Since our last SSL update in Q1, a number of further improvements in the SSL/TLS certificate industry have helped promote safer and more secure practices among companies. The top news: all certificates are now being logged to a Certificate Transparency (CT) log, and some browsers are changing their security indicators.
The goal of CT is:
- to make it impossible for a CA to issue a certificate without it being visible to the owner of that domain;
- to make all certificates public so that domain owners can detect when a Certificate Authority (CA) is mis-issuing or has been attacked/breached, so that appropriate action can be taken; and
- to protect users from being duped by mistakenly issued or mis-issued certificates.
This delivers full transparency.
The challenge is supporting the number of certificates that need to be logged. We now have peaks at well over a million a day and the number continues to grow. Based on the number of logs and those that have been disqualified, there is a risk that there will not be a sufficient number of logs accepting pre-certificates at the time CAs want to issue them.
To help combat this, Cloudflare, Google, and DigiCert have developed “sharded” CT logs, which help with log lifecycle and size management. By separating logs by certificate expiration date, the log operator can put a log into read-only mode at the end of the year for which it’s configured. This provides a natural, planned log rotation: each log has a predetermined life, which helps reduce log size. It appears that the industry will be moving towards sharded logs in the future.
Merkle Town was developed on top of the CT log ecosystem by Cloudflare and provides useful charts in an easy-to-use dashboard.
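How sharding by expiration date plays out, as an added example that is not code from any log operator: a certificate is routed to the shard whose window covers its notAfter date, and a shard stops taking submissions once its year has ended. The shard names and the one-year windows are constructed for illustration.

```python
from datetime import datetime, timezone

def utc(year, month=1, day=1):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed shard set: one log per expiry year.
# Each window is [start, end) and is compared against the certificate's notAfter.
SHARDS = [
    {"name": "example-log-2018", "start": utc(2018), "end": utc(2019)},
    {"name": "example-log-2019", "start": utc(2019), "end": utc(2020)},
    {"name": "example-log-2020", "start": utc(2020), "end": utc(2021)},
]

def shard_for(not_after, shards=SHARDS):
    """Return the shard whose expiry window covers not_after, or None."""
    for shard in shards:
        if shard["start"] <= not_after < shard["end"]:
            return shard["name"]
    return None

def writable_shards(now, shards=SHARDS):
    """Shards still open for submissions at time `now`.

    Once a shard's window has ended, every certificate it could hold
    has expired, so the operator can switch it to read-only.
    """
    return [s["name"] for s in shards if now < s["end"]]

def submit(not_after, now):
    """Decide what happens to a (pre-)certificate submitted at `now`."""
    name = shard_for(not_after)
    if name is None:
        return "rejected: no shard covers this expiry date"
    if name not in writable_shards(now):
        return f"rejected: {name} is read-only"
    return f"accepted by {name}"
```

A certificate expiring beyond the last configured shard is rejected, which is why operators have to stand up the next year's shard before CAs start issuing certificates that expire in it.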
April 30, 2018 marked the deadline for CT logging on all new certificates as mandated by Chrome. Although the deadline won’t be enforced until Chrome 68 (planned for release in July), any certificates issued after this date that are not served with Signed Certificate Timestamps (SCTs) will eventually show a full page warning.
After a delay in March due to the desire for further testing, ACMEv2 now supports Wildcard Certificates. ACMEv2 is not backwards compatible, so when getting a Wildcard Certificate from Let’s Encrypt, you will need to check your clients for ACMEv2 support.
Let’s Encrypt have also deployed an implementation of a new validation method to replace the vulnerable TLS-SNI-based method. This is a CA/Browser Forum BR 3.2.2.4.10 method where ACME enables domain validation using ALPN.
In other news, the ACME protocol has also entered final stages to become a standardized internet protocol.
PCI DSS Deadline Looms
Beginning June 30, 2018, the PCI Data Security Standard (DSS) requires all sites processing credit cards to disable SSL and early TLS implementations (i.e. SSL 2.0 and 3.0, TLS 1.0). PCI DSS places importance on strong cryptographic protocols as a way to protect card payment data and POS systems.
Although the new requirement doesn’t forbid usage of TLS 1.1, we recommend that you disable it as well since there are known security vulnerabilities. Everyone should be using TLS 1.2 or higher. For more explanation, check out our recent post - It’s Time to Disable TLS 1.0 (and All SSL Versions) If You Haven’t Already.
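One way to check a server configuration against the rule and the recommendation above, as an added example that is not part of the original post. It assumes the site runs nginx and reads its `ssl_protocols` directive; the sample configuration is constructed.

```python
import re

# SSL 2.0/3.0 and TLS 1.0 must be disabled under the PCI DSS deadline.
PCI_FORBIDDEN = {"SSLv2", "SSLv3", "TLSv1"}
# TLS 1.1 is not forbidden by PCI DSS, but the post recommends disabling it.
DISCOURAGED = {"TLSv1.1"}

# Matches an active (not commented-out) ssl_protocols directive on one line.
DIRECTIVE = re.compile(r"^[ \t]*ssl_protocols[ \t]+([^;#\n]+);", re.MULTILINE)

# Constructed sample configuration.
SAMPLE = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8443 ssl;
    # ssl_protocols SSLv3;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

def audit(config_text):
    """Return (line, protocol, severity) for every weak protocol enabled."""
    findings = []
    for match in DIRECTIVE.finditer(config_text):
        line_no = config_text.count("\n", 0, match.start(1)) + 1
        enabled = set(match.group(1).split())
        for proto in sorted(enabled & PCI_FORBIDDEN):
            findings.append((line_no, proto, "fail"))
        for proto in sorted(enabled & DISCOURAGED):
            findings.append((line_no, proto, "warn"))
    return findings

if __name__ == "__main__":
    for line_no, proto, severity in audit(SAMPLE):
        print(f"line {line_no}: {proto} enabled [{severity}]")
```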
Browser Security Indicators Are Changing
Phase 3 of Google’s plan to change the security indicators for websites with SSL takes effect in July 2018. All HTTP websites from this date will be marked ‘Not Secure’.
On mobile the (i) icon will remain.
Apple has changed the way that EV Certificates are shown in Safari. The new look now includes just the domain name for the website instead of the company name. In the image below, the left is what it used to look like and the right shows how it looks today.
The left hand side is what the UI looks like now, the right hand side is what it will look like.
Other Browser Updates
TLS 1.3 support
On May 9, 2018, Firefox released version 60 of the browser, which has draft-23 of the TLS 1.3 specification on by default. Chrome 66 also added support for draft-23 of TLS 1.3. Other major browsers still do not support TLS 1.3. Draft-28 was approved by the IETF on 21st March 2018.
Distrust of Certificates from Symantec root
Firefox 60 no longer trusts certificates issued before June 2016 with a Symantec root and Chrome applied a similar update in version 66 in April (and Apple will be doing the same this summer). Both Google and Mozilla plan to release updates in October 2018 that will then distrust all remaining Symantec-issued certificates. Apple is also planning a similar update.
According to Netcraft, there are a total of 436,000 Symantec certificates left, 168,000 valid on or after 16th October 2018 and 6,500 issued before June 2016. Apple also plans to distrust Symantec certificates issued before June 1, 2016 or after December 1, 2016. Certificates issued between June 1, 2016 and December 1, 2017 will be trusted if they comply with the Google CT policy. Full distrust is coming later.
Viewing Certificate Details in Edge
Microsoft Edge announced that they will be bringing a new feature into the Windows 10 update that will allow you to view certificate details within the browser – finally!
What’s In Store for Next Quarter?
Much preparation is being done to complete the distrust of Symantec’s root, so if you know of anyone who will be affected, now is the time for them to start getting their roots changed over. Spread the news!
After the next Google update it will be interesting to see how the stats for encryption of internet traffic change. I predict a lot of people will see the ‘Not Secure’ sign and all CAs will be busy trying to ensure the last group of domain owners complete their move to HTTPS.