New Mar. 12, 2018

The use of the HTTPS protocol on websites has become increasingly ubiquitous in the last few years and is about to become the norm for all websites. Google has planned for some time to configure the Chrome browser to label HTTP (unencrypted network connection) sites as ‘insecure’, and will implement that change in July 2018. According to some sources, the Chrome browser has a 56% market share of all browsers, so this change will be noticed by a great many users. See below for recommendations and information regarding HTTPS and Transport Layer Security (TLS), as well as further plans to improve the security of digital certificate usage.

Recommendations

  1. Based on the Google changes discussed above, ISEA recommends that all University websites be configured to support HTTPS. It is not good practice to subject users to continuous browser security labels, which will soon be ignored. User awareness and education on issues of information security is a key mitigation to the risk of malware/phishing/fraudulent activity, so it is important to ensure that messaging tools are not ignored.

Information for Website Administrators

  1. The University’s TLS digital certificate re-selling service provides certificates at no charge. See: https://isea.utoronto.ca/services/pki-certificates/
  2. For divisions/departments that wish to manage the lifecycle of digital certificates, ISEA can configure delegated management for specific domains.

Planning for Certificate Authority Authorization (CAA)

Recently, a new feature (described in RFC 6844) that uses DNS records to list the approved Certificate Authorities for a domain has come into effect in the CA industry. Public Certificate Authorities are required to honour the contents of that DNS record: if a CA is not listed in the record, it is not allowed to issue a certificate for that domain. This feature provides an additional measure of authentication and validation for the certificates used by an organization.
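The check a CA performs against CAA records can be sketched as follows. This is an added example, not ISEA's or any CA's own code: the zone data, domain names and CA identifiers are constructed, records are read from a dictionary rather than from DNS, and CNAME alias handling is left out.

```python
# Constructed CAA data: name -> list of (flags, tag, value). Not real DNS records.
CONSTRUCTED_ZONE = {
    "example.edu": [(0, "issue", "ca-one.example"),
                    (0, "iodef", "mailto:security@example.edu")],
    "locked.example.edu": [(0, "issue", ";")],            # no CA may issue
    "wild.example.edu": [(0, "issue", "ca-one.example"),
                         (0, "issuewild", "ca-two.example; account=1")],
    "odd.example.edu": [(128, "futuretag", "x")],         # critical, unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit


def relevant_caa_set(name, zone):
    """Climb from the name toward the root; return the first CAA set found."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def may_issue(ca_domain, name, zone=CONSTRUCTED_ZONE):
    """Return True if CAA permits ca_domain to issue a certificate for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa_set(name[2:] if wildcard else name, zone)
    if not rrset:
        return True   # no CAA records anywhere: issuance is not restricted
    # A critical property the CA does not understand blocks issuance.
    if any(f & CRITICAL and t.lower() not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild applies only to wildcard requests and then overrides issue.
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True   # nothing in the set restricts this kind of request
    # The CA identifier is the text before any ";" parameters; ";" alone is empty.
    allowed = {v.split(";")[0].strip().lower() for v in props}
    return ca_domain.lower() in allowed
```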

ISEA is beginning to investigate the implementation of CAA at the University and invites comments to security.admin at utoronto.ca.

More Information

Chrome Browser change:

https://www.theregister.co.uk/2018/02/08/google_chrome_http_shame/

https://blog.chromium.org/2018/02/a-secure-web-is-here-to-stay.html

CAA info:

https://support.comodo.com/index.php?/Knowledgebase/Article/View/1204/1/caa-record—certification-authority-authorization