Root Causes 33: Prepare for One-Year Limits on SSL Certificates
The CA/Browser Forum faces a proposed ballot to limit the maximum duration of an SSL certificate to 13 months. Even if this ballot fails, browsers such as Google Chrome have the ability to simply distrust certificates of longer duration, creating the same de facto situation. Our hosts discuss the trend to shorter certificates, the pluses and minuses of decreased maximum term, and automation as the only solution to fill the gap.
- Original Broadcast Date: August 18, 2019
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
We’re here today to talk about maximum certificate duration and SSL certificates. A little background for the listeners, is that there’s a new proposal from Google, in the CA/Browser Forum, that would limit the potential allowable duration of a certificate to 13 months. So, 1 year and a little bit of extra time so you can get your cert switched out. This proposal is now going to move to ballot and be voted on. It is possible that the CA/Browser Forum will vote to limit us to one-year certificates.
-
Jason Soroko
It seems to me that it is trending towards fewer and fewer years. We were talking a while back about certificates that were 6 years going down to 3 and now, what is it now? Down to 2. Is that right, Tim?
-
Tim Callan
Yes, it used to be once upon a time, whatever the CA wanted to do. And in that timeframe, you absolutely could go out and buy at least a 6-year cert. There were some discussions and questions about, ‘how long is too long?’, and ‘what are the various potential vulnerabilities that come?’. When the CA/Browser Forum started to establish baseline requirements, they limited certificate duration and took us down to 3 years for SSL and then 2 years for extended validation. So, an EV cert couldn’t be more than 2 years long. Then, in a ballot in 2018, 3-year certs became no longer possible to sell. So, there are still 3-year certs in the market, but you couldn’t buy a new one. We went down to 2-year certs in that timeframe, and now the current ballot would take us down to one-year certs starting in March 2020.
-
Jason Soroko
And Google’s argument for doing this is?
-
Tim Callan
There are a few arguments for doing this and they’re kind of connected. One is the idea that with any certificate, the longer it’s in the market, the more your potential vulnerability goes up. Hypothetically if on day zero somebody steals your key, then the shorter the certificate lifespan the more you limit the damage that can be done. That’s kind of a general philosophical argument to say shorter is better from a security perspective; all else being equal.
There’s also an idea of Crypto-agility. Probably the best and most famous example is when the Debian OpenSSL flaw came out there were lots and lots of certificates that had predictable keys. And under those circumstances, if those certificates had shorter lifespans there would’ve been less vulnerability. There would’ve been a shorter period of time before those got swapped out. If that person moved to a non-broken form of key generation then they would’ve had a non-vulnerable cert earlier.
The third argument is actually not very important, but some people like to harp on it; it’s this idea that domains and certificates are decoupled from each other. Meaning I could own a domain and I could get a certificate legitimately, that domain then could stop being my property because I sell it, or I don’t renew it. Now somebody else could take that domain and use it, but at the same time I would still own a certificate that in principle was a certificate for a domain I didn’t own. That idea is bothersome to some people, and to the degree maximum certificate lifespans are shorter, all of those factors are reduced.
-
Jason Soroko
I know that in IoT, where certificates are used for a number of reasons, having shorter certificate lifecycles is used as a replacement to the idea of revocation. Because of the fact that revocation can sometimes be difficult or impossible within the operational technology environment. So that works because of the specific constraints of IoT. Those same kinds of constraints don’t necessarily exist within web servers.
-
Tim Callan
Also, in an IoT or any kind of private PKI world, there’s flexibility on certificate duration. I could have a use case where I want my IoT certificates to live for a week or for a day, and I could have a different use case where I want them to live for 3 years, and that would be fine. In fact, I could have both kinds of certs living in my environment depending on what device they’re being used on. In our public SSL world we need to have some parameters and those parameters are universal and they apply to everybody.
-
Jason Soroko
If this gets passed, and it seems to be the trend for shorter certificates anyway. But if this does get passed, a common theme throughout a lot of our podcasts is outages due to lack of correct certificate management; this is just calling for more and more automation in my mind.
-
Tim Callan
Absolutely, and we can imagine it not being done here. So you and I talked about how it went from at least 6 years down to 3 years, down to 2. Let’s say it goes down to 1, does it stop there? ‘Do we get 180-day certificates?’; ‘Do we get 90-day certificates?’; ‘Do we get 30-day certificates?’ Where does it stop? Right now you might say, OK we’ve got a certain number of certificates, we’re managing them manually by spreadsheet, someone replaces them, I’ve got alerts set up and I was doing them once every 2 years. Now, I must do them once every year and that sucks, but I can live with it. Where do you stop being able to live with it? At 90 days you can imagine the whole thing just being much more draconian. This is where we need to say, you need to have a different way ultimately to deal with this.
-
Jason Soroko
Yeah that absolutely makes sense. There comes a diminishing return on what a shorter lifespan will get you.
-
Tim Callan
Yeah I think that’s a very important point. Let’s say if I go from 2 years to 1 year, then I have reduced the temporal attack surface by 365 days. In order to do that I have doubled the amount of administration someone needs to do in a 2-year time period. But now let’s say I take it from 1 year down to 6 months. So, in this case I’ve only reduced the attack surface by another 180-some-odd days. I haven’t gotten as much gain, but I have once again doubled the administration requirement. Let’s say we take it from 6 months to 3 months, now I’ve reduced the attack surface by 90 days. The benefits I'm getting are going down, but I once again have doubled the administration overhead. You do need to balance those two things against each other.
