TLS Delegated Credentials is a new technology that was developed to address the certificate management problems that very high traffic websites may have. Here’s an example. With current TLS technology, a really high traffic website like Facebook or Google has to place a copy of its TLS certificate private key on each of its thousands of web servers around the world in order to provide continuous HTTPS service. If a certificate's private key is maliciously acquired by a cyber attacker, they could impersonate Facebook or Google servers for a few months to a couple of years. Given the very high amount of web traffic those sites generate, the impact of a man-in-the-middle attack could be immense and very expensive.
Although Public Key Infrastructure (PKI) is securing our online transactions, it can be very fragile too. From fraudulent Certification Authorities (CAs) to implementation errors that expose private keys, managing machine identities securely can present technical challenges.
CAs are responsible for the creation of machine identities and they dictate the lifetime of an issued certificate. Traditionally, end-entity certificates are long-lived, with lifetimes of more than one year. For multi-server operators and Content Delivery Networks (CDNs) such as Cloudflare, this can be problematic because of the potential trust placed in sensitive private key material.
Currently, existing TLS technology, such as typical implementations of TLS 1.2 and TLS 1.3, can work very well for websites and apps with moderate traffic. Depending on the type of validation the TLS certificate uses, it could have a lifespan of anywhere from a few months to a year.
Certificate management gets a lot more complicated when a website or web app gets many millions of hits per month. The most frequently used websites, such as Facebook, could possibly get a whopping billion hits per month! And if a cyber attacker maliciously acquires a certificate's private key, they can have unauthorized access to lots of web traffic for months or even years.
To limit exposure, a short-lived certificate would be preferable. However, constant communication with an external CA to obtain short-lived certificates could result in poor performance or even worse, lack of access to a service entirely.
Building the case for delegated credentials
To address these challenges, Facebook, Cloudflare and Mozilla have been working together to develop an extension to the TLS protocol, called delegated credentials. Delegated credentials are an extremely effective method for securing certificates and this extension is in the process of being adopted as a standard by IETF.
The reason why Facebook, Cloudflare and Mozilla teamed up is that they are all facing a common problem: SSL/TLS security on multiple web servers. In modern server deployments, a certificate could be deployed to thousands of servers, which could be distributed all over the world. It is important to ensure the security of the certificate to prevent potential attackers from gaining control of a certificate, which would enable them to perform a man-in-the-middle (MITM) attack on traffic to the server.
With the new TLS Delegated Credentials standard announced by Facebook, Mozilla, and Cloudflare in November 2019, very high traffic sites can deploy TLS private keys that last only a few hours across multi-server setups. Those types of websites can deploy Delegated Credentials for individual sessions instead of using their real, and riskier, TLS private keys.
If a certificate becomes compromised before it expires, the only option currently available to server operators is to revoke the certificate. However, certificate revocation does not work well for modern browsers. Revocation checking mechanisms such as Online Certificate Status Protocol (OCSP) may require browsers to speak to a certificate authority and can thus be blocked. They can also add latency to the establishment of the connection.
The other approach to minimizing the effects of certificate compromise is to reduce the validity of the certificates—this frees users from relying solely on revocation. The shorter the certificate lifetime, the less likely a certificate will need to be revoked before it expires. This boosts security by reducing the period during which a potential attacker could use a compromised certificate.
However, shortening certificate lifetimes is not always very practical. If we shorten the expiration time of a certificate, PKI teams will have to request and replace certificates from a CA much more frequently. If this process is not fully automated, it increases the possibility of failures. And you could be in real trouble if the certificate authority issuance process is offline for whatever reason. Reducing the certificate lifespan isn’t a solution that’s easy to implement in the real world.
How delegated credentials work
Delegated credentials allow a server to better balance this trade-off between security and reliability. A web server can be configured to generate a new delegated credential structure containing a public key and an expiration time, which can be as little as a few hours. It can then use the private key of its signed certificate (also known as a leaf certificate) obtained from a CA to sign the delegated credential. Since this delegated credential is generated and signed by the web server, it is not required to contact the CA every time a new delegated credential needs to be created.
Think of it this way. Real estate agents often use temporary realtor locks on the doors of the properties they’re selling, so they can show them to multiple prospective tenants per day by using a keypad code rather than having to carry the real physical keys for each property. If they sell a house or a condo apartment, they can remove the realtor lock and give the buyer the permanent physical key. A website that gets 100,000 hits per month could work just fine using the real TLS private key for each visitor's session. But if a website gets 500 million hits per month, certificate management can get really complicated if real TLS private keys are used for each session. TLS Delegated Credentials were designed to be compatible with TLS 1.3 and future versions. Delegated Credentials can have a lifespan ranging from a few hours to seven days, and they can be rotated automatically once they expire, simplifying heavy traffic certificate management.
Figure 1: How delegated credentials work. Image courtesy of Facebook.
Clients would tell the server that they support delegated credentials and verify that the delegated credential is correctly signed by the server’s leaf certificate. The public key of the delegated credential is then used as the key for the TLS connection.
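The issue-and-verify flow described above can be modeled in a few lines. This is an added example, not code from Facebook, Cloudflare, Mozilla or the IETF draft: the `DelegatedCredential` struct, the `Issue`, `Verify` and `signedBytes` names and the signed byte layout are assumptions made for illustration, and an Ed25519 key pair stands in for the CA-issued leaf certificate key.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

const MaxValidity = 7 * 24 * time.Hour // seven-day upper bound mentioned in the article

// DelegatedCredential is a simplified model, not the real TLS wire format.
type DelegatedCredential struct {
	PublicKey ed25519.PublicKey // key used for the TLS connection
	NotAfter  time.Time         // short expiry chosen by the operator
	Signature []byte            // made with the leaf certificate's private key
}

// signedBytes covers both expiry and public key, so neither can be swapped.
func signedBytes(pub ed25519.PublicKey, notAfter time.Time) []byte {
	return append([]byte(fmt.Sprintf("dc-demo|%d|", notAfter.Unix())), pub...)
}

// Issue runs on the operator's side; no CA round trip is involved.
func Issue(leafKey ed25519.PrivateKey, dcPub ed25519.PublicKey, now time.Time, ttl time.Duration) (*DelegatedCredential, error) {
	if ttl <= 0 || ttl > MaxValidity {
		return nil, errors.New("validity outside the allowed window")
	}
	exp := now.Add(ttl)
	return &DelegatedCredential{dcPub, exp, ed25519.Sign(leafKey, signedBytes(dcPub, exp))}, nil
}

// Verify is the client-side check: lifetime first, then the leaf signature.
func Verify(leafPub ed25519.PublicKey, dc *DelegatedCredential, now time.Time) error {
	if now.After(dc.NotAfter) || dc.NotAfter.Sub(now) > MaxValidity {
		return errors.New("delegated credential expired or valid for too long")
	}
	if !ed25519.Verify(leafPub, signedBytes(dc.PublicKey, dc.NotAfter), dc.Signature) {
		return errors.New("not signed by the leaf certificate's key")
	}
	return nil
}

func main() {
	leafPub, leafKey, _ := ed25519.GenerateKey(nil) // stands in for the CA-issued leaf key
	dcPub, _, _ := ed25519.GenerateKey(nil)         // per-server delegated key pair
	dc, _ := Issue(leafKey, dcPub, time.Now(), 6*time.Hour)
	fmt.Println(Verify(leafPub, dc, time.Now()), Verify(leafPub, dc, time.Now().Add(7*time.Hour)))
}
```

A server that holds only the delegated private key loses at most a few hours of trust if it is compromised, because the client rejects the credential once `NotAfter` has passed.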
Delegated credentials provide greater flexibility to server operators. Operators can issue each of their servers a separate delegated credential with a short validity time, instead of the real certificate private key, to add defense in depth. Since the delegated credential has its own public key, a server can also experiment with new public key algorithms for TLS even before CAs support them. For example, delegated credentials could work as a bridge for the public key infrastructure to transition into post-quantum cryptography.
You can try it by implementing the following steps:
- Download the latest version of Mozilla Firefox.
- Type about:config in the address bar and go to security.tls.enable_delegated_credentials.
- Now change its default value to true (you need to double-click on false).
- Go to this website.
Once you complete all the steps, you should see this in your browser window:
Figure 2: A browser supporting delegated credentials. Image source: Hashed Out by The SSL Store
A step towards enhancing privacy
Even though the delegated credentials protocol is about to be adopted by the IETF, its full implementation will take time, as it must be supported by all browsers, and users must be using updated browsers to benefit from it. Since a good percentage of users browse with older browsers, it will take time for the web to fully benefit from this innovation. However, the introduction of delegated credentials is undoubtedly a step forward as far as security and privacy are concerned, as it reduces the possibility of issues such as Heartbleed. Although delegated credentials are mostly useful for multi-server websites and CDNs, they are going to add an additional safeguard to privacy for millions of end-users.
(This post has been updated. It was originally published on December 28, 2020.)