For some people, May 30, 2020 will be a date to remember. On this day, many things stopped working, especially websites and organizations’ content filtering systems. This is especially important due to the current situation where the COVID-19 pandemic is causing society to depend heavily on the Internet not only to stay informed but also to maintain jobs that can be done remotely.

In addition to the problems detected locally in Panama, especially in the government sector where more and more procedures have been moved to online mode in record time, there have also been disruptions worldwide. For example, some television channels broadcast on the Roku platform[1] stopped working with little indication of what could be happening.

There are multiple reports on the impact of this expiration. Below are some examples:

Although this incident had a high impact, it was not unforeseen: warnings about the expiration of the affected certificates had been published since 2019. Some related articles are below.

The logical question in this situation is: why did we not know about this beforehand and take appropriate measures? There may be several answers, and the question could easily degenerate into finger-pointing between the development, operations, and security teams within IT organizations. But the underlying answer is simply that the time scale on which encryption-related activities unfold exceeds that of any individual.

In summary, if the organization does not have robust encryption management processes, the problem will most likely repeat in the future. The reason specific processes are needed to manage encryption within private or public organizations is very simple: the processes that govern public key cryptography run on very long cycles (20 or 30 years). This is longer than many people remain in an organization.

For SSL/TLS encryption to work, the server presents an SSL certificate to the client: an application such as a web browser, or a device. If a server certificate approaches expiration, the system administrator can easily renew it. However, for the client to “trust” a presented certificate as valid, it must be able to chain that certificate back to one of a set of pre-installed root certificates from trusted Certificate Authorities (CAs), which ship with web browsers, applications, and devices.

Now, those root certificates have significantly longer expiration dates than server certificates—up to 20 or 25 years. But sooner or later, like mortals, they will expire.

In a post to his blog, security researcher Scott Helme said: “This problem was demonstrated perfectly recently, on May 30 at 10:48:38 GMT to be exact. That exact moment was when the AddTrust External CA root certificate expired and brought with it the first signs of problems I have been expecting for some time.”

“We are approaching a point in time where there are many CA root certificates that expire in the coming years simply because it has been more than 20 years since encrypted web really started and that is the lifespan of a CA root certificate. This will catch many organizations significantly off guard.”

-Scott Helme

All this leaves us with a problem to face. Although it is not hard to understand and prevent, it requires constant vigilance and attention to detail over a very long period wherever encryption is used on the Internet.

Why is Encryption Important?

Although at the beginning of this century, the argument about using SSL to secure websites and web services revolved around the impact on server processors, today these and other arguments have practically died due to advances in processing power and the maturation of cloud services.

The history of encryption use on the Internet and its importance deserves an article in itself. However, here you can find some important references:

  1. EFF – https://www.eff.org/https-everywhere/faq
  2. Internet Society – https://www.internetsociety.org/encryption/what-is-encryption/

To learn a bit more about encryption for securing websites (HTTPS), you can always visit the https://whynohttps.com/ site by Troy Hunt[1], where he explains, with numbers, the phenomenon of encryption adoption on the Internet.

Future Challenges of Encryption

Let’s say that managing the situation where a website appears as “not secure” in people’s browsers is an annoying reality. However, it is manageable because there is always a person using the browser who can take actions to resolve the situation.

Now let’s think about scenarios that do not involve people, that is, communication between machines, or what is popularly known as IoT (Internet of Things): in practice, smart TVs, smart bulbs, refrigerators, stoves, ovens, washing machines, dryers, or a complex control system in a power generation plant. If these devices are not updated in time, they can lose their Internet connection, or their connection to the other systems they depend on to function, and become essentially useless. All because of an expired digital certificate that was not updated on the device in a timely manner.

If we take into account that in some cases devices can be disconnected from the Internet for long periods, sometimes years, and not receive updates, the problem becomes even more complicated.

Realistically speaking, a smart gadget can go through periods of prolonged inactivity lasting weeks or months. If the device is updated infrequently and its root CA certificate expires while offline, it may have difficulty reconnecting to the Internet when turned on.

For example, a smart bulb may have the ability to connect to the Internet but may need a secure connection to its server before it can receive updates. If this smart bulb had previously been “disconnected” from the Internet for a few months, and the grace period for updating its root CA certificate has now passed, it may no longer be able to reconnect to the Internet unless it is manually updated, if possible.

The irony of all this is that even the most “modern” devices and gadgets are not modern enough because they do not account for the latest root certificates.

For smart devices and IoT to continue functioning uninterrupted and guarantee a smooth user experience, industry stakeholders, partners, and competitors must agree on a standard set of practices and adhere to them. In 2020, there are few reasons why some devices still do not recognize root certificates issued in 2012.

While regular application of updates to smart devices is an obvious solution, it may not be as obvious to the end user. During regular updates, smart devices can download new root CA certificates to add to their root stores.
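Both the offline-device scenario above and the root-store refresh just described come down to one question a defender can answer mechanically: which roots in a device's trust store have expired or are about to? The following Python script is an added example, not code from the original post or from any vendor; it walks just enough of the X.509 DER structure to read each certificate's validity period, then flags every certificate in a PEM bundle that is expired or expires within a warning window. The two certificates in `SAMPLE_BUNDLE` are constructed shells (no real key or signature); the first merely mirrors the 2000-05-30 to 2020-05-30 10:48:38 GMT window quoted above and is not the real AddTrust certificate. On a real device the bundle would be its CA store file instead.

```python
import base64
import datetime
import re

UTC = datetime.timezone.utc


def _tlv(data, pos):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _parse_time(tag, raw):
    """Decode an X.509 UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ; RFC 5280 century rule
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    elif tag != 0x18:                       # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate.

    Only the path Certificate -> tbsCertificate -> [version] serialNumber
    signature issuer validity is decoded; that is all the expiry check needs.
    """
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = _tlv(tbs, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(3):                      # serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)         # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, p = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, p)
    return _parse_time(t1, nb), _parse_time(t2, na)


def expiring_roots(pem_bundle, now, warn_days=365):
    """List (index, notAfter, days_left) for each certificate in a PEM bundle
    that has already expired or expires within `warn_days` of `now`."""
    pattern = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    findings = []
    for i, b64 in enumerate(re.findall(pattern, pem_bundle, re.S)):
        der = base64.b64decode("".join(b64.split()))
        _, not_after = cert_validity(der)
        days_left = (not_after - now).days  # negative once the root has expired
        if days_left <= warn_days:
            findings.append((i, not_after, days_left))
    return findings


# ---- constructed sample data: structurally valid shells, not real CA certs ----

def _der(tag, body):
    """Minimal DER encoder, used only to build the sample certificates below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _sample_cert(not_before, not_after):
    """Unsigned, keyless certificate shell carrying the given validity TLVs."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))           # version v3
               + _der(0x02, b"\x01")                     # serialNumber
               + alg                                     # signature algorithm
               + _der(0x30, b"")                         # issuer (empty Name)
               + _der(0x30, not_before + not_after)      # validity
               + _der(0x30, b"")                         # subject (empty Name)
               + _der(0x30, alg + _der(0x03, b"\x00")))  # subjectPublicKeyInfo stub
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


def _pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----")


# Sample 0 mirrors the window quoted in the article (UTCTime); sample 1 uses
# GeneralizedTime and runs until 2038.
SAMPLE_BUNDLE = "\n".join([
    _pem(_sample_cert(_der(0x17, b"000530104838Z"), _der(0x17, b"200530104838Z"))),
    _pem(_sample_cert(_der(0x18, b"20120101000000Z"), _der(0x18, b"20380128000000Z"))),
])
NOW = datetime.datetime(2020, 1, 1, tzinfo=UTC)  # assumed audit date

if __name__ == "__main__":
    for idx, not_after, days in expiring_roots(SAMPLE_BUNDLE, NOW):
        print(f"cert #{idx}: expires {not_after:%Y-%m-%d %H:%M:%S} UTC ({days} days left)")
```

Run against the sample with the assumed audit date of 1 January 2020, the script reports only certificate #0, with 150 days left; a device that is switched off for longer than that comes back online with an unusable root. The warning window is the knob worth tuning to the longest plausible offline period of the device class rather than to a fixed year.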

On My Interest in Encryption

As of the publication date of this article, I am serving as President of the Board of Directors of the Panama chapter of the Internet Society. One of this global, non-profit organization’s major initiatives is promoting, through education, the use of encryption on the Internet, because of its role in building trust in Internet use and in protecting Internet users and their personal data.

You can read more about Internet Society’s initiatives and actions on the encryption topic at the following URL: https://www.internetsociety.org/encryption/internet-community-stands-up-for-encryption/