By Dan Moren
February 24, 2020 7:32 AM PT
Safari will reject long-lived HTTPS certificates starting September 1
Your life is up! Well, the life of the security certificate on your website, anyway. News out of last week’s meeting of the CA/Browser Forum is that Apple has announced Safari will no longer accept HTTPS certificates older than about 13 months, as of September 1.
For a little background: that padlock you see on your browser, telling you it’s safe to shop or transmit personal information, is regulated by cryptographic certificates, issued by organizations known as Certificate Authorities. Those certificates are generally good for a certain amount of time, after which they expire and have to be renewed.
Over time, the accepted lifetime of those certificates has gone down: previously, a certificate remained good for as long as five years, but more recently that number has been reduced to two and a half years. Many sites voluntarily use certificates that have even shorter lifetimes.
The rationale? Shorter certificate lifetimes are safer, for a variety of reasons. For one thing, it prevents a valid (and perhaps abandoned) certificate from being stolen or misappropriated by a bad actor, then used to trick consumers. While there is a process for revoking known bad certificates, it’s cumbersome and many browsers don’t even check the revocation lists.
For another, quick turnaround helps ensure that the certificates are always secured using the latest cryptographic standards. As above, if a particular manner of encryption is compromised, those old certificates are often still floating around, ripe for exploitation.
The major downside for certificates that expire more often is that it means more work for organizations that have a large number of certificates that they will now need to renew more often. But there are tools that help manage these things; the increasingly popular free Let’s Encrypt service uses certificates that expire after just 90 days, though it also offers an automated renewal system.1
At least one previous proposal to reduce the life of accepted certificates has been put to the CA/Browser Forum, but while it was widely supported by browser makers, it didn’t garner enough support from Certificate Authorities to make any head way. So Apple, in its own tried and true fashion, has apparently decided to make a unilateral change for what it believes is the best for users. So any certificates issued after September 1 of this year will be rejected if they have a lifetime exceeding 398 days. (Longer certificates issued before September 1 of this year will continue to be honored.)
Given Safari’s large market penetration, sites will have to comply or risk being flagged by Apple products. Given that, it’s highly likely that other browser makers will follow suit on this decision, and that these shorter certificate lives will become the de facto standard. Will the average user notice? Probably not, but it does mean web browsing will be more secure than it used to be.
- I use a Let’s Encrypt cert on my personal site, and it’s so amazingly simple that there’s just no reason for every site not to have HTTPS these days. ↩
[Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Twitter at @dmoren or reach him by email at firstname.lastname@example.org. His latest novel, The Aleph Extraction, is out now and available in fine book stores everywhere, so be sure to pick up a copy.]
If you appreciate articles like this one, support us by becoming a Six Colors subscriber. Subscribers get access to an exclusive podcast, members-only stories, and a special community.