18

SSL, nowadays TLS, encrypts traffic between the server and client. However, the certificate is only valid for a certain period of time until its expiration.

What I don't understand is, why does TLS even expire in the first place? Its purpose is to encrypt traffic. If I had a Domain named example.com with SSL/TLS set up, the secure connection is first initialised using a TLS handshake. Once the keys have been exchanged, the connection is encrypted and sensible information can be transmitted. Cant this behavior been achieved without global CAs? Why do certificates even need to be trusted/validated when only a key exchange between X & Y is desired/required for transmitting encrypted data.

Is validation and expiration required due of man in the middle attacks or DNS hijacking? I cant find proper, easy to underetand and transparent answers on the web. It seems like SSL/TLS developed that way "AS IS" without a background to why expiration and CAs exist.

Improve this question
4
  • 23
    It might be useful to understand the terminology first, so that you can more precisely search for information yourself: SSL/TLS is for encryption, certificates in the context of SSL/TLS are for authentication (preventing man-in-the-middle impersonating the server). SSL/TLS does not expire, but certificates do. SSL/TLS can be used without certificates (also this is rare) and certificates can be used without SSL/TLS (like in code signing certificates, S/MIME for email encryption, document signing, ...) Commented Jul 21, 2024 at 13:18
  • 4
    Not a direct answer to your question, but I once wrote an elaborate answer on Certificate Authority dynamics, in particular Let's Encrypt that may be helpful in understanding the big-picture concept. Commented Jul 22, 2024 at 10:10
  • This cannot be explained like you're five. Commented Jul 23, 2024 at 6:38
  • 1
    @SteffenUllrich: "SSL/TLS does not expire" - well, until someone finds a vulnerability in it. Commented Jul 24, 2024 at 15:24

7 Answers 7

Reset to default
44

Certificate expiration is a security feature.

Over time, domains can change ownership, private keys can be compromised and certificates can be fraudulently issued. These events mean that we no longer want the certificate to be recognised as valid.

Historically, certificate revocation processes have been weak, although OCSP stapling has improved this.

For these reasons, having relatively short validity periods is helpful. The usual recommendation is 90 days.

As to why we need CA's, this is for authentication purposes.

Without a CA, you can have a key exchange process, but you don't know who you completed the key exchange with. It could be the legitimate site, or a MITM hacker. The certificate proves that you completed the key exchange with the valid owner of the domain.

Improve this answer
16
  • 2
    Excellent answer (+1). This begs the question: In this day in age, where we have automated certificate requesting / signing (e.g. ACME protocol), why do certificates even need to have durations of 90 days. Why not have certificates with durations of just a few days, or even shorter, so that revocation is a non-issue. Commented Jul 21, 2024 at 13:32
  • 6
    @mti2935 Because the shorter your validity period, the less resilient you are against infrastructure failures. OCSP is optional for TLS, but a general X.509 certificate is not. If OCSP is not working, your site will still work just fine, but if your certificate is no longer valid, your site is down as far as 99.99% of users are concerned. There are use cases where short validity periods do make a lot more sense (such as some types of code signing, where a certificate might even be created on-demand for each individual instance of needing to sign something), but HTTPS is not one of them. Commented Jul 21, 2024 at 21:53
  • 6
    @mti2935 The main downside is that there is more opportunity for things to go wrong. If you have a certificate that’s only valid for an hour, you need to rotate roughly 48 times a day (you need overlap between the old and new certificates, period, otherwise some users will run into issues), which translates to roughly 2879 more opportunities for things to go wrong than rotating a 90 day certificate every 60 days (the norm for ‘short-lived’ certificates). The theoretical benefits are not sufficient for that level of extra risk in a vast majority of cases. Commented Jul 22, 2024 at 2:20
  • 2
    A big +1 to this great answer. Although as someone pointed out on my answer, CAs can sometimes be untrustworthy (usually because of powerful governments,) like just take a look at one of Chinas biggest CAs… not to name names! Commented Jul 22, 2024 at 4:28
  • 2
    @AustinHemmelgarn: To add to reducing the opportunity for things to go wrong, we can also consider that someone may be using the same website for more than the shorter certificate timeframe - for example, by downloading a file that takes 2 hours to download on their connection. Requiring someone to request a new encryption key mid-download could be really complex, especially since they may need a checksum that now changes midway through the file download. Commented Jul 22, 2024 at 11:17
15

Your confusion is likely due to a misunderstanding (or at least, incomplete understanding) of what certificates are for. Yes TLS encrypts traffic between you and the server, but you can do that with just raw keys; you don't need the extra info in a certificate.

