HTTPS killed HTTP
After July 23rd, any website not running HTTPS with a valid Digital Certificate will show a “Not Secure” warning in the Chrome address bar. Google’s browser, which holds about 60 per cent of the browser market, is taking the lead in bringing more cybersecurity to everyone, and this is good news. Other browsers will follow. HTTPS, the secure protocol for accessing a website, relies on cryptographic protocols, TLS or its predecessor SSL, to ensure:
– No one has read your communication;
– No one has changed your communication;
– You are communicating with the intended website.
Well, we are talking about trust, and in the cybersecurity community TLS and SSL are not really synonymous with trust, given the many vulnerabilities that have affected their implementations. But the other good news is that the Internet Engineering Task Force, the main Internet standards organization, released the final specification of TLS v1.3 in August 2018. This new version brings many security and performance improvements and removes obsolete and insecure features of the previous versions.
However, securing the communication of a website is not as simple as it could be. Let’s have a look at the current best practices. Two main things bring confidence in securing website communication: the Digital Certificate and the way the flow of communication is secured.
Digital certificate, the digital identity of a website
A Digital Certificate serves the same purpose as a passport does in everyday life.
A passport is a link between the information printed on it and a person, and this link has been established by the country that issued it. In the digital world, the Digital Certificate is the link between a website and an organization, and this link has been verified by a trusted authority, known as a Certificate Authority.
Thus, when you visit a website over HTTPS, the website sends your browser its Digital Certificate to prove its identity. Several checks then have to be made before it can be trusted.
One of the most basic controls is to check the temporal validity of the Digital Certificate. It’s like when you cross a border and the customs officer checks that your passport has already been issued and has not yet expired. A Digital Certificate also carries creation and expiration dates: the current date must be later than its creation date and earlier than its expiration date.
The Digital Certificate presented by the website must include the website’s address, to ensure that the client is talking to the correct website. It’s like the postman who, when delivering a letter, makes sure the recipient’s name is displayed on the mailbox. For example, the Digital Certificate presented by the website ‘www.qwant.com’ must include that name.
Approval by trusted authorities
When a Digital Certificate is issued, it is signed by a Certificate Authority; in other words, the passport has been verified by the issuing country. Browsers recognize a list of trusted Certificate Authorities, and cryptographic processes establish that the Digital Certificate has been signed by one of them. So, basic practice is to ensure that a Digital Certificate has been signed by a Certificate Authority trusted by the main platforms (Windows, Apple, Mozilla, Java).
Revocation of Digital Certificate
During its lifetime, a Digital Certificate may be revoked before its scheduled expiry date, after which it should no longer be considered reliable. Browsers check whether the Digital Certificate has been revoked, just as a policeman checks whether your driving licence has been revoked. Although there are several methods to check revocation status, so far none of them provides a 100% guarantee. However, current best practice recommends:
– The Digital Certificate should carry a flag stating that an attestation of its revocation status is required; this flag is called Online Certificate Status Protocol (OCSP) must-staple;
– Along with the Digital Certificate, the website shall provide an attestation of its current revocation status, signed by the Certificate Authority; this mechanism is called OCSP Stapling.
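As an added example that is not part of the original article, the temporal validity and hostname checks described above, plus a check that an OCSP responder is advertised, applied in Python to a certificate in the dict format returned by the standard library’s ssl getpeercert(). The sample certificate, its dates and its OCSP URL are constructed for this illustration.

```python
import ssl
import time

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# it is not a real certificate and the OCSP URL is a placeholder.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.qwant.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jul 24 00:00:00 2018 GMT",
    "notAfter": "Oct 22 23:59:59 2018 GMT",
    "subjectAltName": (("DNS", "www.qwant.com"), ("DNS", "*.qwant.com")),
    "OCSP": ("http://ocsp.example-ca.invalid",),
}

def hostname_matches(pattern, hostname):
    """True if a DNS name from the certificate covers the requested hostname.
    A wildcard stands for exactly one leftmost label (RFC 6125 rule):
    *.qwant.com covers api.qwant.com but not qwant.com or a.b.qwant.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        h_labels, p_labels = hostname.split("."), pattern.split(".")
        return (len(h_labels) == len(p_labels) and h_labels[0] != ""
                and h_labels[1:] == p_labels[1:])
    return False

def check_certificate(cert, hostname, now):
    """Apply the checks at time `now` (seconds since the epoch, UTC) and
    return a list of findings; an empty list means the checks pass."""
    findings = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    # Browsers match the hostname against subjectAltName DNS entries, not the CN.
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in dns_names):
        findings.append("hostname %s not named in certificate" % hostname)
    # getpeercert() exposes the OCSP responder URLs but neither the must-staple
    # flag nor the stapled response, so only the responder's presence is checked.
    if not cert.get("OCSP"):
        findings.append("no OCSP responder advertised")
    return findings

if __name__ == "__main__":
    # Checked against the real clock, the 2018 sample certificate reports "expired".
    print(check_certificate(SAMPLE_CERT, "www.qwant.com", time.time()))
```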
In the digital world, when it comes to trust, cryptography is everywhere, and this is also the case here. A Digital Certificate includes a cryptographic element and the signature of the Certificate Authority. Both must use robust cryptography, just as banknotes use reliable security threads.
Nowadays, industry recommendations for the cryptographic element are:
– An RSA algorithm with a key length of at least 2048 bits;
– An Elliptic Curve algorithm with a key length of at least 256 bits.
With regard to the signature of the Certificate Authority, Mozilla maintains a set of recommendations of robust cryptographic algorithms.
After all these checks, we have a good level of confidence that the certificate can be trusted. But they all rest on one crucial assumption: the Certificate Authority that issued the Digital Certificate has not been hacked. Otherwise, a malicious Digital Certificate could be issued and all the previous checks would pass.
Ensuring that a Certificate Authority has not been hacked is practically impossible, so greater transparency around the issuance of Digital Certificates is needed to cope with this risk. To this end, Google has released an open framework, Certificate Transparency, to monitor and audit the Digital Certificates issued by Certificate Authorities in near real time. Using this framework, some organizations monitor the issuance of Digital Certificates and provide additional attestations to ensure that everything is going well and to quickly invalidate Digital Certificates if needed.
On this basis, current best practices recommend checking these additional attestations, called Signed Certificate Timestamps. The first verification consists of making sure that the attestations have been issued by trusted authorities; web browsers use a list of trusted authorities for this purpose. But these authorities could also be hacked, so several attestations issued by distinct authorities are required. Google Chrome, for instance, applies such a policy to check compliance with Certificate Transparency.
Securing communication flow
In addition to the Digital Certificate, the second key point is how the flow of communication is secured. To put it simply, it’s like choosing how to send an object from point A to point B. For example, if you want to transfer gold bullion from your bank to another bank, you could secure the transport with a security agency or with the army, with young or experienced agents, armed to a lesser or greater degree. In the digital world, the variables are the protocol and the cryptographic algorithm.
As stated at the beginning, the protocol used by HTTPS is TLS, or its predecessor SSL. But there are several versions and some of them are no longer secure. Nowadays, the industry relies on the following protocols: TLSv1.1, TLSv1.2 and TLSv1.3. It is important to note that these protocols have no known security issues, but only the latter two provide modern cryptographic algorithms.
Thus, to secure the flow of communication, a website shall offer only the protocols listed above.
In addition, a website provides a list of cryptographic algorithms to secure the flow of communication, and one of them is selected by the website and the client’s browser according to those both can use.
The Open Web Application Security Project maintains a set of recommendations including cryptographic algorithms ranked as robust.
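As an added example that is not part of the original article, a client-side TLS configuration in Python applying the protocol and cipher guidance above, together with a small audit function that flags a context which does not meet it. The cipher string is an assumption chosen for this illustration, and the minimum version is set to TLSv1.2 because, as noted above, only TLSv1.2 and TLSv1.3 provide modern algorithms.

```python
import ssl

# OpenSSL cipher string (an assumption for this example): forward-secret ECDHE key
# exchange with AEAD ciphers only; anonymous, NULL, RC4, 3DES and MD5 suites excluded.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!RC4:!3DES:!MD5"

# Substrings that identify cipher suites no longer considered robust.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")

def build_client_context():
    """Client context applying the practices discussed above."""
    ctx = ssl.create_default_context()            # loads the platform's trusted CA list
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSL and TLSv1.0/1.1
    ctx.verify_mode = ssl.CERT_REQUIRED           # certificate must chain to a trusted CA
    ctx.check_hostname = True                     # certificate must name the website
    ctx.set_ciphers(STRONG_CIPHERS)               # offer robust algorithms only
    return ctx

def lax_client_context():
    """Context with the certificate checks switched off, built only so that
    audit_context() has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate, trusted or not
    return ctx

def audit_context(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol below TLSv1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    for cipher in ctx.get_ciphers():              # suites this context would offer
        if any(marker in cipher["name"] for marker in WEAK_MARKERS):
            findings.append("weak cipher offered: " + cipher["name"])
    return findings

if __name__ == "__main__":
    print("strict:", audit_context(build_client_context()))
    print("lax:", audit_context(lax_client_context()))
```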
Cybersecurity is essential to trust
Securing communication between a client and a website is key to trust. It used to be said that HTTPS, and especially its cryptographic protocols, was inefficient and suffered from security issues. But now, with modern cryptography, a new version of the protocol and better assurance about the Digital Certificate, we have more security and better performance. So there are no longer any red flags against deploying HTTPS massively.
At CYRATING, we apply the best practices described in this article to assess the website cybersecurity of every organization we rate. That’s why we have recently released additional controls to cover the whole picture.
Christophe Ternat, founder and President of CYRATING, Europe’s leading cybersecurity rating agency. Christophe helps companies secure their digital technologies and better manage their suppliers’ risks, by providing a comprehensive and simple picture of cybersecurity.
For further information, visit: