Cryptography schemes are complicated to understand and implement. A lot of things can go wrong. But when it comes to web encryption, a surprising number of errors actually stem from a straightforward and seemingly basic mechanism: timekeeping.
Synced clocks in operating systems may make digital timekeeping look easy, but it takes a lot of work[1] behind the scenes, and doesn't always solve problems online. The internet's decentralized nature means that the clocks behind every web browser and web application can actually have major discrepancies, which in turn can undermine security protections. In a step toward addressing these inconsistencies, the internet infrastructure firm Cloudflare will now support a free timekeeping protocol known as Roughtime[2], which helps synchronize the internet's clocks and validate timestamps.
Web encryption—like the protocols that produce encrypted "https" connections—uses certificates to verify an identity and to set a validity window, after which that identity must be checked and verified again. For example, WIRED.com has a valid web encryption certificate that you can check in your browser by clicking the little green padlock. It expires a few months from now, at which point WIRED will work with a certificate authority to renew it. But browsers and other web applications doing time checks with an inaccurate digital clock may accept expired certificates, or reject valid ones.
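The failure mode described above, as an added illustration that is not part of the article and not Cloudflare's or Roughtime's code: a client compares a certificate's validity window against its own clock, so a clock that is a year off rejects a good certificate, while a clock running slow accepts an expired one; the last two functions show the kind of skew check a trusted reference time makes possible. The dates, the 90-day window and the five-minute tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed validity window modelled on a typical ~90-day web certificate.
NOT_BEFORE = datetime(2018, 9, 1, tzinfo=timezone.utc)
VALIDITY_DAYS = 90
NOT_AFTER = NOT_BEFORE + timedelta(days=VALIDITY_DAYS)


def check_validity(local_now, not_before=NOT_BEFORE, not_after=NOT_AFTER):
    """Verdict a client reaches when it compares the window against its own clock."""
    if local_now < not_before:
        return "not_yet_valid"
    if local_now > not_after:
        return "expired"
    return "valid"


def verdict_under_skew(days_since_issue, skew_days):
    """Verdict for a client whose clock runs `skew_days` ahead (positive) or behind
    (negative) the true time, `days_since_issue` days after the certificate was issued."""
    true_now = NOT_BEFORE + timedelta(days=days_since_issue)
    return check_validity(true_now + timedelta(days=skew_days))


def skew_seconds(local_iso, reference_iso):
    """Signed offset of the local clock from a trusted reference time (the kind of
    answer a time service such as Roughtime provides); both are ISO 8601 with offsets."""
    local = datetime.fromisoformat(local_iso)
    reference = datetime.fromisoformat(reference_iso)
    return (local - reference).total_seconds()


def clock_trustworthy(local_iso, reference_iso, tolerance_seconds=300):
    """True when the local clock is close enough to the reference to be relied on for
    certificate validity decisions (assumed tolerance: five minutes)."""
    return abs(skew_seconds(local_iso, reference_iso)) <= tolerance_seconds


if __name__ == "__main__":
    # Day 30: the certificate is genuinely valid, yet a clock a year off rejects it.
    for skew in (0, 365, -365):
        print(f"day 30, clock off by {skew:+} days -> {verdict_under_skew(30, skew)}")
    # Day 120: the certificate has expired, yet a clock running 60 days slow accepts it.
    print(f"day 120, clock off by -60 days -> {verdict_under_skew(120, -60)}")
    # A clock two minutes behind the reference is within tolerance; a year off is not.
    print(clock_trustworthy("2018-10-01T12:00:00+00:00", "2018-10-01T12:02:00+00:00"))
    print(clock_trustworthy("2019-10-01T12:00:00+00:00", "2018-10-01T12:02:00+00:00"))
```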
"A big reason encryption fails is because someone's clock is off—the skew is actually disturbing," says Cloudflare CEO Matthew Prince. "A clock might be off by a minute, an hour, a day, a month, a year, or more. So we want to be the clock tower in every town square that people can rely on."
And Cloudflare has the reach to actually make a large-scale impact. It provides content delivery, security, and other support services to more