Resetting certificates

Website certification underpins the key exchange that enables encrypted communication between browser clients and server applications. This is why industry giant Google launched a campaign in 2014 that all web applications should use a browser-recognised certificate authority (CA) and offer encrypted access. In practice Google proposes that all website URLs should begin with https://, the encrypted protocol, rather than http://, the identifier for its unencrypted alternative. While Longevitas applications have always offered only encrypted access, since our version 2.8 release you might have noticed a change in how we certify our web applications and services, and this blog is a brief explanation of what we've done and why.

Traditionally we used a standard CA by the name of Thawte. In addition to providing the certificate necessary for encryption, certification authorities exist to provide domain validation (DV) checking, which confirms, at a base level, that the owner of the certificate owns the website domain it is attached to. The option of more detailed third-party identity confirmation, often called extended validation (EV), was thought to be valuable for companies dealing with a broad consumer population, but is increasingly de-emphasised by major browser vendors. In any case, an important feature of DV certificates is that, after setup, the necessary checks can be automated, so certificates can be renewed more quickly, whereas EV checking will invariably incur delays and human involvement each time. Thawte (now owned by DigiCert) is a traditional CA, offering both DV and EV certificates on an annually renewable basis.

One notable consequence of annual renewability is that keys and certificates must be maintained for at least a year, and a traditional CA will offer price incentives for longer-term renewals. If any part of the website's certificate or keying material were disclosed for any reason, that more or less guarantees a lengthy time window in which the leaked information could be misused. This longer-than-necessary exposure is undesirable, so we took the business decision to move all of our 2.8 services to the open and automated CA Let's Encrypt. With Let's Encrypt it is typical for servers to be automatically re-keyed and re-certified every 60-90 days, drastically shrinking the window for misuse in the event of disclosure. If you use our services and see the following logo on your login page, we have already made the move.

New certification seal

Bottom line: this is a technical change and no further user action is required. But online security is like that: a continual process of small technical adjustments. Maintaining defence in depth means that where an opportunity arises to improve something, that opportunity should be taken. So that's exactly what we did.
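The exposure window discussed above is easy to measure on your own servers. The following is an added example (not Longevitas code) that summarises a certificate's validity period in the dictionary form Python's `ssl` module returns from `getpeercert()`, flagging lifetimes beyond the 90-day cycle the post describes; the two sample certificates and the 90-day cap are constructed assumptions for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 90  # assumed cap: the renewal cycle the post describes for Let's Encrypt


def issuer_org(cert):
    """Pull organizationName out of getpeercert()'s nested issuer tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def assess_certificate(cert, now=None):
    """Summarise a certificate's validity window and flag long lifetimes."""
    now = now or datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    lifetime_days = (not_after - not_before).days
    return {
        "issuer": issuer_org(cert),
        "lifetime_days": lifetime_days,
        "remaining_days": (not_after - now).days,
        "valid_now": not_before <= now <= not_after,
        "long_lived": lifetime_days > MAX_LIFETIME_DAYS,
    }


def assess_server(host, port=443):
    """Live check of one of your own servers; returns the same summary."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return assess_certificate(tls.getpeercert())


# Constructed sample certificates (not real issuances), in getpeercert() form:
# a 90-day automated certificate and a one-year traditional one.
SHORT_LIVED = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",
}
ANNUAL = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Annual CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
```

Run `assess_server("your.host.example")` against a server you operate to see where it sits; a `long_lived` result is the signal that a leaked key would stay usable for far longer than necessary.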

Written by: Gavin Ritchie
