Safari to prevent website owners from using long-term TLS certificates
What you need to know
- Safari will soon warn users of websites whose TLS/SSL certificate is valid for more than 398 days.
- The change kicks in for certificates issued from September 1st.
- Some websites currently use multi-year certificates.
Apple’s making another stand on security.
Soon, Safari will warn users when a website they’re visiting is using a TLS/SSL certificate that is valid for more than 398 days. The certificate doesn’t need to have expired, either. Any certificate that was valid for more than 398 days when it was issued will automatically be flagged by the browser.
This comes following the 49th CA/Browser Forum in Slovakia, with The Register reporting that the aim is simple – ensure that web developers are using the latest certificates and technology available. Before this move, developers could assign certificates for multiple years, potentially using technology that is long out of date.
The aim of the move is to improve website security by making sure devs use certs with the latest cryptographic standards, and to reduce the number of old, neglected certificates that could potentially be stolen and re-used for phishing and drive-by malware attacks. If boffins or miscreants are able to break the cryptography in an SSL/TLS standard, short-lived certificates will ensure people migrate to more secure certs within roughly a year.
But it isn’t all good news, although those likely to face issues are those in charge of websites themselves. They probably aren’t all that keen on the idea of being forced to update their certificates sooner than was previously required. Tim Callan, of SSL management firm Sectigo, told The Register that more certificate replacements means an increased chance of something going wrong.
Companies need to look to automation to assist with certificate deployment, renewal, and lifecycle management to reduce human overhead and the risk of error as the frequency of certificate replacement increases.
Currently, both GitHub and Microsoft use two-year certificates, with microsoft.com set to be renewed in October. If Microsoft continues its two-year policy, expect to see Safari tell you that the website isn’t secure.
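As an added example (not from the article, Apple, or The Register), the Python below applies the rule described above to a certificate's dates: it measures the validity period fixed at issuance rather than the certificate's age, and exempts certificates issued before the cutoff. The function names are hypothetical, the sample certificates are constructed, and the year 2020 for the September 1st cutoff is supplied here because the article does not state it.

```python
import socket
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 398  # limit stated in the article
# The article says only "September 1st"; the year 2020 is supplied here.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)

def _parse(ts):
    """Turn a getpeercert() time string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)

def validity_days(cert):
    """Lifetime fixed at issuance (notAfter - notBefore), not the cert's age."""
    delta = _parse(cert["notAfter"]) - _parse(cert["notBefore"])
    return delta.total_seconds() / 86400

def would_be_flagged(cert, cutoff=CUTOFF):
    """True if issued on or after the cutoff with a lifetime over 398 days."""
    return _parse(cert["notBefore"]) >= cutoff and validity_days(cert) > MAX_VALIDITY_DAYS

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live server's leaf certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (dates only), not taken from real sites.
SAMPLES = {
    "two-year, issued before cutoff": {
        "notBefore": "Oct  1 00:00:00 2019 GMT", "notAfter": "Oct  1 00:00:00 2021 GMT"},
    "two-year, issued after cutoff": {
        "notBefore": "Oct 15 00:00:00 2020 GMT", "notAfter": "Oct 15 00:00:00 2022 GMT"},
    "exactly 398 days": {
        "notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  4 00:00:00 2021 GMT"},
    "399 days": {
        "notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  5 00:00:00 2021 GMT"},
}

def audit(certs):
    """Map each certificate name to whether the rule would flag it."""
    return {name: would_be_flagged(c) for name, c in certs.items()}

if __name__ == "__main__":
    for name, flagged in audit(SAMPLES).items():
        days = validity_days(SAMPLES[name])
        print(f"{name}: {days:.0f} days -> {'FLAGGED' if flagged else 'ok'}")
```

`fetch_cert` returns a dict of the same shape for a live host, so its result can be passed straight to `would_be_flagged` when auditing an inventory of sites.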