Resetting certificates

Web site certification supports the key exchange enabling secure encrypted communication between browser clients and server applications. This is why industry giant Google launched a campaign in 2014 that all web applications should use a browser-recognised certificate authority (CA) and offer encrypted access. In practice Google proposes that all website URLs should begin with the encrypted protocol https://, rather than the identifier for the unencrypted alternative protocol http://. While Longevitas applications have always offered only encrypted access, since our version 2.8 release you might have noticed a change in how we certify our web applications and services, and this blog is a brief explanation of what we've done and why.

Traditionally we used a standard CA by the name of Thawte. In addition to providing the certificate necessary for encryption, certification authorities exist to provide domain validation (DV) checking, confirming, at a base level, that the owner of the certificate owns the website domain it is attached to. The option of more detailed third-party identity confirmation - often called extended validation (EV) - was thought to be valuable for companies dealing with a broad consumer population, but are increasingly de-emphasised by major browser vendors. In any case, an important feature of DV certificates are that after setup the necessary checks can be automated, and so certificates can be renewed more quickly while EV checking will invariably incur delays and human involvement each time. Thawte (now owned by DigiCert) is a traditional CA, offering both DV and EV certificates on an annually renewable basis.

One notable impact of annual renewability is that keys and certificates must be maintained for at least a year, and a traditional CA will offer price incentives for longer term renewals. If some aspect of website certification or keying were to be disclosed for any reason, that more or less guarantees a lengthy time window will exist for any leaked information to be misused. This longer-than-necessary exposure is undesirable and so we took the business decision to move all of our 2.8 services to use the open and automated CA Let's Encrypt. With Let's Encrypt, it is more typical to see servers automatically re-keyed and re-certified every 60-90 days, drastically closing the window for misuse in the event of disclosure. If you use our services and you see the following logo on your login page, we have already made the move.

Bottom line: this is a technical change and no further user action is required. But online security is like that - a continual process of small technical adjustments. Maintaining defence in-depth means where an opportunity arises to improve something, that opportunity should be taken. So that's exactly what we did.