Story by Steven Martis.
The lifespan of SSL/TLS certificates dropped again! This time, Apple’s Safari did the deed. But what’s with this SSL shrinkage, and what does it mean for security?
Now, this news seems like a small step in a long trend that’s been going on for years–but this change is different. This time, it has implications for the future of SSL.
I first heard about SSL certificate validity in 2011 while working at a large Phoenix-based domain registrar. Since I was interning with the SSL/PKI department, I had learned how Wildcard and Extended Validation certificates were different from standard SSL certificates.
At the time, I remembered hearing that certificates would only stay valid for 5 years because of a new body called the Certification Authority Browser Forum. This forum was made up of the major certificate authorities and the big-league browser makers, so you knew it held weight.
When they decided that the original 8 and 10-year certificates were too long-term, their opinion made all the difference. Of course, the thinking was sound. A certificate that expires sooner gives whoever steals its private key (or a CA that mis-issued it) a shorter window to exploit, and it forces the whole web to pick up new requirements, such as retiring weak signature algorithms, much faster.
Over time, this trend continued. In 2015, the maximum validity dropped to 39 months. In 2018, it dropped again, to 825 days (a little over two years). Now Apple has announced that, beginning September 1st, 2020, its devices, Safari included, will no longer trust any newly issued TLS server certificate that is valid for more than 398 days. That’s a big change! But what does this mean for people with websites using HTTPS?
What’s Next For SSL/TLS?
For current certificates, not much. The rule applies only to certificates issued on or after the cutoff date, so existing certificates stay trusted until their stated expiration, even if the term was longer than 398 days. It’s all the new ones that get hit. Once a certificate expires, browsers warn visitors that the connection is not secure until the site owner renews it (and, ideally, generates a fresh key pair at the same time).
This shorter validity may change services a lot. Certificate Authorities, like GoDaddy, can still sell multiple years upfront, but they now have to issue a fresh certificate of at most 398 days every year, so it’s very likely that they will automate renewal and reissuance, much as Let’s Encrypt clients already do with the ACME protocol. If so, we will see huge changes. Renewing and installing certificates by hand is complicated and easy to get wrong, and a forgotten renewal takes a site down. Automation would make SSL more attractive to average website owners, even if they don’t have a lot of technical knowledge and may want some development help.
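The two questions the last two paragraphs raise in practice are "will the certificate I am about to deploy be trusted under the 398-day rule?" and "when does the renewal automation need to fire?". The following is an added example, not code from the original post: a standard-library Python script that takes the notBefore/notAfter values in the dictionary Python's ssl module returns for a peer certificate, measures the lifetime against the 825-day (March 2018) and 398-day (September 2020) caps, and reports whether the certificate is expired or due for renewal. The sample windows and the fixed "today" date are constructed for illustration, and the rule of renewing once a third of the lifetime remains is an assumption of mine, not something the post or Apple specifies.

```python
"""Added example (not from the post): check a server certificate's lifetime
against the root-program caps the post describes, using only the Python
standard library.  The cap dates and day counts are real policy values; the
renewal rule and the sample windows are constructed for illustration."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

ONE_DAY = timedelta(days=1)

# Maximum notBefore..notAfter span a publicly trusted server certificate may
# have, keyed by the earliest issuance date each cap applies to.  825 days is
# the CA/B Forum Baseline Requirements cap from 1 March 2018; 398 days is the
# cap Apple announced for certificates issued on or after 1 September 2020
# (Chrome, Mozilla and the Baseline Requirements adopted the same limit).
LIFETIME_CAPS = (
    (datetime(2020, 9, 1, tzinfo=timezone.utc), 398),
    (datetime(2018, 3, 1, tzinfo=timezone.utc), 825),
)

# Constructed "today" used by the demo so its results are deterministic.
SAMPLE_NOW = datetime(2021, 9, 1, tzinfo=timezone.utc)


def lifetime_cap_days(not_before):
    """Cap (in days) that applied when the certificate was issued, or None if
    it predates both regimes modelled here."""
    for since, cap in LIFETIME_CAPS:
        if not_before >= since:
            return cap
    return None


def assess_lifetime(not_before, not_after, now=None):
    """Summarise a validity window given as timezone-aware datetimes.

    The cap is compared against notAfter - notBefore, which is how trust
    stores apply it.  The Baseline Requirements count both endpoints, so a CA
    issuing at exactly the cap sets notAfter one second short of it; that is
    why real certificates come in a hair under 398 days rather than at it.
    """
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    if now is None:
        now = datetime.now(timezone.utc)
    lifetime = not_after - not_before
    cap = lifetime_cap_days(not_before)
    # Assumed renewal policy (not from the post): renew once a third of the
    # lifetime is left, the 30-of-90-days rhythm Let's Encrypt clients use.
    renew_by = not_after - lifetime / 3
    return {
        "validity_days": lifetime / ONE_DAY,
        "cap_days": cap,
        "exceeds_cap": cap is not None and lifetime > cap * ONE_DAY,
        "expired": now >= not_after,
        "days_remaining": (not_after - now) / ONE_DAY,
        "renew_by": renew_by,
        "renewal_due": now >= renew_by,
    }


def window_from_peercert(cert):
    """(notBefore, notAfter) from the dict ssl.SSLSocket.getpeercert() returns."""
    def to_utc(text):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)
    return to_utc(cert["notBefore"]), to_utc(cert["notAfter"])


def fetch_peercert(host, port=443, timeout=5.0):
    """Fetch the live, chain-validated certificate for host (needs network)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample windows in getpeercert() format; none is a real certificate.
SAMPLES = {
    "2-year cert issued the day before Apple's cutoff": {
        "notBefore": "Aug 31 00:00:00 2020 GMT", "notAfter": "Dec  4 00:00:00 2022 GMT"},
    "398-day cert issued on the cutoff (allowed)": {
        "notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  4 00:00:00 2021 GMT"},
    "399-day cert issued on the cutoff (rejected)": {
        "notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  5 00:00:00 2021 GMT"},
    "90-day Let's Encrypt style cert, already expired": {
        "notBefore": "Jun  1 00:00:00 2021 GMT", "notAfter": "Aug 30 00:00:00 2021 GMT"},
}


def report(label, cert, now):
    """Print a one-line verdict for a getpeercert()-style dict."""
    nb, na = window_from_peercert(cert)
    v = assess_lifetime(nb, na, now)
    status = ("EXPIRED" if v["expired"] else
              "TOO LONG: rejected by current trust stores" if v["exceeds_cap"] else
              "renewal due" if v["renewal_due"] else "ok")
    print(f"{label}: {v['validity_days']:.0f} days, cap {v['cap_days']}, "
          f"{v['days_remaining']:.0f} days left, renew by {v['renew_by']:%Y-%m-%d}: {status}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python lifetime_check.py example.com
        report(sys.argv[1], fetch_peercert(sys.argv[1]), datetime.now(timezone.utc))
    else:
        for label, cert in SAMPLES.items():
            report(label, cert, SAMPLE_NOW)
```

Run it with no arguments to see the four constructed windows judged, or pass a hostname to fetch and judge a live site's certificate. Note that the check is about lifetime only: a certificate under the cap can still be rejected for other reasons (untrusted chain, hostname mismatch, revocation), which `fetch_peercert` surfaces as an SSLError because it uses a default, validating context.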
SSL shrinkage shows no signs of stopping. Services like Let’s Encrypt, which issues free 90-day certificates, have made SSL more accessible. We’re likely to see certificate validity drop to 365 days, or even below that. And since hosting companies like WP Engine issue and renew those certificates for their customers automatically, people will keep using them.
Is this the end of SSL as we know it? It’s hard to say. But we do know one thing: we’re only going to see more free, short-validity SSL certificates–and that’s a good thing for security.