The first three months have whizzed past and the cybersecurity industry has seen its fair share of news in that time. That’s why I think it’s appropriate to end the first quarter with a friendly update on the biggest SSL changes.
By sharing these updates with our valued customers and readers, I hope this will strengthen the knowledge of current certificate practices and sharpen the senses when it comes to purchasing and managing digital certificates.
ACME TLS-SNI-01 Validation Method Vulnerability
On January 9, 2018, Let’s Encrypt published a report on a vulnerability they discovered with the ACME TLS-SNI-01 validation method that could allow users on shared hosting or CDNs to obtain certificates for domains they don’t control when the domain resolves to the same IP address as a domain the attacker controls.
Let’s Encrypt quickly disabled the method, initially as a temporary measure, but after learning that the software of many other hosting providers might be affected, they decided to disable it permanently for most new issuances.
We also used a domain validation method similar to TLS-SNI-01 and when the ACME vulnerability was announced, we also immediately disabled it.
In the end, both Methods 9 (domain validation using a test certificate) and 10 (TLS-SNI-01) are no longer permitted unless Google-approved mitigations have been put in place. The standards groups are busy working on TLS-ALPN-01 to replace TLS-SNI-01.
Domain Validation Methods 1 and 5 Removed
Google has been reviewing some of the manual Domain Validation methods and recommending to the community that they be removed, with an effective date as early as April 2018. Their belief is that these manual methods, as they existed, were weak and prone to failure.
Ballot 218 was introduced into the CA/B Forum for removal of validation methods 1 and 5 with an effective date of August 2018, which provided CAs sufficient time to remove these methods from their validation practices and re-validate all domains using another method. There was great debate at the Validation Summit on March 6th, the first day of the CA/Browser Forum face-to-face meeting in Reston, VA, on how to define manual domain validation methods with sufficient security. We may see the introduction of an improved manual method in the future, since some CAs relied heavily on these methods.
The End of Three Year Certificates
Effective March 1, 2018, the CA/B Forum baseline requirements reduced the maximum validity period for SSL/TLS Certificates to 825 days (or 27 months). From February 26, 2018, GlobalSign ceased to issue three year publicly trusted SSL Certificates in accordance with this new policy.
If you require longer validity periods, GlobalSign offers IntranetSSL (non-publicly trusted SSL certificates) that can be issued with validity periods up to 5 years.
Read our previous blog post for more information about why validity periods were reduced.
Mandatory Certificate Transparency (CT) is Coming in April
Google is mandating compliance with their CT Policy by April 30th. In the interest of safety and security on the internet, they mandate the public logging of SSL Certificates to Certificate Transparency logs. Every SSL certificate issued after April 30th, 2018 must comply with the Google CT Policy or it won’t be trusted by Chrome. Any certificate issued prior to this date will be trusted.
GlobalSign has updated their entire SSL product line to be compliant with the Google CT policy. EV certificates have been compliant since January 1, 2015, DV and AlphaSSL since August 30th, 2016 and OV since November 6th, 2017.
To learn more about CT, check out our overview post.
Last Chance to Update Symantec Certificates
Some key dates in the Google plan to distrust Symantec Certificates (including Thawte, GeoTrust and VeriSign) are rapidly approaching. There are two particular deadlines you should be paying attention to.
- Symantec-branded certificates issued prior to 1st June 2016 will not be trusted as of Chrome 66, scheduled for April 2018, and they will not be trusted in Firefox 60, scheduled for 9th May 2018.
- ALL Symantec-branded certificates issued prior to December 1, 2017 will stop working in Chrome 70 planned for October 2018.
According to TechTarget, the first release will render as many as 11,000 certificates untrusted, while the October release could render a whopping 91,000 certificates untrusted. If it feels like the deadlines are getting too close for comfort, it’s probably because they are. But don’t fret: if you’re worried about the number of Symantec certificates you have, check out our Certificate Inventory Tool to find all certificates you own and get them changed over to GlobalSign.
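The three date-driven rules above (the 825-day maximum validity from March 1, 2018, Chrome's CT requirement for certificates issued after April 30, 2018, and the two Symantec distrust cut-offs) are exactly the kind of thing to run automatically over a certificate inventory rather than check by hand. The following is an added example, not GlobalSign's Certificate Inventory Tool or any other GlobalSign code; it assumes inventory records are plain dicts with `subject`, `issuer_org`, `not_before`, `not_after` and `has_scts` fields (a hypothetical export format), and the sample inventory is constructed for illustration.

```python
"""Policy audit for a certificate inventory (added example, stdlib only).

Encodes the dates quoted in the post:
  * maximum validity of 825 days for certificates issued from March 1, 2018
  * Chrome requires CT compliance for certificates issued after April 30, 2018
  * Symantec-branded certificates (Symantec, Thawte, GeoTrust, VeriSign) issued
    before June 1, 2016 are distrusted in Chrome 66 / Firefox 60; those issued
    before December 1, 2017 are distrusted in Chrome 70.
Inventory records are assumed to be dicts in a hypothetical export format.
"""
from datetime import date

MAX_VALIDITY_DAYS = 825
MAX_VALIDITY_EFFECTIVE = date(2018, 3, 1)
CT_REQUIRED_AFTER = date(2018, 4, 30)
SYMANTEC_BRANDS = ("symantec", "thawte", "geotrust", "verisign")
SYMANTEC_FIRST_CUTOFF = date(2016, 6, 1)    # Chrome 66 / Firefox 60
SYMANTEC_SECOND_CUTOFF = date(2017, 12, 1)  # Chrome 70


def validity_days(not_before, not_after):
    """Validity period in whole days."""
    return (not_after - not_before).days


def exceeds_max_validity(not_before, not_after):
    """True if a cert issued under the 825-day rule is too long-lived.

    Certificates issued before the rule took effect keep their original
    validity, so they are not flagged here.
    """
    if not_before < MAX_VALIDITY_EFFECTIVE:
        return False
    return validity_days(not_before, not_after) > MAX_VALIDITY_DAYS


def ct_required(not_before):
    """True if Chrome requires CT compliance (SCTs) for this issuance date."""
    return not_before > CT_REQUIRED_AFTER


def symantec_distrust(issuer_org, not_before):
    """Return the browser release that distrusts the cert, or None."""
    org = issuer_org.lower()
    if not any(brand in org for brand in SYMANTEC_BRANDS):
        return None
    if not_before < SYMANTEC_FIRST_CUTOFF:
        return "Chrome 66 / Firefox 60"
    if not_before < SYMANTEC_SECOND_CUTOFF:
        return "Chrome 70"
    return None  # issued on the replacement infrastructure; no distrust date


def audit(cert):
    """Return a list of human-readable findings for one inventory record."""
    findings = []
    nb, na = cert["not_before"], cert["not_after"]
    if exceeds_max_validity(nb, na):
        findings.append(
            f"validity of {validity_days(nb, na)} days exceeds {MAX_VALIDITY_DAYS}")
    if ct_required(nb) and not cert.get("has_scts", False):
        findings.append(
            "issued after April 30, 2018 without SCTs: Chrome will not trust it")
    release = symantec_distrust(cert["issuer_org"], nb)
    if release:
        findings.append(f"Symantec-branded cert distrusted as of {release}: replace it")
    return findings


def audit_inventory(inventory):
    """Map each subject name to its list of findings (empty list means OK)."""
    return {c["subject"]: audit(c) for c in inventory}


# Constructed sample inventory for illustration; these are not real certificates.
SAMPLE_INVENTORY = [
    {"subject": "www.example.com", "issuer_org": "GlobalSign nv-sa",
     "not_before": date(2018, 3, 15), "not_after": date(2020, 6, 17), "has_scts": True},
    {"subject": "shop.example.com", "issuer_org": "GeoTrust Inc.",
     "not_before": date(2016, 2, 10), "not_after": date(2019, 2, 10), "has_scts": False},
    {"subject": "api.example.com", "issuer_org": "Symantec Corporation",
     "not_before": date(2017, 8, 1), "not_after": date(2019, 8, 1), "has_scts": True},
    {"subject": "intranet.example.com", "issuer_org": "Example Issuing CA",
     "not_before": date(2018, 5, 2), "not_after": date(2021, 5, 2), "has_scts": False},
]

if __name__ == "__main__":
    for subject, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{subject}: {'; '.join(findings) if findings else 'OK'}")
```

The brand match on the issuer organization is deliberately loose (a case-insensitive substring check) so that "GeoTrust Inc." and "Symantec Corporation" are both caught; a real inventory tool would key on the issuing CA's certificate rather than on a name string, and would read the SCT presence from the certificate's extensions rather than from an export flag.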
TLS 1.3 Is Coming!
On December 6, 2017, Google Chrome 63 was released, which enabled TLS 1.3 for Gmail. This is the first stable release where Chrome has supported TLS 1.3 since they have been experimenting in beta.
Since 2014, the IETF and the security community have been working hard to document and test incremental drafts of TLS 1.3 that are secure and backward compatible. The list of changes per draft keeps getting smaller as they move to formalize the RFC soon, and we look forward to the improvements in TLS 1.3!
Trustico and DigiCert Revoke More than 20,000 Certificates
If you haven’t already caught the news, the tail end of this quarter saw Trustico’s CEO email over 20,000 customers’ private keys in a ZIP file to DigiCert in an attempt to have the certificates revoked. It is unclear exactly why this was done. Some suggest it was an attempt to leave the DigiCert root and move over to Comodo, but this could have been done without revocation.
This story only highlighted the need for more control over, and visibility into, the activities of CA partners. GlobalSign’s compliance team quickly created and sent a survey out to all partners to find out about their practices regarding private keys, and we will be looking at our partner contracts and training programs to better educate partners about security practices.
This is a vital next step in PKI. If partners cannot adhere to the strict standards we set for ourselves, they should not be able to resell SSL Certificates.
What’s In Store for Next Quarter?
We’re off to a great start already and I expect we’ll have even more to report next quarter. We will find out what happens when Chrome starts enforcing CT and we’ll see the impact when the first batch of Symantec certificates are no longer trusted. We’re also sure to see some improvements in Domain Validation methods coming out of the Validation Summit.