2022-01-22
Modern public TLS is a quite different thing than it used to be
If you're not deeply involved with TLS, it probably seems that the state of public TLS today is much the way it used to be a decade ago, or even five years ago, including things like the fundamental problem with TLS on the web (which is that your browser trusts a ton of Certificate Authorities). This is not actually the case, for at least three reasons. Two of them are logistical changes, while the third is a dramatic change to the security of TLS in practice.
The first logistical change is that Let's Encrypt has made fully valid TLS certificates both widely available and free. In the process it's dragged other Certificate Authorities toward this model. I suspect that TLS certificates being free and widely available has made browser vendors much more willing to get strict on (other) Certificate Authorities, because limiting or deprecating other CAs no longer necessarily leaves site operators in a big pinch. The second logistical change is that Let's Encrypt's short certificate lifetimes have driven people to automate TLS certificate changes. This automation isn't perfect today, but it's a vast improvement from what it used to be.
(Let's Encrypt has also forced everyone to be honest about how much validation is actually done for ordinary TLS certificates, which is "not much". I doubt that this has changed people's perceptions about what a TLS certificate means, though.)
The dramatic change to the practical security of TLS is TLS Certificate Transparency, where the browser vendors require Certificate Authorities to publish information about all of their TLS certificates. A decade ago, the problem with TLS (and thus with HTTPS) was that any CA could issue a TLS certificate for any site and not get caught at it most of the time. This issuance might be because of a mistake, because the CA was compromised, or because an entity with sufficient power over the CA ordered them to do so.
In theory all of this is still possible today, because Certificate Authorities are no less vulnerable to mistakes, attackers, or state pressure. However, in practice, Certificate Transparency makes the issuance of a bad certificate a high stakes thing, especially if the website in question does things like publish restricted CAA records. A TLS certificate issued without being in the CT logs is both a smoking gun of CA misconduct and increasingly useless, since browsers increasingly only accept CT-logged TLS certificates. A TLS certificate issued and in the CT logs is exposed to public scrutiny and potential immediate alerts, and it's extremely non-deniable on the part of the CA. This is a big practical improvement in TLS security, just as blocking passive eavesdropping by switching to HTTPS is a big change.
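As an added illustration (not part of the original post), this is the kind of check a site operator's CT monitor can run: compare each logged certificate name against the site's published CAA policy, using the RFC 8659 lookup rules. The CAA records, CT entries and the identifiers ca.example and other-ca.example are constructed, and mapping a certificate's issuer to its CAA identifier is assumed to happen upstream.

```python
# Constructed CAA RRsets keyed by owner name, as (tag, value) pairs.
CAA = {
    "example.org": [("issue", "letsencrypt.org"), ("issuewild", ";")],
    "shop.example.org": [("issue", "ca.example; account=1234")],
}

# Constructed CT entries: (logged DNS name, CAA identifier of the issuer).
# Assumption: mapping an issuer DN to its CAA identifier is done upstream.
CT_ENTRIES = [
    ("www.example.org", "letsencrypt.org"),
    ("www.example.org", "other-ca.example"),
    ("*.example.org", "letsencrypt.org"),
    ("pay.shop.example.org", "ca.example"),
    ("pay.shop.example.org", "letsencrypt.org"),
    ("www.example.net", "other-ca.example"),
]

def relevant_rrset(name, caa):
    """Climb from the name toward the root; the first CAA RRset found wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":          # wildcard names start at the parent
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = caa.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def allowed_issuers(name, caa):
    """Set of permitted CA identifiers, or None when CAA does not restrict."""
    rrset = [(t.lower(), v) for t, v in relevant_rrset(name, caa)]
    tags = {t for t, _ in rrset}
    # issuewild, when present, replaces issue for wildcard names only.
    tag = "issuewild" if name.startswith("*.") and "issuewild" in tags else "issue"
    if tag not in tags:
        return None
    # Drop parameters after ';'. An empty identifier authorizes no CA.
    values = (v.split(";")[0].strip().lower() for t, v in rrset if t == tag)
    return {v for v in values if v}

def audit(entries, caa):
    """Return (name, issuer, allowed) for every entry that violates CAA."""
    checked = ((n, i, allowed_issuers(n, caa)) for n, i in entries)
    return [(n, i, sorted(a)) for n, i, a in checked
            if a is not None and i.lower() not in a]

if __name__ == "__main__":
    for finding in audit(CT_ENTRIES, CAA):
        print("ALERT", finding)
```

CAA is evaluated by the CA at issuance time, so a mismatch can also mean the CAA records changed after the certificate was issued; either way it is a certificate worth investigating.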
A meta-level change is that the browsers are now in charge of TLS. In a way they always were, but now there are fewer of them than there used to be and they understand their power more and are more willing to exercise it. This is an important change in its own right because browsers don't care about how much money Certificate Authorities make or don't make.
All of this means that modern public TLS is a much safer place in practice than it used to be. Someone else getting a TLS certificate for your site is not necessarily harder than it used to be, but it's more risky and thus expensive, and thus much less likely to be done or to happen.
(If you're running a website, it's cheaper and usually much easier to get and manage TLS certificates than it used to be. We went from TLS certificates being various sorts of headaches to them being something we don't even think about.)