
About the history of SSL certificates

There are constant changes in certificate technology due to various emerging data threats and software development. Below you can read a few extracts related to the creation, history and development of certificates.

These may help you understand why certificates are needed and why it matters from which Certificate Authority the certificate is obtained.

  • 1994

    Entrust sells its first PKI solution, which enables key and certificate management and encryption.

    Netscape developed the first viable version of SSL, SSL v2. Just a year later, this version was "shot down" because of serious security problems and SSL v3 was born.
  • 1999

    Life stayed peaceful until 1999, when, among other things, the entry of Microsoft led to a new naming convention and TLS v1.0 was born.
  • 2001

    In 2001, VeriSign encountered problems after someone was able to obtain a fake code signing certificate from it under the name of Microsoft.
  • 2006

    TLS v1.1 is born, which, among other things, addressed the BEAST vulnerability, although this vulnerability only came to the attention of the wider public five years later.
  • 2007

    The importance and development of certificates have accelerated throughout their existence, and certificates with a higher level of security, Extended Validation (EV) certificates, are created.
  • 2008

    The year 2008 saw interesting vulnerabilities and abuses in issuing certificates (a fake certificate was obtained for the service, StartCom and CertStar had an incomplete verification that allowed the acquisition of fake certificates).

    In the same year TLS v1.2 got its start.
  • 2009

    SSL Labs, which publishes tools for the development of better network security, is started. The same year also brings at least three vulnerabilities/exploitation methods: insecure renegotiation, sslstrip and NUL byte attacks.
  • 2010

    Google becomes active in improving the security of network traffic and implements HSTS, SPDY and False Start technologies, which improve the efficiency of SSL/TLS network traffic. The same year also brings the nasty wolf in sheep's clothing, Firesheep, which made it easy to snoop on unprotected traffic.
  • 2011

    There was an official effort to get rid of SSL v2, but was it completely successful? Maybe not. In the same year, a few failures again occurred at certificate providers. DigiNotar was hacked once more and Comodo's certificates were also successfully hijacked. Fortunately, these were noticed in time and Comodo revoked the certificates.

    Google implemented the Public Key Pinning function for the sites it owns, and over the years this has helped to find several fake companies.

    The BEAST attack came to the fore and became public in one fell swoop. Google is implementing the Forward Secrecy feature.
  • 2012

    Chrome stops checking certificate revocation lists. However, suppliers developed their own methods in order to ensure the revocation of certificates.

    HTTP/2 gets a budding baptism and the discussion around it accelerates. SSL Labs publishes the SSL Pulse service, which can be used to monitor the development of sites. This service provides a statistical view of Internet sites and their security level.

    The flames are also burning after the discovery of the FLAME malware in Iran. State actors are probably behind this.

    Microsoft starts blocking RSA keys weaker than 1024 bits. HSTS and CSP gain significant ground. The darker news is CRIME, as well as TurkTrust, which had accidentally issued CA certificates to end users.

    CA/Browser Forum publishes the so-called Baseline Requirements guidelines that all CAs must follow.
  • 2013

    Google publishes Certificate Transparency logging, which enables the export of issued certificates to public registries.

    LUCKY 13's attack method surfaces and RC4 receives a death blow in light of new research. However, it will take a few more years before this is realized in practice. Edward Snowden steps forward and makes a historic revelation about the NSA's snooping apparatus.

    TLS v1.3 development begins.

    NSA and GCHQ have developed the Bullrun and Edgehill methods to weaken encryption.

    Safari and IE11 start supporting TLS v1.2. Google starts using ChaCha20-Poly1305 in TLS; this will later be standardized for wider use.

    ANSSI CA is limited to issuing certificates only for the French region, because Google Public Key Pinning detects fake certificates issued by it.
  • 2014

    RSA 2048 will become the standard when RSA 1024 is retired. The old root and intermediate certificates are still allowed to continue with 1024.

    Firefox joins Safari and IE11 in supporting TLS v1.2.

    The Triple Handshake Attack research comes to light and TLS renegotiation needs to be reconsidered.

    HEARTBLEED in the OpenSSL Project brings vulnerabilities to the attention of the entire nation and creates a record amount of publicity and buzz among those working with certificates. On the good side, HEARTBLEED brings additional funding to the project from large organizations, and its development and repair gets a new boost. HEARTBLEED has been hiding in the project for over 20 years, perhaps this bloodshed paid off.

    Google develops its own version of OpenSSL, BoringSSL, and starts moving Chromium to it.

    NIC India frowns on issuing fake certificates and Chrome restricts the use of these root certificates to Indian domains only.

    LibreSSL gets its start, inspired by HEARTBLEED.

    Ivan Ristic publishes his book Bulletproof SSL and TLS; you can familiarize yourself with the updated version here.
  • 2015

    LOGJAM starts 2015 and SUPERFISH, a vulnerability found in Lenovo laptops, surfaces right after. The problem was a hard-coded root certificate whose private key allowed any owner of such a machine to build a working attack on the corresponding devices. This was immediately followed by Komodia and PrivDog, similar vulnerabilities.

