.
THIS is why the change is kind of important.
Got questions? Contact us. Credit: ZDNet