Chrome and Mozilla followed Apple in restricting TLS certificate validity period

Share on facebook
Share on twitter
Share on linkedin
Share on email

Over the last decade, the life expectancy of SSL/TLS certificated has lowered from 10 to only 2 years. Ballot 185 in 2017 and SC22 in 2019 were two attempts to reduce certificate lifetimes to 1 year, but they both failed due to lack of support form certificate issuers. In the latter ballot, all browser companies (Apple, Cisco, Google, Microsoft, Mozilla, Opera, 360) vote in favour of this change. Even though the ballot failed but It was somehow predictable that these companies would take a step to decrease the validity time soon. Finally, in the 19th Feb 2020 face-to-face meeting of CA/Browser Forum (CA/B Forum), Apple announced that Apple’s Safari browser will no longer trust SSL/TLS certificates with a validity of more than 398 days (one-year certificate plus the renewal grace period.)

According to Apple, TLS server certificates must not have a validity period greater than 398 days if they are issued on or after September 1, 2020, 00:00 GMT/UTC. Thus, connections to TLS servers violating these new requirements will fail that can result in network and app failures and prevent websites from loading.

But, why do we need certificates with smaller validity period?

It goes without saying that decreasing validity period is an ongoing effort to improve web security for users but to be more specific the answer can get shortlisted to three key reasons:

  1. Reducing the time period in which compromised or bogus certificates can be exploited.
  2. Quicker expiration of certificates that are issued based on retired encryption (e.g. certificates based on SHA-1).
  3. Allowing the CAs to include more recent validation data in the certificate, and it provides certificate subscribers with increased security by having them change their key pairs more frequently.

Just a few months later, Chrome and Firefox joined Apple on this matter and only accept trusted TLS server certificates with a lifetime of 398 days or less. If certificates violate this policy in Google Chrome, then they will be rejected with the ERR_CERT_VALIDITY_TOO_LONG error.

This question may arise that how many websites use TLS certificate with more than 398 days validity period. Fortunately, two well-respected security researchers (Scott Heleme and Paul Calvano) have done the calculation on two massive datasets and here is the result, roughly 25% of all the certificates have the validity of more than 398 days.

Scott looked for the result in the top 1 million websites on the web and here is the result:

No alt text provided for this image

Paul did his research on a 5 times larger dataset of HttpArchieve.org and the result backed up Scott’s findings.

No alt text provided for this image

In summary, Apple’s initiative and followups show us the power of giant technology companies in advancing security and move the industry altogether.

Ref:

https://support.apple.com/en-us/HT211025

https://chromium.googlesource.com/chromium/src/+/ae4d6809912f8171b23f6aa43c6a4e8e627de784

https://lists.cabforum.org/pipermail/servercert-wg/2020-June/002000.html

https://scotthelme.co.uk/certificate-lifetime-capped-to-1-year-from-sep-2020/

https://discuss.httparchive.org/t/certificate-validity-dates/1874

https://cabforum.org/2019/09/10/ballot-sc22-reduce-certificate-lifetimes-v2/

 

Auto Login in Ubuntu Mate

Auto-login could pose security risks to your environment. At a minimum, the auto-login enabled computer would be prone to unauthorised access of whoever passes it

Read More »

Learn anything

An article emphasising the importance of the first 20 hours in learning new skills and introducing tools and techniques to overcome distractions and increase productivity.

Read More »