hoakley October 2, 2021 Macs, Technology

Explainer: Security certificates

Considering how security certificates are supposed to ‘just work’, they get a lot of news coverage when they fall short. Only this last week, when a couple of certificates used by Let’s Encrypt expired, many users have been experiencing problems connecting to websites as a result. Yet every security certificate has an expiry date, so why should this always seem to cause problems?

Security certificates generally have two main purposes: identification, and provision of keys used for encryption and decryption. When used for some specific purposes, as in code signing certificates in macOS, the process of signing may support other purposes; in that case it’s accompanied by the calculation of cdhashes, which are used to verify the integrity of executable code by the macOS security system, and that’s why signing is required for all ARM native code running on Apple Silicon Macs.

In the rest of this article, I’ll focus on the use of security certificates for one of their most common purposes, in establishing a secure connection to a remote server using the HTTPS protocol, using Transport Layer Security (TLS), which long ago was known as the Secure Sockets Layer (SSL) and is still occasionally referred to incorrectly as being SSL.

A security certificate consists of a public key and the information required to identify its owner. The public key is part of a specially generated key pair, of which the owner keeps the private key a secret. When a certificate is used as part of an encryption protocol, the public key is used to encrypt data that need to be sent securely from client to server, and only the private key will enable its decryption.

brokencerts10

Identification of ownership relies on establishing a chain of trust going back to a Certificate Authority (CA), normally accomplished using three separate certificates. The trusted CA has a Root certificate which it signs; it then issues intermediate certificates that can be traced back to that Root certificate. At the end of the chain, a ‘leaf’, your security certificate, can be traced back to an intermediate, thus to the Root. If at any stage in that chain a certificate has expired or is not valid, then it invalidates all the security certificates from there out to the leaf.

Security certificates have a validity period determined by their not valid before and not valid after datestamps. That period is determined by the issuing Certificate Authority, and is normally long for Root and intermediate certificates, anything from 10-25 years, and shorter for individual leaf certificates, which are usually only valid for a year or two.

Like most operating systems, macOS comes with a set of standard trusted Root certificates stored in /System/Library/Keychains/SystemRootCertificates.keychain, locked down on the System volume, which are also documented for various versions of macOS in this article. Individual browsers may store their own; for example Mozilla’s Firefox are given here. You can also inspect security certificates stored in keychains using the Keychain Access app in the Utilities folder, and by clicking on the padlock at the left of the web address in the top of your browser.

When your browser tries to establish a secure HTTPS connection to a web server, it first has to ask the server for the privilege. Following that, it asks the server to identify itself using its security certificate, through a complex series of exchanges. The server sends the site’s certificate, and your browser should then check its validity. If that succeeds, your browser informs the server that it is happy to continue, completing the ‘handshake’ required to switch over to TLS. Sensitive information is then encrypted and transferred using HTTPS to the server.

Checking the validity of security certificates normally imposes a delay in the process of establishing the connection, thus the loading of the web page. To reduce the chances of that happening, browsers and operating systems try to store certificate information locally, in a database or cache. As with all such local stores, they run into trouble when the information they contain becomes out of date, and that’s likely to occur around the time that a certificate in the chain of trust expires by date. When that happens to a browser using its own cache for checking certificate validity, it can offer to work around the problem quite easily. In macOS, Safari and the WebKit underpinnings which are used by many third-party apps may not be so forgiving.

For Mac users, the biggest problems with expiring certificates haven’t occurred with websites, but when Apple’s certificates have gone out of date. As Apple is its own CA, this most commonly occurs with its intermediate certificates, and caused minor crises in February 2015, and again almost two years ago, when one of Apple’s intermediate and at least one user certificate expired on 24 October 2019. If you still have old Apple installers from before that date, they no longer work as their chain of trust is broken.

The good news is that, as far as the certificates Apple issues to third-party developers are concerned, it should be a while before we next run into problems with expiry. The rule applied to signatures on apps is that the signing certificate must have been valid at the time of signing, rather than the time of checking. So you’ll be able to carry on installing and using apps well after their signing certificate has expired.

Of more concern is Apple’s intermediate certificate against which code signing certificates are verified. For third-party apps, that doesn’t expire until 2027. That will be something to look forward to.

14Comments

Add yours

1

Ed on October 2, 2021 at 10:15 am

I don’t understand how caching can be the culprit. Obviously the expiration dates are stored with the certificates, or they would never expire at all. So why then can’t or won’t they check for new certificates upon expiry and automatically replace the old info? At *least* when it’s an intermediate certificate. Yes it’s a system service, but so what: just ask the user for an administrator password if you must (and I don’t think it should for intermediates!).

LikeLiked by 1 person
- 2
  
  hoakley on October 2, 2021 at 8:25 pm
  
  Thank you.
  I welcome better explanations, please. I don’t know why macOS doesn’t perform a fuller check and spot the updated certificates, although some of that may be because the web server hasn’t been properly configured. Let’s Encrypt gives the impression that there’s next to nothing involved, but others reckon that’s not (always) true.
  Howard.
  
  LikeLiked by 1 person
  - 3
    
    Ed on October 3, 2021 at 7:29 am
    
    Thanks. Unfortunately, and perhaps not unexpectedly, I do not have a better explanation. I agree with your analysis that caching must be at least part of the problem, and then I guess I was just throwing my hands up in the air about the deeper why.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on October 3, 2021 at 7:12 pm
      
      More coming tomorrow (Monday) morning, as I’ve completed my log analysis and present it then.
      Howard.
      
