KeyChest Blog

"Apple strong-arms entire CA industry" ... what does it mean?

Jul 29, 2020 6:59:01 PM / by Dan

ZDNet recently reported an update on the shortening of HTTPS certificate lifetimes enforced by web browsers. What does it mean for you and for the internet?


I have mentioned the growing importance of HTTPS to the transparency and availability of the internet. While there is strong governance of domain name (DNS) management, HTTPS has stealthily grown in importance and in its potential power to limit our internet access.

While we have all applauded the increase in security provided by HTTPS, we have paid very little attention to its impact on the basic principles of the internet.

A decision that Apple unilaterally took in February 2020 has reverberated across the browser landscape and has effectively strong-armed the Certificate Authority industry.

Following Apple's initial announcement, Mozilla and Google have stated similar intentions to implement the same rule in their browsers. [ZDNet]

I believe this is about much more than just managing HTTPS. The browsers now have the power to decide which web sites are 'safe' to visit and which are not. They have created a new "DNS-like" system that allows them to control what we can see. What initially started as a warning that our data may be attacked has morphed into something that prevents us from visiting web sites that don't comply with the security requirements of a handful of web browser vendors.

I am certainly in favour of web security, but what we see today is that it takes one company to tell us what is "secure" and what is not. The main issue I see here is no or very limited accountability for this de facto access control enforced upon the whole of the internet.


HTTPS has become a new layer of the internet. First we needed a protocol: TCP. Then we built the DNS system so that we don't have to remember IP addresses and can use names instead. HTTPS is a new arrival, and it has the power to control our access to the internet by blacklisting certificate issuers, blacklisting individual certificates through revocation, or other mechanisms. Blacklisting an issuer has already happened: Symantec was blacklisted when it failed to comply with, or breached, a security standard required by Google.

The most recent Apple case shows how much power browser vendors have over certification authorities. When Apple says it will not recognise certificates valid for more than 13 months, everyone else has to listen and adjust.


Tags: https, risk management

Written by Dan