-
Jason Soroko
I live more in the private world than the public. Although, the public is of a lot of interest to me obviously. Is this based on studies? To me phishing is the big attack that we should all be worried about right now. None of this is solving any of that.
-
Tim Callan
There’s not a lot of empirical research behind this. It’s more based on people with their opinions about what is good PKI hygiene. There has been some research around this concept of the disconnection of domains and certs, and this idea of ‘Zombie certs’: I get a cert for a domain, then, I give up the domain but I still have the cert. Like I said, this is worrisome in some corners. I just struggle to understand what the real pragmatic attack is here.
First of all, I’ve never seen evidence of any real attack being dependent on this fact, and I don’t even know how you’d go about engineering that attack. I'm going to get a domain name; I'm going to buy a 2-year cert; I'm going to go sell that domain name to my intended target. Then they’re going to put something valuable on it, and I'm going to go do a DNS poisoning attack so I can man-in-the-middle them, and use my cert. Like, it isn’t going to happen. It’s not reality.
-
Jason Soroko
It kind of reminds me of a house, and some academic is trying to show you how a burglar would break in. Maybe the better way of learning how the bad guy operates is to actually watch a burglar.
-
Tim Callan
So, this doesn’t really happen. This was done by some students and I'm sure they got their PhDs for it; it’s original research, and they deserved it, but at the end of the day, there isn’t really a pragmatic attack here that anybody has identified. So, that one I declare not a legitimate concern. I understand that it’s a real thing that does happen. But it’s not really a problem we need to be accounting for.
Then the other ideas are things we talked about, ‘what if your key gets compromised?’ and ‘What if you need more crypto agility than we have?’ Those are thought experiment kind of arguments.
-
Jason Soroko
I'm going to try and represent the average CISO, Director of IT person now: ‘This is all great. Glad that you academics are writing papers and getting PhDs, but you’ve caused me some work here.’
-
Tim Callan
That’s the argument on the other side, which is, ‘look, I'm the CISO of a major bank, I'm a big boy, I know as much about security as you do and I should make these decisions for myself.’ And ‘if I want one-year certs, I can have one-year certs.’ There’s a lot of validity to that argument, however, that might not be in that CISO’s realm of choice anymore. This is where we kind of come back to what you were talking about with automation. This is where the need for automation just continues to increase, as we see the expected allowable duration of our public certificates continue to decline.
-
Jason Soroko
Yeah because the attack might be pie in the sky, but the risks of outages are real.
-
Tim Callan
Absolutely. Whether or not you feel that attack factor or that risk vector is very high or very low on the duration of your certificates, doesn’t really matter if you can’t get them. At that point it’s a purely academic conversation and you and your other CISO buddies sit around and have this conversation over a beer, but at the end of the day if you can only get one-year certs, you can only get one-year certs. Under those circumstances, you better have an automation plan in place, or you are going to double your workload and double your risk of an outage if you don’t have automation.
-
Jason Soroko
Maybe in a future podcast Tim, we can bring in a guest who’s a real practitioner of these things, to talk about how things have changed. Because I think sometimes the average listener of this might’ve set up a web server in their life, and therefore think they understand how things are typically done. With the advent of content delivery networks, load balancers, and hybrid Cloud, there are so many places where I need to put my cert.
We need to have a future podcast about this. Just in terms of where all these certificates need to go, how to time them correctly, how to avoid outages, and talk about what automation really means to a modern practitioner in a complex environment. It’s not just me and my web server anymore.
-
Tim Callan
This is not your father’s server floor anymore, and absolutely that is a great perspective we should have on this. So listeners, send us an email; you can email me directly [email protected] and let us know if you are interested. We’d love to get some working managers, working practitioners on this podcast.
We’ll keep an eye on what happens and ultimately will let you know if it does go down to one year or not. But even if it doesn’t go to one year now, clearly there’s pressure to shorten the duration of a certificate. If we don’t go to one year in this vote, you can bet that it’s going to come up again. One thing I’ll say is, you’re never going to see allowable certificate durations get longer. By the way, I wasn’t being facetious before, I do not predict this stops at one year. I think after one year gets implemented and is the universal standard that there will be voices that are calling for these certificates to get shorter than that. Let’s Encrypt by way of example, they’re all 90-day certificates and there are plenty of people who claim that all SSL certificates should be 90-day certificates. In that kind of environment, how are we going to get this done without being heavily dependent on automation? I think we’re not.
-
Jason Soroko
For anybody listening who’s thinking about trying to do academic work on a PhD, that would be one heck of a PhD that would capture a lot of attention: ‘Is there a sweet spot?’ What, are we going down to one-second certificates? That’s an exaggeration but I’m trying to make the point of, what is the sweet spot that takes everything into account?
-
Tim Callan
I’d love to explore that topic, I’d love to hear other opinions on that, I’d love to get some research on that because I think it’s a tough one. There is a risk of ‘PKI people’, who do this for their whole careers, getting a little insular and becoming ivory towered. Understanding what’s really happening on the street in the real world is a critical part of making these decisions correctly.
-
Jason Soroko
That’s why I say, I think we have to talk to practitioners here, because their voices aren’t being heard right now.
-
Tim Callan
Thank you for discussing this with me Jay. It’s an important trend and I'm glad we talked about it.