Apple Improves SSL/TLS Support in Latest Operating Systems

August 7, 2017 | By Kimberly Reynolds

At the annual Worldwide Developers Conference (WWDC 2017), in San Jose, California, Apple announced major updates to operating systems for its various devices – High Sierra for iOS, macOS, watchOS, and new hardware such as new iPad Pro and HomePod smart speaker. Apple made significant mention of advancements in network security standards – SSL/TLS support and cryptographic libraries.

SSL/TLS Support Enhancements

Apple to End Support for SHA-1 Signed Certificates

Considering the vulnerabilities in SHA-1 Signed Certificates, many browsers have stopped support/recognition for these certificates. Apple is following suit and will be ending SHA-1 support in the new operating systems. However, SHA-1 signed root certificates will continue to be supported. Further, private keys less than 2048-bits will also no longer be trusted. Client certificates and SSL certificates shared through Mobile Device Management will continue to be supported.

Support for TLS 1.3

In February 2017, Mozilla enabled TLS 1.3 by default in its Firefox web browser. Google Chrome had enabled TLS 1.3 but disabled it after a short period due to compatibility issues. The Internet Engineering Task Force (IETF) has not yet finalized the TLS 1.3 draft. Apple announced that it would provide support for the TLS 1.3 draft specification in High Sierra and iOS 11. This will enable developers to test TLS 1.3. Notably, Apple mentioned that TLS 1.3 offered a drastically faster handshake time that was just a third of existing TLS connection speeds.

SSL Certificate Error User Interface

Apple has redesigned the certificate viewer’s certificate error User Interface (UI) in High Sierra and in Safari. A typical certificate error UI will contain SSL-related technical terms such as signature, protocol, etc…, However, the new UI is easier to understand even for non-technical users as Apple has done away with such technical sounding SSL-related terms. The certificate viewer also displays more descriptive messaging relating to the reason why the certificate is not being trusted. This enhanced feature would be quite useful in quickly understanding the reason behind why the SSL certificate had not been trusted.

SSL Revocation Checking

Apple has introduced a new revocation checking method. Considering the issues being faced in checking for revocation of certificates, it can be considered that this enhancement is being introduced at the right time. Some experts have questioned the revocation process currently being used – from the time of discovering that the SSL certificate has been compromised to contacting the Certificate Authority for revoking and then communicating to clients about the revoked SSL certificate.

In the new revocation checking method, Apple initially scans Certificate Transparency logs to find out certs that Apple platforms trust. In the next step, it finds out the status of revocation of these certificates from the CAs. The SSL certificate revocation status is collated and this information is shared at regular intervals with Apple devices.

When a client initiates an SSL/TLS connection, it checks the centralized list for SSL Certificate revocation. If the certificate is not revoked then the connection is established. However, if it is found to be revoked, this revocation status is confirmed by conducting a live Online Certificate Status Protocol (OCSP) check with the CA. If it is confirmed as revoked then the connection is refused.

Apple is initiating significant enhancements regarding SSL certificates in its new updates to operating systems. Improvements in network security standards will offer a better and safer experience for Apple product users.

Buy SSL Certificate

Posted in SSL,Technology

Be Sociable, Share!

Leave a Comment


* fields are mandatory