A certificate is an assertion from a trusted third party that that the holder really is who they say they are. For instance, this site presents a certificate from Let's Encrypt that says that the holder of its corresponding private key really does control the stackexchange.com domain. You (or at least your browser or OS vendor) trust Let's Encrypt to only issue certificates to the real owner of a domain (and they have strict compliance and auditing requirements to maintain that trust), and so you can trust that anyone who has a certificate for stackexchange.com really is the owner of that domain.

But just because that's the case now doesn't mean it always will be. StackExchange could be breached and the private key stolen. Or they could go bankrupt and not be able to continue paying for the domain registration. In those cases we would want the certificate to become invalid somehow since its assertion that the holder of its private key owns stackexchange.com is no longer true. There are ways to revoke a certificate, but they rely on someone taking explicit action.

But what if the private key leaks and the owner doesn't find out about it? Or a domain registration lapses and the new owner doesn't know what certificates were obtained by the old owner? In those cases, you need some mechanism for the old certificates to automatically become invalid. That's where having an expiration date helps. A private key that was stolen by a bad actor or simply retained by a previous owner automatically becomes useless after some time.

Improve this answer
7
  • @MartinKealey You're right, that was somewhat poorly worded and I've removed the public/private part. The point is that TLS doesn't need certificates for encryption; they're there for authentication. Commented Jul 22, 2024 at 0:10
  • 1
    @MartinKealey: Of course a single public-key pair can be used to secure traffic in both directions. For example, if an (Elliptic Curve) Diffie-Hellman key exchange is used, the client sends its (EC)DH parameters in the ClientHello, and the server sends its parameters in the ServerHello. By signing the hash of all exchanged messages (the transcript hash), the server authenticates its (EC)DH parameters, and the client can verify that the server has received the correct client parameters. In the end, both parties have an (EC)DH shared secret and can derive the same symmetric keys. Commented Jul 22, 2024 at 0:56
  • @ja1024 Of course can be used to secure the traffic in both directions in conjunction with a separate session key, but the statement was that it could be used to encrypt the traffic (implying alone, not with a session key). I should have phrased my response more carefully. Commented Jul 22, 2024 at 1:33
  • 1
    @MartinKealey: Asymmetric algorithms cannot be used to encrypt any traffic, because they’re limited to a few hundred bytes of data. So there’s always a symmetric key involved. In the old static RSA key exchange, the client encrypted a premaster secret with the server’s public key and sent it to the server. In modern key exchanges, the public key is only used to verify the signed transcript hash (which includes the server’s Diffie-Hellman parameters). Commented Jul 22, 2024 at 1:56
  • 1
    @MartinKealey: Your statement would be correct in a hypothetical purely asymmetric protocol where only tiny messages are exchanged. Then the client and server would each need a key pair. But this has nothing to do with TLS, nor does any real-world protocol use this approach, because it’s inefficient, slow and insecure. Commented Jul 22, 2024 at 1:57
12

Basically it's so that certificate revocation lists don't grow forever.

When a certificate is compromised it is put on a revocation list so that the compromised cetificate can't be used, in particular so that it can't be used to impersonate the owner.

If certificates lasted forever then the revocation list would grow forever and put an increasing burden on user's systems.

By expiring certificates there is no need to retain the revocation list entries forever, they only need to be remembered until the certificate expires.

