Review of major SSL / TLS events of 2020

Feb 1, 2021, 09:49 AM by Riaan De Villiers
In this blog post, LAWtrust examines the important SSL / TLS events during 2020. We will also take a look at what lies ahead for 2021.

Welcome back to the LAWtrust blog.

For our first series of blogs this year we will look at SSL / TLS certificates. Based on Public Key Cryptography, SSL / TLS certificates are used to digitally identify users and machines connected to the Internet and other networks.

Websites use SSL / TLS certificates to identify themselves to the users logging on to the site. The certificate is also used to encrypt data between the user and the website.

In this series we will cover:

  • A review of important events that happened during 2020.
  • Why SSL is important to your website and your organization.
  • How SSL certificates work.
  • Demstifying SSL terms.

Website protected with SSL certificate.
The LAWtrust website is protected with a TLS / SSL certificate.

Review of 2020

During today’s post we will look at important SSL / TLS related events that happened during 2020 and take a peek at what we may expect from 2021.

398-day certificate expiry period

Last year, Apple announced that SSL/ TLS certificates must not have a validity period of greater than 398 days. Not long after Apple, Google and Mozilla announced that they will also start rejecting SSL / TLS certificates with a lifespan that violates the new policy.

From a security standpoint – the longer an SSL /TLS certificate’s lifespan, the more likely it is that the certificate can be compromised and create a security risk. Mozilla explained the move further: “[it] will bring numerous security and privacy benefits: certificates using outdated or weak algorithms will be phased out faster, there will be fewer disruptions, and exposure diminished. Furthermore, certain impersonation attacks will likely be mitigated this way.”

Not everybody was happy with this decision since having to issue SSL certificates more often will place an additional administrative burden on their organisation.

HTTPS only mode

During 2020, Firefox version 83 introduced an HTTPS-Only mode.

Most websites these days protect their traffic with an SSL / TLS certificate, however, there are still some websites that do not have this protection.

When connecting to a website without SSL / TLS protection, all the data from the user’s computer travels unprotected across the internet to the website.

When Firefox’s HTTPS-Only mode is switched on, Firefox will automatically upgrade web connections to secure connections where possible. If it is not possible to upgrade the connection, Firefox will display a message to the user that their connection is not secure. It is up to the user to then decide to continue to the unsecured website or not.

TLS 1.0 and TLS 1.1 depreciated

There are currently four versions of the Transport Layer Security protocol (TLS): v1.0, v1.1, v1.2 and v1.3.

Version 1.0 and v1.1 are more than a decade old and has known security vulnerabilities and support bad cryptography algorithms that can be exploited by attackers.

To protect users against attacks on these older versions, Microsoft, Apple, Mozilla and Google have announced that during 2020 they will stop supporting the older protocols.

Should a user connect to a website that does not support the newer versions of TLS, the browser will display a message that a secure connection failed.

Security engineers recommend that you disable TLS 1.0 and 1.1 on your webserver to protect your users.

What is instore for 2021?

Shorter certificate lifespans

In 2020 it was announced that certificate lifespans are reduced to 398 days, however, the effect will be felt during 2021.

System administrators and tech teams will have to manage the roll-over and may be lacking the tools to manage the process effectively. Many teams might start looking at certificate automation tools to assist with the management of their certificates at an enterprise level.

Crypto-based exploits using code signing, SSH and TLS certificates

For convenience, system administrators generate their own certificates rather than getting their certificates from trusted Certificate Authorities. The result is that in some organisations, they have more certificates than they need and they cannot track where those certificates are located.

If any of these certificates fall into the wrong hands it could potentially be misused and provide attackers with a backdoor into the organisation.

For 2021 we can expect to see the rise in attacks exploiting misused certificates.

If you are unsure what certificates are floating around in your organization, LAWtrust can assist you to detect and manage the certificates.

Feel free to contact LAWtrust today for a consultation.