New Facebook-backed Delegated Credentials protocol aims to make the web safer
Facebook Inc., Cloudflare Inc. and the Mozilla Foundation today detailed their work on Delegated Credentials, a new security protocol that they hope will make the web safer from hackers.
Delegated Credentials complements TLS, the ubiquitous encryption protocol that sites use to establish a secure connection with browsers. TLS relies on asymmetric (public-key) cryptography to authenticate the site. It’s a tried-and-tested method of protecting data from prying eyes, but when it comes to delivering web content at scale, the approach has certain shortcomings that Delegated Credentials aims to address.
TLS’s asymmetric encryption scheme allows a browser to verify that a site is legitimate by requesting a digital certificate. That certificate, in turn, can be generated only by the real site operator using a unique private encryption key assigned to them. But if hackers somehow steal the private key, they can exploit it to impersonate the service and intercept user traffic.
That scenario is an especially big concern for large site operators such as Facebook. The social network is visited by billions of users every month and processes traffic with thousands of web servers, every single one of which has a copy of its private key. An attacker would theoretically need to compromise just one server to gain the ability to impersonate Facebook.
Enter Delegated Credentials. Rather than putting the private key on a company’s servers, the technology uses it to sign a set of new, short-lived keys that are distributed to the servers instead. The private key itself is thus kept outside the reach of any attackers who might breach the network.
The keys distributed by Delegated Credentials can theoretically be abused too, but they have one big advantage: a much shorter lifetime. Whereas sites today can change their private key only every few months or annually due to technical constraints, Delegated Credentials makes it possible to do so every few hours. That significantly shrinks the window in which an attacker who steals a key can cause damage.
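To make the mechanism in the two paragraphs above concrete, here is an added example in Go. It is not code from Facebook, Cloudflare, Mozilla or the IETF draft, and it does not reproduce the draft's wire format or its binding to the TLS handshake. The long-lived certificate key (modelled here as an ECDSA P-256 key) signs a fresh short-lived key together with an expiry; edge servers hold only that short-lived key; the browser side rejects anything that is expired, not signed by the certificate key, or whose handshake signature does not match the delegated key. The byte layout, the seven-day lifetime cap and the sample transcript are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// DelegatedCredential models the article's idea: a short-lived public key bound to
// an expiry and signed by the long-lived certificate key (layout is an assumption).
type DelegatedCredential struct {
	ValidUntil time.Time
	PublicKey  []byte // DER SubjectPublicKeyInfo of the short-lived key
	Signature  []byte // certificate key's ECDSA signature over the fields above
}

// MaxDelegationWindow caps a credential's lifetime (constructed policy value).
const MaxDelegationWindow = 7 * 24 * time.Hour

// NewSigningKey generates a P-256 key, used for the stand-in certificate key and for each delegated key.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// credentialTBS is the "to be signed" byte string: expiry || public key.
func credentialTBS(validUntil time.Time, pub []byte) []byte {
	buf := make([]byte, 8+len(pub))
	binary.BigEndian.PutUint64(buf, uint64(validUntil.Unix()))
	copy(buf[8:], pub)
	return buf
}

// IssueCredential runs wherever the certificate's private key is kept, away from the
// edge servers: mint a fresh key pair and sign its public half together with an expiry.
func IssueCredential(certKey *ecdsa.PrivateKey, now time.Time, lifetime time.Duration) (*DelegatedCredential, *ecdsa.PrivateKey, error) {
	if lifetime <= 0 || lifetime > MaxDelegationWindow {
		return nil, nil, errors.New("delegation lifetime out of range")
	}
	edgeKey, err := NewSigningKey()
	if err != nil {
		return nil, nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&edgeKey.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	validUntil := now.Add(lifetime).Truncate(time.Second)
	digest := sha256.Sum256(credentialTBS(validUntil, pub))
	sig, err := ecdsa.SignASN1(rand.Reader, certKey, digest[:])
	if err != nil {
		return nil, nil, err
	}
	return &DelegatedCredential{ValidUntil: validUntil, PublicKey: pub, Signature: sig}, edgeKey, nil
}

// SignHandshake is the edge server's job: sign the transcript with the delegated key only; the certificate key is never on this host.
func SignHandshake(edgeKey *ecdsa.PrivateKey, transcript []byte) ([]byte, error) {
	digest := sha256.Sum256(transcript)
	return ecdsa.SignASN1(rand.Reader, edgeKey, digest[:])
}

// VerifyHandshake is the browser's job: reject expired credentials, check the certificate key's signature, then the handshake signature.
func VerifyHandshake(certPub *ecdsa.PublicKey, dc *DelegatedCredential, transcript, handshakeSig []byte, now time.Time) error {
	if !now.Before(dc.ValidUntil) {
		return errors.New("delegated credential expired")
	}
	digest := sha256.Sum256(credentialTBS(dc.ValidUntil, dc.PublicKey))
	if !ecdsa.VerifyASN1(certPub, digest[:], dc.Signature) {
		return errors.New("credential not signed by the certificate key")
	}
	parsed, err := x509.ParsePKIXPublicKey(dc.PublicKey)
	if err != nil {
		return err
	}
	edgePub, ok := parsed.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("delegated key is not ECDSA")
	}
	digest = sha256.Sum256(transcript)
	if !ecdsa.VerifyASN1(edgePub, digest[:], handshakeSig) {
		return errors.New("handshake signature does not match delegated key")
	}
	return nil
}

func main() {
	certKey, _ := NewSigningKey() // stands in for the certificate's long-lived key
	dc, edgeKey, _ := IssueCredential(certKey, time.Now(), 2*time.Hour)
	transcript := []byte("constructed handshake transcript")
	sig, _ := SignHandshake(edgeKey, transcript)
	fmt.Println("now:", VerifyHandshake(&certKey.PublicKey, dc, transcript, sig, time.Now()))
	fmt.Println("after expiry:", VerifyHandshake(&certKey.PublicKey, dc, transcript, sig, dc.ValidUntil.Add(time.Minute)))
}
```

The point of the split is visible in the function boundaries: `IssueCredential` is the only place the certificate key is used, so a breached edge server yields just the short-lived `edgeKey`, which stops verifying once `ValidUntil` passes. Because the delegated key is carried as DER-encoded public-key bytes, the same structure would let the delegated key use a different algorithm from the certificate key, which is the agility the article describes later.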
“Certificates are valid only for a certain amount of time, after which they expire and browsers will reject them,” Facebook engineers Subodh Iyengar, Kyle Nekritz and Alex Guzman explained. “This way, we’ve limited how long a potential attacker could have access to a certificate before browsers reject it.”
Delegated Credentials has another, more strategic benefit: It might make it easier for companies to protect themselves against attacks on today’s encryption by future quantum computers.
It’s believed that quantum computers will one day become powerful enough to break the public-key algorithms that TLS relies on today. In response, researchers have started working on a new, more resistant generation of algorithms. Delegated Credentials lets site operators roll out new algorithms on their servers with less effort than the task requires today, which could ease the internet’s transition to the quantum era.
Facebook, Cloudflare and Mozilla have contributed the protocol to the Internet Engineering Task Force to turn it into an industry standard.