Mozilla, in partnership with Facebook, Cloudflare, and other IETF community members, has announced technical specifications for a new cryptographic protocol called “Delegated Credentials for TLS.”
Delegated Credentials for TLS is a new, simplified way to implement "short-lived" certificates without sacrificing the reliability of secure connections.
In short, the new TLS protocol extension aims to limit the misuse of stolen certificates by reducing their maximum validity period to a very short span of time, such as a few days or even hours.
Before looking at how Delegated Credentials for TLS works, you need to understand the current TLS infrastructure and the core problem in it that Delegated Credentials for TLS is meant to solve.
The Current TLS Infrastructure
More than 70% of all websites on the Internet today use TLS certificates to establish a secure line of HTTPS communication between their servers and visitors, ensuring the confidentiality and integrity of every bit and byte of data being exchanged.
Websites obtain a TLS certificate from a Certificate Authority (CA) that must be trusted by all major web browsers. The CA digitally signs a certificate that remains valid only for a specific period, typically a year or two.
When you connect to an HTTPS-protected website, the server presents its TLS certificate to your web browser to prove its identity before any information is exchanged, including your passwords and other sensitive data.
Ideally, certificates are expected to be used for their entire validity period, but unfortunately, a certificate can go bad before its expiration date for many reasons.
For example, the secret private key corresponding to a certificate can be stolen, or the certificate can be issued fraudulently, allowing an attacker to impersonate a targeted server or spy on encrypted connections through a man-in-the-middle attack.
Moreover, big tech companies like Facebook, Google, and Cloudflare offer their services from thousands of servers deployed worldwide. They distribute the certificate's private key to each of those servers, a process in which the risk of compromise is higher than usual.
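The following is an added example, not code from the article or from the IETF specification, that models the idea behind short-lived delegated credentials in Go. It is a simplified illustration, not the protocol's wire format: the long-lived certificate key stays with a single signer, which mints a fresh key pair for a front-line server and signs its public half together with an expiry; the client verifies that signature against the certificate's key and rejects the credential once it expires or if its lifetime exceeds a policy maximum (seven days here, an assumed value). The names `Delegate`, `Verify`, and `DelegatedCredential` are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Simplified model of a delegated credential (not the RFC wire format).
// The certificate's private key stays with one signer; front-line servers
// receive only a short-lived key that is useless after NotAfter.

// maxDelegationLifetime is an assumed policy cap on how long a credential may live.
const maxDelegationLifetime = 7 * 24 * time.Hour

// DelegatedCredential binds a short-lived public key to an expiry time,
// signed by the certificate's private key.
type DelegatedCredential struct {
	PublicKey ed25519.PublicKey
	NotAfter  time.Time
	Signature []byte
}

// message returns the bytes that are signed: expiry (unix seconds) || public key.
func (dc *DelegatedCredential) message() []byte {
	buf := make([]byte, 8, 8+len(dc.PublicKey))
	binary.BigEndian.PutUint64(buf, uint64(dc.NotAfter.Unix()))
	return append(buf, dc.PublicKey...)
}

// Delegate runs on the key holder: it mints a fresh key pair for a server and
// signs the public half plus an expiry with the certificate's private key.
// The returned private key is what the server uses for its handshakes.
func Delegate(certPriv ed25519.PrivateKey, now time.Time, lifetime time.Duration) (*DelegatedCredential, ed25519.PrivateKey, error) {
	if lifetime <= 0 || lifetime > maxDelegationLifetime {
		return nil, nil, errors.New("delegation lifetime out of range")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dc := &DelegatedCredential{PublicKey: pub, NotAfter: now.Add(lifetime).Truncate(time.Second)}
	dc.Signature = ed25519.Sign(certPriv, dc.message())
	return dc, priv, nil
}

// Verify runs on the client: the credential must carry a valid signature from
// the certificate's key, must not be expired, and must not outlive the policy cap.
func Verify(certPub ed25519.PublicKey, dc *DelegatedCredential, now time.Time) error {
	if !ed25519.Verify(certPub, dc.message(), dc.Signature) {
		return errors.New("bad signature on delegated credential")
	}
	if !now.Before(dc.NotAfter) {
		return errors.New("delegated credential expired")
	}
	if dc.NotAfter.Sub(now) > maxDelegationLifetime {
		return errors.New("delegated credential lifetime exceeds policy")
	}
	return nil
}

func main() {
	// Constructed demo: a certificate key pair standing in for the CA-issued certificate.
	certPub, certPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2019, 11, 1, 12, 0, 0, 0, time.UTC)

	dc, _, err := Delegate(certPriv, now, 24*time.Hour)
	fmt.Println("delegate 24h:", err)
	fmt.Println("verify after 1h:", Verify(certPub, dc, now.Add(time.Hour)))
	// A stolen delegated key stops being useful as soon as the credential expires.
	fmt.Println("verify after 25h:", Verify(certPub, dc, now.Add(25*time.Hour)))
	// A year-long delegation is refused at issuance.
	_, _, err = Delegate(certPriv, now, 365*24*time.Hour)
	fmt.Println("delegate 1y:", err)
}
```

In a real deployment the server would use the delegated private key to sign the TLS handshake, and the client would check that handshake signature against `dc.PublicKey` after verifying the credential itself; the point this model shows is that compromising a front-line server only exposes a key that expires within hours or days, while the certificate's own private key never leaves the signer.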