      LikeLiked by 1 person
5

Al on October 2, 2021 at 12:21 pm

So we nead an option in OS to completely disable certificate checking so we can use older or unsignes software/websites.
The problem with certificates will have significant consequences in the future, when most of the current certificates will expire. Developers will stop signing newer versions of apps and the older ones will not work. And some developers will diminish.
Privacy and security is a good thing but users should have the option to completely disable all kinds of system protection.

LikeLiked by 1 person
- 6
  
  hoakley on October 2, 2021 at 8:31 pm
  
  Leaf certificates typically only last a year, so the system copes with their frequent change. Where it seems to struggle is when intermediate and root certificates change. Disabling checking altogether only exposes the user to greater risk. It’s much better to get certificate changes working properly.
  Because app signatures work differently, their expiration isn’t a problem. What’s important with them is that the signature was still valid at the time the app was signed, which allows them to last indefinitely, subject to Apple’s intermediate and root certificates, which last very much longer.
  Giving users the option to disable all kinds of system protection is like giving them a loaded revolver. It would be catastrophic – talk to those who support third-party security products.
  Howard.
  
  LikeLike
7

Tristan Hubsch on October 2, 2021 at 12:57 pm

As you hint, it’s not just browsers: Mid-September CISCO’s “AnyConnect” VPN software (mandated by my employer) was labeled as “will damage your computer” but could not be moved to Trash because it was already open (at start-up). Yes, there are ways to start up macOS without the start-ups loading, remove the darn thing, then restart as usual, but we are talking about folks who’s computer expertise often peaks at routinely perusing Micro$oft Word and Excel. And the IT Department? Well, leave it to Mr. Murphy to orchestrate this happening exactly in the weeks my institution was hit by a (completely unrelated) ransomware attack; our IT department was “otherwise engaged,” waaay over their head.

So, yes (as Al suggests): some (preferably very user-friendly) way of stepping out of such catch-22 situations would be VERY WELCOME!.

LikeLiked by 1 person
- 8
  
  hoakley on October 2, 2021 at 8:32 pm
  
  I’m sorry to hear that. What does CISCO say?
  Howard.
  
  LikeLike
9

Rocky on October 2, 2021 at 8:11 pm

Hypothetical:
December 1 – MacOS Monterey 12.1 released with user option to disable security certificate checking.
December 2 – Hackers release tools to disable security certificate checking through advertising-delivered malware. Millions of unsophisticated users click through “Are you sure…” warnings. Chaos follows – human sacrifice, dogs and cats living together…

In other words, be careful what you ask for.

LikeLiked by 1 person
- 10
  
  hoakley on October 2, 2021 at 8:37 pm
  
  Thank you. I suspect that the tools would be released during beta-testing. Hackers do betas too!
  Howard.
  
  LikeLike
11

Jacques Distler on October 5, 2021 at 5:34 am

Webkit refuses to trust a leaf certificate with a duration longer 398 days (same with Mozilla, Chrome and every other browser vendor). LetsEncrypt’s leaf certificates expire after 90 days.

That’s not a big deal, if the server has automated the process of renewing your certificates. And it’s totally transparent on the client side.

The problem with LetsEncrypt was the expiration (at the end of September) of the Root Certificate which originally signed their Intermediate Cert. LONG before then their Intermediate Certificate was crossed-signed by a NEW Root Certificate, which IS in the Trust-Store on all my Apple devices.

Nonetheless, all hell broke loose on my Apple devices on Sept 30. Why? Because the cached version of the LetsEncrypt Intermediate Cert didn’t have the cross-signature and there seemed to be NOTHING I could do to convince macOS/iOS/… to download a new version of the Intermediate Cert.

This is a ridiculous bug in Apple’s TLS framework. Just as leaf certificates expire (and so Webkit doesn’t try to cache them past their expiration date), so (eventually) does everything else in the certificate chain. It makes no sense to cache stale data, when you KNOW it’s stale. So every sensible TLS client (i.e., everything that didn’t use Webkit) re-downloaded the certificate chain well before Sept 30 and experience no hiccups. All the Apple Apps (Safari, Mail, Calendar, Contacts, …) broke.

Of course, things would only have been worse if the new Root Certificate was absent from the Trust-Store on the locked System Volume.

LikeLiked by 1 person
12

Michael Tsai - Blog - Some Web Sites Will Stop Working With El Capitan and Older on October 8, 2021 at 8:56 pm

[…] Howard Oakley: […]

LikeLike
13

Larry on October 28, 2021 at 3:22 am

I am lost and need help about IdentTrust certificate. I don’t know how to fix it on my own. I’m using El Capitan. I called Apple of course their solution to upgrade at least to Mojave. I don’t want to upgrade. I’m getting the same NET::ERR_CERT_DATE_INVALID on several browsers, not only Chrome

LikeLiked by 1 person
- 14
  
  hoakley on October 28, 2021 at 11:26 am
  
  I’m sorry to hear that. This is yet another root certificate expiry, as explained here. If you go that link, you’ll see that it has download link for the replacement certificate. Download that, and import it into your keychain using Keychain Access (double-clicking on the certificate should do that for you). Ensure that you mark it Trust Always. That should ensure that sites relying on that root should load correctly.
  I wish you success.
  Howard.
  
  LikeLike