Someone from a major aerospace manufacturer asked me for some cybersecurity assistance a few months ago. A security audit had resulted in a worrying but mystifying warning about SSL certificates. Their secure web site would cease functioning in just a few days. We fixed that, but similar deadlines are approaching over the next two years for anyone using HTTPS.
Google has announced that they will soon rank HTTPS pages higher in search results. Everyone wants to appear high in the results. So, many organizations are moving to HTTPS across their web sites, not just those pages with obvious security concerns.
In order to maintain your SSL/TLS certificates, you must monitor two things.
First, certificate expiration.
Second, up-to-date cryptography and protocols.
Certificate authorities want to make money. We would expect them to contact you. After all, they want to keep customers happy and sell more certificates. But we can’t simply trust them to catch everything.
The problem is that some things have been changing faster than certificates roll over. Google, Mozilla, and Microsoft stopped supporting certificates based on SHA-1 between January and March 2017. A lot of sites used certificates based on SHA-1/RSA digital signatures. Those certificates were still valid according to the calendar. However, the Chrome, Firefox, Explorer, and Edge browsers no longer honored those certificates.
Another organization I work with was caught unaware. Things were worse for them. Many of their processes were tied into IBM Notes. They were running an older version that could not handle digital signatures based on SHA-256. They could quickly upgrade the certificates, but they couldn’t use them in their web sites. That is, not until they had migrated everything to a newer version of Notes.
The next big deadline was September 7, 2017. That’s the date that Certificate Authority Authorization or CAA must be supported by CAs (or Certificate Authorities). Qualys has a good explanation. They compare CAA and HPKP (or HTTP Public Key Pinning), and show that CAA requires just one DNS record.
Then, after March 2018 new SSL certificates from all CAs will be limited to a maximum validity of 825 days. A bigger hurdle arrives one month later.
In April 2018 Google’s Chrome will require Certificate Transparency or CT. Users and domain owners can spot inappropriately issued certificates. We can identify CAs that maliciously go rogue, or who simply make errors.
Google announced that they will require CT. But by the time the deadline arrives, all browsers will.
Check your own public-facing servers at Qualys SSL Labs. They’re the de facto SSL/TLS authorities on the Internet. Their reports clearly explain what you need to fix.
Your Internet-facing servers use certificates from a public CA. Work with them. Plan your transition well ahead of time.
If you maintain an in-house Public-Key Infrastructure (or PKI), you still have to satisfy browser requirements. That means staying on top of developments.
Learning Tree’s System and Network Security Introduction course has an introduction to certificate and trust issues. The Identity Management course gives you hands-on exposure to PKI technical components.
Also keep an eye on the CA/Browser Forum. It’s a group of CAs plus vendors of browsers and other applications that use X.509 digital certificates. They make the decisions and announce the transition timelines.