Improve this answer
3
  • 1
    I've seen pretty gnarly sizes for govt-issued documents' revocation lists, as most e-IDs and passports are issued for 10 years. One I saw was 350MB in Dec 2020, but it has grown to 611MB since then. Commented Jul 24, 2024 at 12:58
  • @ave You can't remove the revocation data for expired certificates if they are used for non-interactive purposes, e.g. document and software signing, because you need to remember that items signed before a compromise date are legit and those after are not. Commented Jul 24, 2024 at 19:02
  • how is date of signature provable? Commented Jul 24, 2024 at 23:33
6

CAs and certificates aren't strictly necessary for TLS. They're by far the most common approach, but there are indeed alternatives.

When you perform a TLS handshake to set up a secure connection with example.com, then you generally want to make sure that the cryptographic parameters you're receiving (e.g., for a Diffie-Hellman key exchange) do in fact come from example.com. If you don't ensure this, then you still end up with a secure connection, but you have no idea if you're actually communicating with example.com. It might as well be a man-in-the-middle attacker who just pretended to be this website, injected her own parameters and can now read every request meant for example.com.

So an anonymous key exchange isn't very helpful. You need to make sure that the parameters actually belong to example.com and not a man-in-the-middle attacker.

The typical way to achieve this is to use a CA as a trusted third party. The server generates a key pair, sends the public key to the CA and proves that it controls the server behind example.com (or the domain itself). In return, the CA issues a signed certificate which cryptographically binds the public key to the domain name example.com. It's now possible for the server to sign their cryptographic parameters, and the client can verify the signature with the public key in the certificate.

The reasons for keeping certificates short-lived have already been explained by paj28, so I'm not going to repeat them.

However, as already mentioned in the beginning, certificates and CAs aren't strictly necessary. There are several other options.

  • If you can establish keys before the TLS connection, then you could use pre-shared keys or raw public keys. Neither require a certificate or a CA.
  • Public keys can be distributed through the Domain Name System, e.g., using DNS-based Authentication of Named Entities (DANE). Note that current browsers don't implement DANE (and probably won't in the near future).
  • You could use the trust-on-first-use approach (TOFU). When you initially connect to a server, you could simply accept the (raw) public key you get back and trust this key from now on. Of course this means the initial connection will be vulnerable to man-in-the-middle attacks, and it's your responsibility to keep the key up to date in case it's compromised or changed for other reasons.

Plenty of other approaches have been proposed, but those are mostly experimental and haven't gained too much attraction.

Improve this answer
3
  • 1
    For hoots and giggles, you can use a blockchain. Commented Jul 21, 2024 at 22:45
  • 2
    SRP was one of the more interesting alternative approaches. We could have had a world with no CAs and mutual authentication based on your password. Commented Jul 22, 2024 at 5:36
  • 2
    Every Certificate Transparency (CT) log is a blockchain Commented Jul 24, 2024 at 17:12
1

Why Do SSL/TLS Certificates Expire?

  1. Replaces compromised certificates If an attacker has gotten access to the certificate, then they can keep using it to MITM or for DNS Hijacking. But when the certificate expires, and a new one is used, the attacker can no longer do these malicious things, because they don’t have the new certificate.
  2. Implementing new cryptographic updates If a new cryptographic update is needed, then the only way to do this is to get a new, updated certificate. And to do this, the first one needs to expire.

This is quite an important point, and I think it is important that

Why do SSL/TLS Certificates need CA validation?

The role of CAs for SSL/TLS is vital. According to the official SSL website above, a CA’s digital certificate provides:

“Integrity of documents signed with the certificate so that they cannot be altered by a third party in transit.”

This is one of the main reasons that Cas are needed so bad. CAs are an independent party, who won’t be biased so therefore won’t modify the certificate in transit.

It would not be in a CA’s best interests to tamper, because they would face legal penalties, and lose business.

Although, it’s important to note, that not all big CAs can be trusted, also depending on your country of residence.

Powerful governments have been known to use CAs of their jurisdiction for bad.

