{"id":2513,"date":"2019-11-01T06:01:16","date_gmt":"2019-11-01T13:01:16","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2513"},"modified":"2019-10-31T11:55:31","modified_gmt":"2019-10-31T18:55:31","slug":"validating-delegated-credentials-for-tls-in-firefox","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2019\/11\/01\/validating-delegated-credentials-for-tls-in-firefox\/","title":{"rendered":"Validating Delegated Credentials for TLS in Firefox"},"content":{"rendered":"<p>At Mozilla we are well aware of how fragile the Web Public Key Infrastructure (PKI) can be. From fraudulent Certification Authorities (CAs) to implementation errors that leak private keys, users, often unknowingly, are put in a position where their ability to establish trust on the Web is compromised. Therefore, in keeping with our <a href=\"https:\/\/www.mozilla.org\/en-GB\/about\/manifesto\/\">mission<\/a> to create a Web where individuals are empowered, independent and safe, we welcome ideas that are aimed at making the Web PKI more robust. With initiatives like our <a href=\"https:\/\/www.ccadb.org\/\">Common CA Database (CCADB)<\/a>, <a href=\"https:\/\/ieeexplore.ieee.org\/document\/7958597\">CRLite<\/a> prototyping, and our involvement in the <a href=\"https:\/\/cabforum.org\/\">CA\/Browser Forum<\/a>, we\u2019re committed to this objective, and this is why we embraced the opportunity to partner with Cloudflare to test Delegated Credentials for TLS in Firefox, <a href=\"https:\/\/tools.ietf.org\/html\/draft-ietf-tls-subcerts-04\">which is currently undergoing standardization at the IETF.<\/a><\/p>\n<p>As CAs are responsible for the creation of digital certificates, they dictate the lifetime of an issued certificate, as well as its usage parameters. Traditionally, end-entity certificates are long-lived, exhibiting lifetimes of more than one year. 
For server operators making use of Content Delivery Networks (CDNs) such as Cloudflare, this can be problematic because the CDN must be trusted with sensitive private key material. Of course, Cloudflare has <a href=\"https:\/\/blog.cloudflare.com\/introducing-cloudflare-geo-key-manager\/\">architectural <\/a><a href=\"https:\/\/www.cloudflare.com\/ssl\/keyless-ssl\/\">solutions<\/a> for such key material, but these add unwanted latency to connections and present operational difficulties. To limit exposure, a short-lived certificate would be preferable for this setting. However, constant communication with an external CA to obtain short-lived certificates could result in poor performance or, even worse, loss of access to a service entirely.<\/p>\n<p>The Delegated Credentials mechanism decentralizes the problem by allowing a TLS server to issue short-lived authentication credentials (with a validity period of no longer than 7 days) that are cryptographically bound to a CA-issued certificate. These short-lived credentials then serve as the authentication keys in a regular TLS 1.3 connection between a Firefox client and a CDN edge server situated in a low-trust zone (where the risk of compromise might be higher than usual and perhaps go undetected). This way, performance isn\u2019t hindered and the compromise window is limited. For further technical details see <a href=\"https:\/\/blog.cloudflare.com\/keyless-delegation\/\">this excellent blog post by Cloudflare<\/a> on the subject.<\/p>\n<h2>See How The Experiment Works<\/h2>\n<p>We will soon test Delegated Credentials in Firefox Nightly via an experimental addon, called <b>TLS Delegated Credentials Experiment<\/b>. In this experiment, the addon will make a single request to a Cloudflare-managed host that supports Delegated Credentials. 
The Delegated Credentials feature is disabled in Firefox by default, but depending on the experiment conditions, the addon will toggle it on for the duration of this request. The connection result, including whether Delegated Credentials were enabled, gets reported via telemetry to allow for comparative study. From this we\u2019re hoping to gain better insight into how effective and stable Delegated Credentials are in the real world and, more importantly, into any negative impact on user experience (for example, increased connection failure rates or slower TLS handshake times). The study is expected to start in mid-November and run for two weeks.<\/p>\n<p>For specific details on the telemetry and how measurements will take place, see <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1564179\">bug 1564179<\/a>.<\/p>\n<h2>See The Results In Firefox<\/h2>\n<p>You can open a Firefox Nightly or Beta window and navigate to <b>about:telemetry<\/b>. In the top-right there is a Search box, where you can search for \u201c<b>delegated<\/b>\u201d to find all telemetry entries from our experiment. If Delegated Credentials have been used and telemetry is enabled, you can expect to see the count of Delegated Credentials-enabled handshakes as well as the time-to-completion of each. 