    The IETF publishes RFC 7465 to officially ban the RC4 Cipher suite, which has been found to be weak.

    CNNIC grants a short-term Subordinate CA for test use, which was exploited. As a result, both Google and Mozilla disable CNNIC roots.

    LIVE.FI gets hit when Microsoft forgets to lock its admin email and the Finnish IT manager gets a certificate for it on wrong grounds. However, this was a benevolent act and the certificate was not used for wrong purposes.

    Firefox publishes OneCRL for certificate revocation. Before this, Firefox's only way to disable certificates was through software updates.

    Microsoft introduces the Certificate Reputation feature: Windows 10 samples the certificates encountered by users and forwards them to website owners through the Bing webmaster program.

    SMACK and FREAK vulnerabilities appear.

    Firefox drops insecure TLS Fallbacks.

    After years of debate, HTTP Public Key Pinning is published as RFC 7469, which allows protection against forged certificates.

    The TLS Fallback SCSV security mechanism is released (RFC 7507) to protect against downgrade attacks. Both Firefox and Chrome support it, but Microsoft stays off the bandwagon. Google starts to require EV certificates to be published in Certificate Transparency logs.

    HTTP/2 is published (RFC 7540), as had long been expected. All browser manufacturers have decided to release HTTP/2 with a secure protocol, even though HTTP/2 itself does not require it.

    SSL v3 is put on ice, accompanied by POODLE.

    Let's Encrypt is released; it enables the automated retrieval of certificates, for free.
  • 2016

    Most browsers remove support for the vulnerable RC4 suite.

    SHA1 certificates are no longer issued.

    With the release of RFC 7748, the Crypto Forum Research Group (CFRG) publishes two new ECC methods for standardization.

    The SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes, CVE-2015-7575) study shows how many applications (client and server) still use insecure RSA-MD5 signatures.

    Firefox 45 improves the handling of the certificate blacklist. However, the most important new feature is the Must-Staple feature, for certificates stapled with a fresh OCSP counterpart.

    DROWN again drowned the hope of clearer waters for surfing the Internet. Researchers publish DROWN exploit method against SSL v2.0. What makes the finding depressing is that, according to the estimate, approx. 33% of servers were exposed to this at the time of publication.

    Chrome stops all TLS fallback functions. This change is important because it reduces the ability of man-in-the-middle attackers to downgrade a protected connection to a lower security level. Google is also deprecating RC4 and SSLv3 and adopting HSTS. Everything looks beautiful at this point in July until SWEET32 shows how vulnerable the commonly used BLOWFISH and 3DES ciphers are.
  • 2017

    Trust in SHA-1 certificates ended in February 2017. The schedule was sped up when it was noticed that the computing power of devices has grown so dramatically that even criminals are beginning to have the opportunity to acquire the necessary equipment. SHA-2 has been making its entrance for a long time and has also caused reasonably high costs through hardware renewals. Maybe we can catch a breath before the next threat rises from the ashes. Or is it already at the door? The superior performance of quantum computers in calculations may make a dent here as well.

    Major changes have also occurred on the CA front. The current market leader, Symantec, was badly hit after giving its partners the right to independently verify and issue certificates. This led to several abuses and eventually to Google getting "pissed off" and blacklisting Symantec. In practice, this meant that certificates of Symantec's various brands were no longer trusted. DigiCert joined this mix and ended up buying Symantec's certificate business.

    The ROBOT attack becomes public at the end of 2017. This goes back to 1998, when Daniel Bleichenbacher (Bleichenbacher side channel) discovered a vulnerability that allows performing RSA decryption and signing operations with the TLS server's private key.
  • 2018

  • 2019

    The Automatic Certificate Management Environment (ACME) is standardized and published (RFC 8555).

    Google announces that Gmail will implement MTA-STS, which is practically the e-mail equivalent of the HTTP Strict Transport Security standard.

    Chrome and Firefox remove the visual highlight, a green address bar in the browser, that indicated whether an EV certificate was used on the site.
  • 2020

    A Shambles attack targeting the SHA-1 hash function is found.

    TLS 1.0 and 1.1 are disabled in browsers. In September 2020, a change comes into effect under which Apple no longer accepts certificates with a lifetime of more than 398 days. Chrome, Mozilla and Microsoft follow, and CAs are therefore forced to change their policies.

    Researchers publish a bulletin about the Raccoon attack vulnerability they discovered, which allows breaking an encrypted connection using TLS 1.2 and earlier TLS protocols in exploitable environments.

  • 2021

    The Internet Engineering Task Force (IETF) publishes RFC 8996, with which TLS 1.0 and 1.1 are deprecated because the vulnerabilities that appeared in them have been found to be irreparable.

    Chrome defaults to https:// for sites to its controls, thus improving the information security of browsers.