Improve this answer
4
  • 4
    There are plenty of examples where CAs have engaged in all kinds of fishy behavior (like enabling man-in-the-middle attacks) or extreme sloppiness, so blind trust in CAs doesn’t seem warranted. I also haven’t heard of any serious legal consequences yet. Sure, they risk getting kicked out of the trust store and lose money, but that doesn’t seem to impress everybody. Commented Jul 21, 2024 at 23:52
  • 2
    @Ja1024 I never said that this never (or doesn't) happen, but it would be bad for a CA's reputation to be caught doing this, hence why most CAs are trusted. And also, often you don't have another choice. No security is perfect, and like previous questions on this site have mentioned, sometimes CAs are actually controlled/manipulated by the governing body of that country! Which is pretty crazy. But again, often CAs are better than alternatives, and one has to take the (small) risk. Commented Jul 22, 2024 at 0:03
  • You can't compromise a certificate, nor does it make sense for an attacker to get access to a certificate; it's already public. You can compromise a server's private key, however. Commented Jul 24, 2024 at 17:14
  • @Nayuki well yes, that is what was inferred, or at least what I assumed was inferred. Thanks. Commented Jul 25, 2024 at 5:13
0

Firstly, it's misleading to describe a certificate as “its purpose is to encrypt traffic”. Its purpose is to protect traffic, but not by being the key used to encrypt it.

A certificate comprises (among other things) an asymmetric key pair. Using this key pair to encrypt & decrypt network traffic would be awkward for a variety of technical reasons, but if you managed to jury-rig things to use one of the keys in a certificate to encrypt traffic, you would run up against a more fundamental problem: to be useful as a certificate, one half of its key pair has to be made public, and the other half must never be.

As a result, your jury-rigged encryption would only be useful in one direction:

  • traffic encrypted with a public key would only be readable by the end holding the corresponding private key; and conversely
  • encrypting traffic with a private key would be pointless (anyone holding the corresponding public key could read it).

You could of course work around this shortcoming by having a separate key pair for each direction, but nobody does that in practice, mostly because asymmetric encryption algorithms are far more costly than symmetric ones.

Rather, traffic is exchanged over a session protected by a symmetric cipher, whose key is ephemeral - it exists only for the duration of that session.

The certificate comes into play when proving the identify of (one of) the endpoints; in doing so it offers a secondary proof against a MITM attack.

As for why certificates expire: any certificate should have a limited lifetime because:

  1. over time there is an ever-increasing (cumulative) risk that the devices holding a private key may be compromised (and you can't use a compromised key to distribute its own replacement);
  2. they may be weakened (or completely defeated) by advances in cryptanalysis;
  3. an attacker might just get lucky and guess the key; and
  4. they will eventually be threatened by Moore's Law.

A certificate's lifetime is set such that there's an extremely small chance of any of these happening before it expires.

The same arguments for key apoptosis apply equally to symmetric encryption key and private keys, but ephemeral symmetric encryption keys generally have lifetimes that are many orders of magnitude shorter than certificates, so a more significant worry is that encrypted streams might be recorded by an eavesdropped and then decrypted using new cryptanalysis techniques possibly many years later.

Improve this answer
3
  • A lot of this makes no sense. A single certificate can definitely be used to secure traffic in both directions – this is what your browser and the Stack Exchange server are doing right now. The symmetric keys are not signed. And the lifetime of symmetric keys has nothing to do with the validity period of certificates, so why mention it? Commented Jul 22, 2024 at 0:22
  • @ja1024 does this read better? Commented Jul 22, 2024 at 7:15
  • Personally, I would skip everything before "The certificate comes into play ...", because the first part only explains what TLS doesn't do and what certificates are not used for -- which seems rather confusing and superfluous. Commented Jul 22, 2024 at 9:26
0

In a nutshell, SSL provides both encryption and authentication. The expiry is not related to or caused by the encryption, but rather the authentication.

Improve this answer
1
  • 1
    I'm not sure what this adds to the accepted answer. If you think an answer is helpful, upvote it, don't repeat it. Commented Jul 24, 2024 at 12:33

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.