The evolution of SSL Certificates over the last 20 years

Wednesday, September 9th, 2020

When John Wainwright, a computer scientist based in Silicon Valley, ordered the first-ever book on Amazon, the last thing he could have imagined is having a building named after him. But that’s exactly how much the biggest retailer on the planet values its first-ever non-employee customer.

In a gigantic leap from the late nineties, when online retailing was still in its infancy, Amazon is now selling millions of books every year. But what Wainwright did 25 years ago couldn’t have been possible without another technology running in the background. A technology so fundamental to the Internet’s evolution and online transactions that no website can live without it anymore. We’re talking about cryptographic protocols and SSL/TLS certificates – the web security elements that made the internet revolution possible.

At the time when the first browsers were popularizing the World Wide Web, the need for secure payments was a pressing concern. Somewhere in the Netscape headquarters, one of the biggest computer services companies back then, Taher Elgamal, an Egyptian cryptographer and Netscape’s chief scientist, was drafting the first-ever Secure Sockets Layer (SSL) internet protocol.

The evolution of SSL Certificates in the late nineties

Without the possibility to test it in the real world, SSL 1.0 was a complete car crash. Riddled with cryptographic flaws and security vulnerabilities, the first version never went live. Netscape continued developing the SSL protocol and, in February 1995, released SSL 2.0. It shipped with Netscape’s Navigator browser and remained in use for just a year until hackers and security experts exposed its flaws as well.

At the same time, Microsoft decided to revise the SSL 2 protocol with some additions of their own and released the first version of the PCT (Private Communication Technology) protocol. However, it never gathered momentum and remained supported only in IE and IIS.

Netscape scrambled to develop SSL 3.0, which finally brought a bit of stability and breathing space to the Web. It wasn’t until 1999 that a seemingly brand new TLS (Transport Layer Security) 1.0 protocol came to light. In reality, TLS was almost identical to SSL 3.0, and more of a compromise between the fierce competitors Netscape and Microsoft, rather than a deviation from SSL 3.0.

As Tim Dierks, the guy who wrote the SSL 3.0 reference implementation, recalls, Netscape and Microsoft negotiated a deal where both would support the IETF (Internet Engineering Task Force) taking over the protocol, and standardizing it in an open process.

“As a part of the horsetrading, we had to make some changes to SSL 3.0 (so it wouldn’t look like the IETF was just rubberstamping Netscape’s protocol), and we had to rename the protocol (for the same reason). And thus was born TLS 1.0 (which was really SSL 3.1). And of course, now, in retrospect, the whole thing looks silly.”

It took the IETF group three years to publish TLS 1.0. The SSL/TLS confusion continues to this day.

The evolution of SSL Certificates at the beginning of the 21st century

At the dawn of the new millennium, SSL certificates were as scarce as trees in a desert. Certificate Authorities were charging hundreds of dollars for Business Validation, the only available option at that time. That was quite an investment for e-commerce companies dipping their toes into unknown waters of the online world.

The need for quicker and easier validation was apparent. In 2002, GeoTrust became the first Certificate Authority to distribute Domain Validation certificates, a move that would eventually change the SSL landscape forever. Faster and cheaper, these certs could encrypt any type of website, and eventually became the driving force behind the HTTPS revolution.

Five years later, in 2007, another game-changing innovation shaped the SSL industry. The arrival of Extended Validation certificates allowed companies to provide reasonable assurance to the Internet users that the website they’re accessing is indeed controlled by a legal entity. The now-famous EV green address bar helped companies better identify themselves to customers, and made phishing attacks using SSL certificates more difficult.

In the meantime, the IETF released TLS 1.1 in 2006 to address the BEAST attack, and then TLS 1.2 in 2008, with authenticated encryption (AEAD) as its main new feature. Although a significant breakthrough in online cryptography, it would take years for major browsers and servers to enable it. Chrome added support for TLS 1.2 in August 2013. By that time, the IETF had already begun drafting the TLS 1.3 protocol.

With the web evolving fast, and the number of cyber-attacks keeping pace with its growth, the need for large-scale encryption seemed the logical step towards a safer Internet. Step in Google, arguably the biggest advocate of HTTPS transition.

The evolution of SSL Certificates in the last decade

In 2014, the search engine giant announced that it would give an SEO boost to all secure websites. And, since everyone was obsessed with SEO by that time, websites that otherwise wouldn’t have come close to an SSL certificate moved from HTTP to HTTPS to gain even the smallest edge over the competition. This move kick-started the HTTPS ascendance and a new era for the SSL/TLS ecosystem.

Shortly after Google’s incentive, Cloudflare, the popular content delivery network service, gave away free certificates to their over two million users.

The year 2015 saw three major developments in the SSL/TLS world. First, certificates issued after 1 April had their validity reduced from five to three years. The shorter lifespan had been outlined back in 2012, in the first Baseline Requirements for the issuance and management of publicly-trusted certificates.

A few months later, in November, the Let’s Encrypt open-source certificate authority brought free Domain Validation SSL certificates and automated issuance to everyone. Backed by the likes of Google, Facebook, and Mozilla, Let’s Encrypt quickly became a popular choice for basic websites, blogs, and online portfolios.

In the same year, the SSL protocol was deprecated by the IETF, but it would take years before older servers disabled it completely.

Fast-forward to 2016, and the HTTPS encryption reached the 50% milestone across the web. While this was a huge accomplishment back then, the job was just half-done. Google’s end-goal was to secure the entire Web. To do so, it would require something more radical than a small SEO boost. And, as always, the bright minds of Silicon Valley came with a simple yet efficient solution.

With the release of Chrome 68 in 2018, the browser began flagging all unencrypted HTTP sites as “Not secure”. Mozilla followed suit, and suddenly SSL certificates went from just an SEO incentive to an absolute necessity for all types of websites. As owners rushed to secure their sites and avoid the ominous warning, HTTPS encryption skyrocketed to 80% across the Internet.

SSL certificates were now the new norm, an indispensable element of website building and security. From here on, the evolution of HTTPS would take a new direction. In its next release, Chrome 69 would remove the “Secure” badge from HTTPS websites, leaving the padlock as the sole indicator.

This again cemented the major shift in Google’s approach towards encrypted websites. Where in the past it had offered rewards to encourage HTTPS migration, it now took the opposite course and began penalizing unencrypted sites. The Extended Validation green bar survived for now, but soon its time would also come to an end.

Amid these critical changes, the IETF published the long-awaited TLS 1.3 protocol. It took five years to develop, and it came a decade after the previous TLS 1.2 version, but the wait was worth it. TLS 1.3 removed a bunch of old ciphers and algorithms and cut the TLS handshake time in half. As with the previous releases, its adoption would be slow.

The busy 2018 year witnessed one more crucial development in the SSL landscape. The ever-changing SSL validity was reduced again, this time to two years. The new restriction made SSL certificates expire and be reissued more frequently, thus enabling the Certificate Authorities to better control the overall SSL/TLS environment.

After the long stroll down memory lane, we have finally reached 2020, an eventful year that will no doubt be highlighted in the history books. In the online world, HTTPS encryption has surpassed the 95% mark. Google’s goal to secure the whole Internet is now a reality.

Browsers continue to normalize the HTTPS connection making it more neutral. In their latest move, both Chrome and Firefox ditched the Extended Validation indicator from their address bars and repositioned it in the certificate info panel. Google carried out internal and external research and discovered that the EV indicator doesn’t convey information about a website’s identity and security in an efficient way. Moreover, it takes up too much space and may present confusing company names. Even so, the EV indicator removal isn’t the end of Extended Validation certificates. Their main benefit remains extensive verification of the company’s identity.

Meanwhile, SSL validity continued to shrink. This time it was Apple’s turn to unilaterally shorten the certificate lifecycle to just one year for its Safari browser. The new change takes effect starting September 1. Since Safari is the second most popular browser on the web, its competitors followed Apple’s decision. The one-year validity further diminishes the exposure window for cyber-attacks, because new keys are generated more regularly.

Twenty-five years have passed since the arrival of the first SSL protocol. The entire Internet has come a long way since the early days of browsers, to the point that it’s a completely different environment. Web encryption is now ubiquitous. The older SSL and TLS protocols are deprecated, making room for the most recent TLS 1.3 version.

According to SSL Pulse, a global dashboard for monitoring the quality of SSL/TLS support over time across Alexa’s list of top 150,000 popular sites in the world, as of August 3, 2020, 32.8% of sites surveyed support the TLS 1.3 protocol. It’s a slow but steady adoption. More worryingly, 4.6% of sites still support the now-deprecated and vulnerable SSL 3.0 version.
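The two trends described above, deprecated protocol versions lingering on servers and certificate lifetimes being cut from five years down to one, are exactly what a defender wants to check on their own hosts. The following script is an added example, not code from the article or from SSL Pulse: it evaluates constructed scan records (placeholder hostnames, certificate dates in the string format that Python’s `ssl.SSLSocket.getpeercert()` returns) against the timeline the article gives. The day counts (365-day years) and the 1 March 2018 cut-over date for the two-year limit are assumptions made for the example; the CA/Browser Forum’s actual limits for the last two steps are slightly longer (825 and 398 days).

```python
"""Offline hygiene check for TLS endpoints, in the spirit of SSL Pulse.

Each record below mimics what a scan of one host yields: the protocol
versions the server was willing to negotiate, plus the certificate in the
dict shape returned by ssl.SSLSocket.getpeercert().  Every record is a
constructed sample, not real scan data.
"""
import ssl
from datetime import datetime, timezone

# Protocol status as the article describes it: SSL deprecated by the IETF
# in 2015, TLS 1.3 current.  Treating TLS 1.0/1.1 as legacy as well is an
# assumption of this example.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
CURRENT_PROTOCOL = "TLSv1.3"

# Maximum certificate lifetime in days, keyed by the date the limit took
# effect, following the article's timeline: five years before 1 April 2015,
# three years after it, two years from 2018, one year from 1 September 2020.
# 365-day years and the 1 March 2018 cut-over are assumptions of the example.
LIFETIME_LIMITS = [
    (datetime(2020, 9, 1, tzinfo=timezone.utc), 365),
    (datetime(2018, 3, 1, tzinfo=timezone.utc), 2 * 365),
    (datetime(2015, 4, 1, tzinfo=timezone.utc), 3 * 365),
    (datetime.min.replace(tzinfo=timezone.utc), 5 * 365),
]


def _to_datetime(cert_time):
    """Parse a getpeercert() time string such as 'Sep  1 00:00:00 2020 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def cert_lifetime_days(cert):
    """Validity period of a certificate dict, in whole days."""
    return (_to_datetime(cert["notAfter"]) - _to_datetime(cert["notBefore"])).days


def max_lifetime_for(issued):
    """Lifetime limit that applied on the certificate's notBefore date."""
    for effective_from, limit in LIFETIME_LIMITS:
        if issued >= effective_from:
            return limit
    raise ValueError("no limit defined")  # unreachable: last entry is datetime.min


def assess(host):
    """Return a list of findings for one scanned host (empty means clean)."""
    findings = []
    offered = set(host["protocols"])
    legacy = sorted(offered & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("offers deprecated protocol(s): " + ", ".join(legacy))
    if CURRENT_PROTOCOL not in offered:
        findings.append("does not offer TLS 1.3")
    cert = host["cert"]
    days = cert_lifetime_days(cert)
    limit = max_lifetime_for(_to_datetime(cert["notBefore"]))
    if days > limit:
        findings.append(f"certificate lifetime of {days} days exceeds the "
                        f"{limit}-day limit in force at issuance")
    return findings


def summarize(hosts):
    """Percentages in the style of the SSL Pulse figures quoted in the article."""
    total = len(hosts)
    tls13 = sum(CURRENT_PROTOCOL in h["protocols"] for h in hosts)
    legacy = sum(bool(set(h["protocols"]) & LEGACY_PROTOCOLS) for h in hosts)
    return {"tls13_pct": round(100 * tls13 / total, 1),
            "legacy_pct": round(100 * legacy / total, 1)}


# Constructed scan results; hostnames are placeholders.
SAMPLE_HOSTS = [
    {"host": "good.example", "protocols": ["TLSv1.2", "TLSv1.3"],
     "cert": {"notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Sep  2 00:00:00 2021 GMT"}},
    {"host": "legacy.example", "protocols": ["SSLv3", "TLSv1", "TLSv1.2"],
     "cert": {"notBefore": "Jan 10 00:00:00 2019 GMT", "notAfter": "Jan 10 00:00:00 2022 GMT"}},
    {"host": "aging.example", "protocols": ["TLSv1.1", "TLSv1.2", "TLSv1.3"],
     "cert": {"notBefore": "Mar 15 00:00:00 2016 GMT", "notAfter": "Mar 15 00:00:00 2019 GMT"}},
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h["host"], assess(h) or ["clean"])
    print(summarize(SAMPLE_HOSTS))
```

The lifetime check deliberately compares against the limit in force when the certificate was issued rather than today’s limit, since a three-year certificate issued in 2016 was compliant at the time and only needs replacing when it expires; a fresh one-year certificate issued after 1 September 2020 passes, while the legacy host is flagged for both SSL 3.0 support and an over-long certificate.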

What does the future hold for SSL certificates?

With universal encryption comes a greater responsibility to protect users’ sensitive data against persistent cyber-attacks. While the flaws of older protocols were eradicated in later versions, the risk of new security threats will remain high as long as the Internet keeps evolving.

Many FinTech experts have suggested blockchain as a potential SSL replacement. In simple terms, a blockchain is a database structure that stores information in batches called blocks, linked sequentially to form a chain of blocks. Each chain is a public ledger where transactions are recorded and confirmed anonymously. One of the most famous examples of blockchain is the Bitcoin cryptocurrency. But how can Blockchain improve web encryption?

For starters, it can be used by individual parties to generate unique cryptographic keys that can check information and provide secure communication. Several blockchain-based SSL certificates already exist on the market. These certificates eliminate the Certificate Authorities (human factor) from digital transactions, ensuring stronger authentication.

One such system is Remme. The distributed Public Key Infrastructure protocol assigns SSL certificates to individual devices such as smartphones or PCs, and stores the certificate information in a secure, blockchain-enabled database.

Although blockchain is touted as the best SSL replacement, taking the CAs out of the equation may generate the opposite effect. The technology is still in its infancy, and until developers can prove its efficiency and stability in providing decentralized trust, the highly-regulated Certificate Authorities will continue to verify the legitimacy of certificates’ owners.

As the old saying goes, if it ain’t broke, don’t fix it. That’s not to say CAs didn’t have their share of problems and trials, but their uninterrupted progress has transformed the SSL industry into a much safer place. Today, the leading CAs offer a wide range of certificate management and automation options, helping companies efficiently manage thousands of certificate lifecycles.

Both browsers and CAs are so confident in SSL’s safety record that Google intends to remove the padlock icon – the last surviving indicator of a secure website. So far, all of Google’s intentions have come to life. The end of the SSL padlock will mark the HTTPS revolution as a success story, and an important chapter in the Internet’s young history.