Additionally, if the addon has run the test, you can see the test result under the \u201c<b>Keyed Scalars<\/b>\u201d section.<\/p>\n<div id=\"attachment_2515\" style=\"width: 560px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2019\/11\/DelegatedCredentialsTelemetry.png\"><img aria-describedby=\"caption-attachment-2515\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-2515\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2019\/11\/DelegatedCredentialsTelemetry-252x196.png\" alt=\"Delegated Credentials telemetry in Nightly 72\" width=\"550\" height=\"429\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2019\/11\/DelegatedCredentialsTelemetry-252x196.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2019\/11\/DelegatedCredentialsTelemetry-768x599.png 768w, https:\/\/blog.mozilla.org\/security\/files\/2019\/11\/DelegatedCredentialsTelemetry-600x468.png 600w, https:\/\/blog.mozilla.org\/security\/files\/2019\/11\/DelegatedCredentialsTelemetry.png 1392w\" sizes=\"(max-width: 550px) 100vw, 550px\" \/><\/a><p id=\"caption-attachment-2515\" class=\"wp-caption-text\">Delegated Credentials telemetry in Nightly 72<\/p><\/div>\n<p>You can also read more about telemetry, studies, and Mozilla\u2019s privacy policy by navigating to <b>about:preferences#privacy<\/b>.<\/p>\n<h2>See It In Action<\/h2>\n<p>If you&#8217;d like to enable Delegated Credentials for your own testing or use, this can be done by:<\/p>\n<ol>\n<li>In a Firefox Nightly or Beta window, navigate to <b>about:config<\/b>.<\/li>\n<li>Search for the \u201c<b>security.tls.enable_delegated_credentials\u201d<\/b> preference &#8211; the preference list will update as you type, and \u201cdelegated\u201d is itself enough to find the correct preference.<\/li>\n<li>Click the Toggle button to set the value to <b>true<\/b>.<\/li>\n<li>Navigate to <a href=\"https:\/\/dc.crypto.mozilla.org\/\">https:\/\/dc.crypto.mozilla.org\/<\/a><\/li>\n<li>If needed, toggling 
the value back to <b>false<\/b> will disable Delegated Credentials.<\/li>\n<\/ol>\n<p>Note that currently, use of Delegated Credentials doesn\u2019t appear anywhere in the Firefox UI. This will change as we evolve the implementation.<\/p>\n<p>We would sincerely like to thank <a href=\"https:\/\/cjpatton.net\/\">Christopher Patton<\/a>, fellow Mozillian Wayne Thayer, and the Cloudflare team, particularly Nick Sullivan and Watson Ladd for helping us to get to this point with the Delegated Credentials feature. The Mozilla team will keep you informed on the development of this feature for use in Firefox, and we look forward to sharing our results in a future blog post.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At Mozilla we are well aware of how fragile the Web Public Key Infrastructure (PKI) can be. From fraudulent Certification Authorities (CAs) to implementation errors that leak private keys, users, &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2019\/11\/01\/validating-delegated-credentials-for-tls-in-firefox\/\">Read more<\/a><\/p>\n","protected":false},"author":1725,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[320796,69,45499],"tags":[327150,19537,45499],"coauthors":[327147,45540,447602],"yoast_head_json":{"title":"Validating Delegated Credentials for TLS in Firefox - Mozilla Security Blog","description":"Firefox is testing Delegated Credentials for TLS, letting networks generate their own short-lived certificates, intended for low-security webservers.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2019\/11\/01\/validating-delegated-credentials-for-tls-in-firefox\/","twitter_misc":{"Written by":"Kevin Jacobs, J.C. Jones, Thyla van der Merwe","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2019\/11\/01\/validating-delegated-credentials-for-tls-in-firefox\/","url":"https:\/\/blog.mozilla.org\/security\/2019\/11\/01\/validating-delegated-credentials-for-tls-in-firefox\/","name":"Validating Delegated Credentials for TLS in Firefox - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/security\/2019\/11\/01\/validating-delegated-credentials-for-tls-in-firefox\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/security\/2019\/11\/01\/validating-delegated-credentials-for-tls-in-firefox\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/security\/files\/2019\/11\/DelegatedCredentialsTelemetry-252x196.png","datePublished":"2019-11-01T13:01:16+00:00","dateModified":"2019-10-31T18:55:31+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70f5c1fa80b570beb3471f1bd0ab52d1"},"description":"Firefox is testing Delegated Credentials for TLS, letting networks generate their own short-lived certificates, intended for low-security webservers.","breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2019\/11\/01\/validating-delegated-credentials-for-tls-in-firefox\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2019\/11\/01\/validating-delegated-credentials-for-tls-in-firefox\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/2019\/11\/01\/validating-delegated-credentials-for-tls-in-firefox\/#primaryimage","url":"https:\/\/blog.mozilla.org\/security\/files\/2019\/11\/DelegatedCredentialsTelemetry.png","contentUrl":"https:\/\/blog.mozilla.org\/security\/files\/2019\/11\/DelegatedCredentialsTelemetry.png","width":1392,"height":1085,"caption":"Delegated 
telemetry in Nightly 72"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2019\/11\/01\/validating-delegated-credentials-for-tls-in-firefox\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Validating Delegated Credentials for TLS in Firefox"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70f5c1fa80b570beb3471f1bd0ab52d1","name":"Kevin Jacobs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8cfc33caf633741f18861dfce24d10d3","url":"https:\/\/secure.gravatar.com\/avatar\/728c05cda6abbaa330d7045b9ecd123f?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/728c05cda6abbaa330d7045b9ecd123f?s=96&d=identicon&r=g","caption":"Kevin Jacobs"},"description":"Cryptography Engineer at 
Mozilla"}]}}}