
Facebook, Cloudflare and the Mozilla Foundation have been collaborating to advance Transport Layer Security (TLS).

Strengthening web security

Each of the three companies released an update on Delegated Credentials, a new TLS security protocol. It aims to strengthen web security and make the Web Public Key Infrastructure (PKI) more robust by limiting the window in which a compromised key can be abused, without hindering performance.

TLS relies on asymmetric cryptography: a browser verifies the legitimacy of a site through its digital certificate and the private key that corresponds to it. However, if that private key is stolen, it can be used to impersonate the service, intercept user traffic and steal private information.

Facebook is arguably one of the largest TLS deployments in the world. The company runs the social media site on thousands of web servers, and each of these servers holds a copy of the private key, which raises the security risk. Should a server be compromised, the private key could be stolen and used to launch a man-in-the-middle attack on traffic to the service.

Delegated Credentials generates a new set of keys whose validity is as short as a few hours and at most seven days, compared with the lifetimes of months that are typical for certificate private keys. These short-lived keys are distributed to the servers, so the certificate's private key no longer needs to be present on them.

In addition, because a delegated credential is cryptographically bound to a certificate issued by a Certification Authority (CA), it avoids the poor performance or loss of access that short-lived authentication would otherwise bring.
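The flow the two paragraphs above describe, written as an added example that is not part of the article or of any of the named companies' code. It is a deliberately simplified model rather than the IETF wire format: the certificate's long-term key signs a short-lived key plus its expiry, the edge server only ever holds the short-lived key, and the client accepts it only if the signature binds it to the certificate key, it has not expired, and its validity does not exceed the seven-day ceiling.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// MaxValidity is the seven-day ceiling the article describes.
const MaxValidity = 7 * 24 * time.Hour

// Credential is a simplified model (assumed layout, not the IETF encoding) of
// a delegated credential: a short-lived key and its expiry, signed by the
// certificate's long-term key so a client can tie it back to the CA-issued cert.
type Credential struct {
	Expiry    time.Time
	PublicKey ed25519.PublicKey // short-lived key handed to the edge server
	Signature []byte            // made by the certificate's private key
}

// tbs returns the bytes the certificate key signs: big-endian expiry || public key.
func (c Credential) tbs() []byte {
	buf := make([]byte, 8, 8+len(c.PublicKey))
	binary.BigEndian.PutUint64(buf, uint64(c.Expiry.Unix()))
	return append(buf, c.PublicKey...)
}

// Issue runs where the certificate's private key lives. Only the returned
// short-lived private key is shipped to the server; certKey never leaves.
func Issue(certKey ed25519.PrivateKey, ttl time.Duration, now time.Time) (Credential, ed25519.PrivateKey, error) {
	if ttl <= 0 || ttl > MaxValidity {
		return Credential{}, nil, errors.New("validity outside allowed range")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Credential{}, nil, err
	}
	c := Credential{Expiry: now.Add(ttl), PublicKey: pub}
	c.Signature = ed25519.Sign(certKey, c.tbs())
	return c, priv, nil
}

// Verify is the client side: check the credential is bound to the certificate
// key and still valid, then check the handshake signature with the delegated key.
func Verify(certPub ed25519.PublicKey, c Credential, now time.Time, transcript, handshakeSig []byte) error {
	if !ed25519.Verify(certPub, c.tbs(), c.Signature) {
		return errors.New("credential not signed by certificate key")
	}
	// Remaining validity must be positive and within the seven-day ceiling.
	if !now.Before(c.Expiry) || c.Expiry.Sub(now) > MaxValidity {
		return errors.New("credential expired or validity too long")
	}
	if !ed25519.Verify(c.PublicKey, transcript, handshakeSig) {
		return errors.New("bad handshake signature")
	}
	return nil
}
```

A stolen delegated key in this model is useful to an attacker only until `Expiry`, which is the compromise window the article says the scheme shortens.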

Defining a new protocol

Facebook, Cloudflare and Mozilla have also been working with the broader IETF community to define the new protocol, and they have contributed it to the Internet Engineering Task Force so that it can become an industry standard.

Subodh Iyengar, software engineer at Facebook, says, “We believe delegated credentials provide an effective way to boost security by reducing certificate lifetimes without sacrificing reliability.”

“This will soon become an internet standard and we hope others in the industry adopt delegated credentials to help make the Internet ecosystem more secure.”