KeyChest Blog

Apple Safari Not Trusting Long Certs from Sept 1

Feb 23, 2020 8:28:19 PM / by Dan

Apple has decided that SSL/HTTPS certificates valid for more than about a year are too risky. As a result, the Safari browser will stop trusting new certs valid for more than 398 days (roughly 13 months). The change takes effect on September 1. What does it mean?

 

You have probably never heard of the CA/Browser Forum, as it is one of those deeply technical groups that rarely make the front pages. This time may be different: at its latest meeting Apple announced that its Safari browser will no longer trust HTTPS certificates valid for more than 398 days (about 13 months). While it may sound like a technical detail, it will certainly make life harder for many small companies.

 

The CA/Browser Forum is an industry group of certificate authorities (CAs) and browser vendors that defines the requirements CAs must follow when issuing certs for your websites. Its Baseline Requirements are also the standard against which CAs are audited. As a result, it has a direct impact on which CAs, and therefore which certificates, your computer and web browser trust.

The policy change, as announced by Apple at the Forum's meeting in Slovakia and reported by The Register, is as follows:

... from September 1, any new website cert valid for more than 398 days will not be trusted by the Safari browser and instead rejected. Older certs, issued prior to the deadline, are unaffected by this rule.

Let's Encrypt was heavily criticised when it decided to issue its free certificates with a validity of only 90 days, as such short lifetimes significantly increase the risk of outages due to expired certificates. Let's Encrypt argued that because its operation is fully automated, users can automate renewals to avoid these issues. At the same time it argued that the short lifetime mitigates the security concerns arising from fully automated issuance: a mis-issued or compromised cert is only usable until it expires. Does it sound a bit like a Catch-22? There is a logic behind it though, and the success of Let's Encrypt justifies the decision.

Figure: Operation report of KeyChest (https://keychest.net).

However, IT managers were free to purchase a long-term certificate with a validity of 2 years (and, until 2018, even 3 years) so that they would not have to think about renewals, keeping their companies online and safe. This will now change: under the new Apple policy a 2-year cert issued on or after September 1 will be rejected by Safari, so buying one means losing the more than 10% of internet users who browse with Safari.
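To make the rule concrete, here is an added example (not KeyChest's code and not part of the original post) that reads a certificate's notBefore/notAfter dates from the output of `openssl x509 -noout -startdate -enddate`, applies the 398-day rule quoted above, and reports days to expiry for monitoring. The cutoff time of 00:00 UTC on September 1, 2020 and the sample date lines are assumptions constructed for the demo, not real certificates.

```python
"""Check certificate validity against the Safari 398-day rule and report time to expiry.

Dates are taken from `openssl x509 -noout -startdate -enddate` output. The sample
outputs below are constructed for the demo, not taken from real certificates.
"""
from datetime import datetime, timedelta, timezone
import subprocess

# Assumption: the cutoff is midnight UTC on 1 Sept 2020 (the post gives only the date).
APPLE_CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_VALIDITY_DAYS = 398
# Fixed "now" so the demo is reproducible (constructed, not a real report date).
REPORT_TIME = datetime(2020, 12, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed samples in the exact format openssl prints (day is space-padded).
TWO_YEAR_AFTER_CUTOFF = "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Sep 30 23:59:59 2022 GMT\n"
TWO_YEAR_BEFORE_CUTOFF = "notBefore=Aug  1 00:00:00 2020 GMT\nnotAfter=Jul 31 23:59:59 2022 GMT\n"
EXACTLY_398_DAYS = "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Oct  4 00:00:00 2021 GMT\n"
LETS_ENCRYPT_STYLE = "notBefore=Sep 15 12:00:00 2020 GMT\nnotAfter=Dec 14 12:00:00 2020 GMT\n"


def parse_openssl_dates(text):
    """Parse the notBefore=/notAfter= lines printed by openssl into aware UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # e.g. "Oct  1 00:00:00 2020 GMT"; strptime tolerates the double space
            parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
            found[key] = parsed.replace(tzinfo=timezone.utc)
    return found["notBefore"], found["notAfter"]


def validity_days(not_before, not_after):
    """Validity period measured as notAfter minus notBefore, in (fractional) days."""
    return (not_after - not_before) / timedelta(days=1)


def safari_rejects(not_before, not_after):
    """True when Safari would reject the cert under the quoted rule: issued on or after
    the cutoff AND valid for more than 398 days. Earlier certs are grandfathered."""
    return not_before >= APPLE_CUTOFF and validity_days(not_before, not_after) > MAX_VALIDITY_DAYS


def evaluate(openssl_text, now=REPORT_TIME):
    """Full report for one certificate from its openssl date lines."""
    not_before, not_after = parse_openssl_dates(openssl_text)
    return {
        "validity_days": validity_days(not_before, not_after),
        "safari_rejects": safari_rejects(not_before, not_after),
        "days_left": (not_after - now) / timedelta(days=1),  # negative once expired
        "expired": now >= not_after,
    }


def evaluate_pem_file(path, now=None):
    """Same check on a real PEM file; needs the openssl CLI on PATH (not used by the demo)."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-startdate", "-enddate"],
        capture_output=True, text=True, check=True,
    ).stdout
    return evaluate(out, now or datetime.now(timezone.utc))


if __name__ == "__main__":
    samples = [
        ("2-year, issued after cutoff", TWO_YEAR_AFTER_CUTOFF),
        ("2-year, issued before cutoff", TWO_YEAR_BEFORE_CUTOFF),
        ("exactly 398 days", EXACTLY_398_DAYS),
        ("90-day Let's Encrypt style", LETS_ENCRYPT_STYLE),
    ]
    for name, sample in samples:
        r = evaluate(sample)
        print(f"{name:30s} validity={r['validity_days']:7.2f}d "
              f"safari_rejects={r['safari_rejects']} days_left={r['days_left']:.1f}")
```

The boundary case matters: a cert of exactly 398 days passes, one second longer fails, and a 2-year cert issued the day before the cutoff is still accepted by Safari for its full term. Run `evaluate_pem_file("/path/to/cert.pem")` against a real certificate to get the same report.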

The impact may grow as others join: cutting certificate lifetimes has been mulled by other browser vendors for some time with the aim of improving security. The justification is that a compromised key or a mis-issued cert can be exploited for at most about 13 months instead of 24, and that changes to issuance rules reach all live certificates sooner; how much that matters in real life is open to discussion.

One thing is for sure: the pain of website outages caused by expired SSL/HTTPS certificates will grow further this year, and with it the need for reliable monitoring and renewal automation.

You have better things to do. KeyChest, with its global database of web certificates, can instantly create an initial "big picture" so you can start analyzing your exposure to cyber attacks and adjust it according to your risk appetite.

Tags: certificate, https, keychest

Written by Dan