HTTPS on the big screen

Matthijs Langendijk
Nov 15, 2021

If there’s one thing people always underestimate on Smart TV, it’s https. On websites it can be rather easy: you can really just use any certificate from one of the popular certificate authorities out there, and you’re usually good to go. On the big screen it’s sadly not that easy. Why is that, you ask? Well, let’s find out.

Which certificate to use?

The first step towards getting https is the certificate behind it. I’m sure you’ve heard of ‘Lets Encrypt’ before, a certificate authority that provides certificates for free. LetsEncrypt has taken the https world by storm in recent years. Given that browsers started making https a requirement for websites, the free certificates from LetsEncrypt were a great way to fulfil that. And they worked on almost any device, up until a certain point. In the recent past, the 30th of September to be exact, LetsEncrypt had to drop support for a bunch of older devices. In order to understand why that happened, we first need to dive a little deeper into certificates and how they actually work under the hood.

Chain of Trust

Certificates don’t just work out of nowhere. You might have experienced this before, when you attempted to set up https on your local hosting environment. You had to create a so-called ‘self-signed’ certificate. In this process you, well, sign the certificate yourself. But even then you’re not done. Before you can use it, you need to tell your browser, or your computer in general, that it can trust the certificate. Otherwise anyone could create a certificate and it would be accepted by a browser, regardless of its validity.

But how would you achieve this with real-life certificates? You can’t just tell every browser or computer each time you generate a new certificate. That would be crazy, and not maintainable at all. This is where the so-called ‘Chain of Trust’ principle comes into play. Let’s look at the image below.

As you can see on the left, that’s you and me. We’re out here browsing a website, and we’re smart enough to use https. Security for the win. Okay, so we attempt to visit the website. The moment we attempt to make a connection, the website tells us with which certificate it wants to identify itself. That’s the ‘End-Entity’ from the image above. However, we don’t have the certificate of the ‘End Entity’ installed on our device, because that’s really just a certificate of the website itself. We’d need to have certificates for each website, as explained earlier. So how do we verify whether we can trust this certificate? This is where the Intermediate and Root certificates enter the picture.

In order for devices to trust certificates, they need to have a certificate installed. And that’s exactly what happens with Root certificates, and sometimes with Intermediate certificates, too. They are long-lasting certificates that devices install, in order to be able to verify an End-Entity certificate. Root certificates sign Intermediate certificates, and Intermediate certificates sign the End-Entity.

That’s exactly what the Chain of Trust principle is. By getting other certificates ‘in the chain’ to sign the End-Entity, the device is able to verify the connection. Even if it doesn’t recognise the End-Entity or Intermediate, it often does recognise the Root.

Lets Encrypt on Smart TV

So now that you have a rough understanding of the ‘Chain of Trust’, let’s get back to LetsEncrypt. In the beginning, LetsEncrypt had to find a way for their generated certificates to be trusted by devices. They weren’t that widely known yet, so if they had generated certificates from their own, custom Root certificate, those certificates would not have been trusted. Devices simply wouldn’t recognise any certificates in the Chain of Trust. So they had to come up with a solution. And they did.

This is where the power of Root certificates is shown very well. Because what LetsEncrypt did was very simple. It used a Root certificate that was very well supported, called ‘DST Root CA X3’. This Root certificate was widely supported on many devices, meaning that the Chain of Trust would always help out with trusting certificates from LetsEncrypt.

On the 30th of September 2021, this however changed. Because just like End-Entity certificates, Root certificates can also expire. And that’s exactly what happened with ‘DST Root CA X3’. It expired, meaning the Chain of Trust no longer helped with trusting the LetsEncrypt certificates. In the meantime, LetsEncrypt tried its best to get their own Root, ‘ISRG Root X1’, to be supported on as many devices as possible. And that’s the root cause (hah) of the problem, at least for Smart TVs. They need to install this Root certificate in order to be able to trust it.
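To make the chain-of-trust and root-expiry story concrete, here is an added example (not from the original post) that builds a Root -> Intermediate -> End-Entity chain with the OpenSSL command line and verifies it three ways: as a device with the Root installed, as a TV whose trust store never received the Root, and as a device evaluating the chain after the Root has expired while the End-Entity is still valid, the situation DST Root CA X3 created. All names and lifetimes are constructed; OpenSSL 1.1.1 or newer is assumed.

```sh
#!/bin/sh
# Added example (not from the original post): build a Root -> Intermediate ->
# End-Entity chain with the OpenSSL CLI, then verify it the way a device would.
# All names and lifetimes are constructed for this example.
set -eu
WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:tv-app.example
EOF
# Root: deliberately short-lived (30 days) so that its expiry can be simulated.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout root.key -out root.pem 2>/dev/null
# Intermediate (signed by the Root) and End-Entity (signed by the Intermediate),
# both valid for 365 days: they outlive the Root, like LetsEncrypt leaves did.
openssl req -new -config ca.cnf -subj "/CN=Example Intermediate CA" \
  -newkey rsa:2048 -nodes -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -sha256 -extfile ca.cnf -extensions ca_ext -out int.pem 2>/dev/null
openssl req -new -config ca.cnf -subj "/CN=tv-app.example" \
  -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -sha256 -extfile ca.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
# Device that has the Root installed: the chain verifies.
verify_now() { openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1; }
# Device whose trust store never received this Root (a TV without ISRG Root X1):
# the Intermediate alone is not trusted, so the chain is broken.
verify_without_root() { openssl verify -no-CAfile -no-CApath -untrusted int.pem leaf.pem >/dev/null 2>&1; }
# Same device, Root installed, but evaluated 60 days from now: leaf and
# Intermediate are still valid, yet the expired Root breaks the whole chain.
verify_after_root_expiry() {
  openssl verify -attime "$(( $(date +%s) + 60 * 86400 ))" \
    -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}
verify_now && echo "root trusted, today: OK"
verify_without_root || echo "root missing from device: FAIL (expected)"
verify_after_root_expiry || echo "root expired: FAIL (expected)"
```

Replace `-attime` with a real epoch timestamp to test how a TV with a wrong clock, or one still running years from now, would judge your chain.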

Smart TVs rarely update certificate lists

Here’s the real problem with certificates, at least for Smart TVs. Browsers like Google Chrome, Windows and Mac laptops, and many other devices get updates. They freshen up their set of supported certificates, and do so frequently (for example when a certificate ends up being hijacked).

Sadly, Smart TVs rarely get updates. This means they often don’t end up supporting newer Root certificates, even ones that we’ve come to know and use for many years now. Like the one from LetsEncrypt.

How do you combat this? Sadly the only option is relying on your experience and documentation. Finding out which certificates can still work on which devices can be a horrible experience. You need to have access to the devices you support, find documentation if it exists, and then find a certificate authority that still allows you to create new certificates with the required root. It’s a difficult job to take on, but not impossible. So we can definitely still find certificates to use on Smart TVs. But, as time goes by and roots start to expire, it’s becoming increasingly difficult.

TLS versions

Another important factor, but much easier to combat than certificates, is TLS. TLS stands for Transport Layer Security and is the successor to SSL, the Secure Sockets Layer. It’s the protocol that does the actual secure communication between devices, and it exists in multiple versions. The most recent is TLS v1.3, which we’ve seen slowly become the standard version to use. But that only works if both the sending and receiving devices support this version.

This is really just another example of how Smart TVs rarely get updates. While TLS v1.3 is more secure, it sadly isn’t supported on all devices, meaning you have no other option than to use older versions of TLS. In many cases even TLS v1.2 is not going to work, simply because the televisions never got an update to support this version. Here you’re forced to make the trade-off between security and being able to support more devices. It’s a sad realisation, and one that’s only going to get worse over time. TVs stay with us on average 8 years or even more, so not getting updates makes them inherently flawed in terms of security.

Cipher Suites

You might have heard of certificate authorities like ‘Lets Encrypt’ before. I’m almost certain you’ve heard faint talk about TLS or SSL as well, when speaking about HTTPS. But the last point in this blog is equally important, and also a lot harder to get right, especially if you care about security: Cipher Suites.

Now, I’m not going to go into the full details and things behind Cipher Suites. For that I’ll gladly refer to this page on Wikipedia, and the following excerpt:

A cipher suite is a set of algorithms that help secure a network connection. Suites typically use Transport Layer Security (TLS) or its now-deprecated predecessor Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

The key exchange algorithm is used to exchange a key between two devices. This key is used to encrypt and decrypt the messages being sent between two machines. The bulk encryption algorithm is used to encrypt the data being sent. The MAC algorithm provides data integrity checks to ensure that the data sent does not change in transit. In addition, cipher suites can include signatures and an authentication algorithm to help authenticate the server and or client.

Overall, there are hundreds of different cipher suites that contain different combinations of these algorithms. Some cipher suites offer better security than others.

That last sentence is the most important piece of information, at least for us. There are indeed hundreds of different cipher suites, some more secure than others. So if you really care about security, you want to support only the most secure suites, and skip support for the less secure ones.

Sadly, like with TLS versions and certificates, cipher suites also need to be available on the device in question. And that’s exactly the problem we’re running into here, too. Not all (newer) cipher suites are available on devices. In some cases only a small subset of older suites is available on a device.

Like certificates, getting the cipher suites right can be an interesting problem that takes some figuring out. You need to find a subset of suites that both matches your requirement for security, as well as them being available on the devices. And, as you can tell, that can be a difficult job to achieve.
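Finding that common ground is a set intersection, and the OpenSSL command line can do most of the work. The example below is added here (it is not the author’s code): it expands a server-side policy string into concrete suite names and compares them against the list a television is known to accept. The TV list is constructed for illustration; OpenSSL 1.1.1 or newer is assumed.

```sh
#!/bin/sh
# Added example (not from the original post): find the cipher suites that both
# a television's TLS stack and your server policy accept, using the OpenSSL CLI
# to expand policy strings. The TV's list below is constructed for illustration.
set -eu

# Constructed: suites a hypothetical older TV advertises in its ClientHello.
TV_SUITES="ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA"

# Expand an OpenSSL policy string into concrete suite names, one per line.
expand_policy() { openssl ciphers "$1" | tr ':' '\n'; }

# Suites the TV supports that the policy also allows: the common ground.
common_suites() {
  for s in $TV_SUITES; do
    expand_policy "$1" | grep -qxF "$s" && printf '%s\n' "$s"
  done
  return 0
}

# Suites the TV supports but the policy refuses: what you give up on that device.
dropped_suites() {
  for s in $TV_SUITES; do
    expand_policy "$1" | grep -qxF "$s" || printf '%s\n' "$s"
  done
  return 0
}

# Strict: forward secrecy plus AEAD only. Relaxed: anything OpenSSL still rates
# HIGH, but never RC4, 3DES or the NULL/anonymous suites.
STRICT='ECDHE+AESGCM:!aNULL:!eNULL'
RELAXED='HIGH:!aNULL:!eNULL:!RC4:!3DES'

echo "== strict policy, TV can use:";  common_suites "$STRICT"
echo "== relaxed policy, TV can use:"; common_suites "$RELAXED"
echo "== relaxed policy still drops:"; dropped_suites "$RELAXED"
```

If the strict policy leaves the common set empty for a device you must support, the relaxed output shows exactly which suites you are trading in for that reach, so the decision is documented rather than accidental.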

Conclusion

Knowing what to look out for when attempting to support HTTPS on the big screen is the very first step in achieving it. This blog should have given you an understanding of the three points to look out for: certificates, TLS versions, and cipher suites. In all three cases we’re dealing with the fact that televisions rarely get updates, making life ever so slightly more difficult. In all three cases your efforts will have to go to finding a common ground that all of the devices support, however difficult that may be.

HTTPS is definitely possible on Smart TVs. But it takes time, effort, costs, and trial and error. And I hope that, with this blog, I have given you some insight into things to look out for.

If you’re ever still stuck with HTTPS, for any device, and would like more information, please don’t hesitate to reach out!
