ECC is faster and more secure than RSA. Here's where you (still) can't use it.

Learning from Unella the Shame Nun.

July 12, 2021
We're Expedited Security. We help SAAS applications prevent and recover from attack, overcome regulatory or integration security requirements or just stop "weird" traffic before it becomes a problem.

Most sites on the internet right now use 2048 bit RSA. However that's where RSA tends to end: when sites move to stronger certificates they generally pick ECC (i.e. ECDSA) over 2048 bit RSA. Few CAs provide 4096 bit RSA keychains, and a 4096 bit RSA key signed by a 2048 bit RSA intermediary doesn't make a lot of sense.

That's because ECC is faster than older style RSA keys. On mobile devices the reduced CPU usage when making new HTTPS connections with ECC keys also means better battery life than their RSA equivalents. Modern CDNs like CloudFlare use ECC as default.

With CertSimple, we'll create a small, custom bash/powershell script that instantly makes an ECC keypair using the P-256 curve.

As of May 17th 2017, here's the curves supported by the major browsers:

secp256r1 secp384r1 secp521r1 x25519
Chrome
Edge
Firefox
Safari

You can find out what your browser supports at SSL Labs. If you see curves that start with tls_grease these aren't real curves, but actually a clever way to identify broken TLS servers.

Safe curves on the way

You'll notice x25519 is supported in 3 of the 4 major browsers. Curve 25519 is one of the 'safe curves' - easier to implement in software and therefore less prone to buggy implementations than other curves. You can't get a Curve 25519 cert signed by a CA at the moment, but there's a draft for curve 25519 use in TLS and once that's approved the Baseline Requirements created by the CA/Browser forum will likely add 25519 as an approved curve.

ECC is faster than the equivalent srength RSA certs, and that's also good for battery life. So, as we go into 2017, where can't you use an ECC HTTPS certificate?

CertSimple defaulted to ECC in July 2016. So after nearly a year we have a good idea about the current state of ECC in the wild.

Heroku

At the time of publishing, you'll want to use an RSA key for both 'Heroku SSL' and 'SSL Endpoint' services:

Heroku DevCenter mentions:

Heroku only supports RSA keys for certs. Elliptic curve (ECC) keys are not supported.

We reached out to Heroku and they confirmed they're working on fixing this.

Amazon CloudFront and Amazon Certificate Manager

The Amazon CloudFront Developer Guide mentions:

CloudFront supports only RSA public/private key pairs.

Likewise AWS Certificate Manager FAQ:

Q: Does ACM support elliptic curve (ECDSA) certificates?

Not at this time.

Amazon staff have also privately confirmed ECC support is being worked on.

Out of date F5 load balancers

This is actually fixed: F5's BIG-IP devices got ECC suppport in BIG-IP 11.4.0, released around July 2015.

However F5s are frequently used by enterprises that, through a fundamental misunderstanding of risk - that there is risk of change but no risk of stasis - don't upgrade their software frequently. If you're intending to terminate on an F5 appliance make sure it's up to date before using an ECC cert.

And finally

If you know other HTTTPS terminators that still don't yet work with ECC let us know and we'll update this document.