Experts say organizations will need to put in some effort to cope with the change, but web security should benefit

TLS certificates now have a shortened lifespan of 398 days

New TLS server certificates issued on or after September 1 must have a lifespan of no more than 398 days to be considered valid by the major web browsers.

Trusted SSL/TLS server certificates underpin the cryptographic protocols that encrypt and protect information flowing between browsers and servers.

Certificates are issued by a Certificate Authority (CA), which verifies the owner of domains and sets the standard for trusted connections and websites.

Billions of domains utilize certificates to protect data, and CAs such as ISRG’s Let’s Encrypt offer free SSL/TLS certificates to promote their use further.

When certificates are revoked or fail, however, this can cause severe business disruption – a future that encryption services firm Venafi envisions for organizations that do not prepare for the upcoming changes.

Lifespan reduction

According to analysis conducted by Venafi, certificates’ lifespans have gradually shortened over the past decade.

Before 2011, a certificate could be considered valid for up to 96 months – roughly eight years – and by 2012, this period shortened to 60 months, or five years – a 37% reduction.

In 2015, lifespans shortened to 39 months and by 2018, a validity period of two years was adopted. Now in 2020, standard certificates will last 13 months.

Launched in 2005, the Certificate Authority Browser Forum (CA/Browser Forum) is a voluntary consortium of CAs, browser and software vendors, and operating system vendors that standardizes how certificates are managed and audited.

An earlier CA/Browser Forum ballot proposed reducing the lifespan of TLS certificates. Although it ultimately failed, members including Apple, Cisco, Google, Microsoft, Mozilla, and Opera voted in favor.

Regardless, Apple decided to push ahead with lifespan reduction. A statement issued back in March warned developers of the imminent changes.

Apple said that TLS server certificates issued by CAs on or after September 1 “must not have a validity period greater than 398 days” if they are preinstalled with iOS, iPadOS, macOS, watchOS, or tvOS.

Certificates issued before this date are not affected.

Violations of this rule, Apple says, will result in connections to TLS servers failing, potentially leading to network, app, or website disruption and loading failures.

Other organizations have since followed suit. Mozilla updated its Root Store Policy, citing improved agility, limiting exposure to compromise, and reducing the risk of TLS certificates outliving domain ownership.

Google, too, has joined the fray. CA/Browser Forum vice chairperson Dean Coclin revealed the decision on Twitter, and the change was later committed to the Chromium Git repository.
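The rule the vendors describe, as an added example in Go that is not code from the article or from any of the browser vendors: it flags a certificate issued on or after 1 September 2020 whose validity period exceeds 398 days, and leaves earlier certificates alone. It assumes the validity period is the plain difference between notAfter and notBefore (a client may count the endpoints differently), and the self-signed certificate and the hostname example.test are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Rule from the article: certificates issued on or after 1 September 2020
// must not have a validity period greater than 398 days.
var PolicyCutoff = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC)
var MaxLifetime = 398 * 24 * time.Hour

// ValidityPeriod is notAfter minus notBefore (assumption: plain difference, not inclusive).
func ValidityPeriod(cert *x509.Certificate) time.Duration {
	return cert.NotAfter.Sub(cert.NotBefore)
}

// ExceedsMaxLifetime reports whether the browser policy would reject the certificate.
// Certificates issued before the cutoff date are not affected by the rule.
func ExceedsMaxLifetime(cert *x509.Certificate) bool {
	if cert.NotBefore.Before(PolicyCutoff) {
		return false
	}
	return ValidityPeriod(cert) > MaxLifetime
}

// newTestCert builds a self-signed certificate with the given validity window.
// Constructed test data only; a real audit would parse certificates from inventory.
func newTestCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // hypothetical host
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running ExceedsMaxLifetime over the certificates in your own inventory shows which ones would start failing in Safari, Firefox, or Chrome after the change.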

Big benefits?

Concerns have arisen that organizations without automatic renewal in place may face disruption. However, cybersecurity experts including Troy Hunt see shorter certificate lifespans as a way to encourage the adoption of automated renewal.

“The big benefit will be a massively reduced period in which compromised certificates can be abused,” Hunt told The Daily Swig.

“Secondarily, more frequent renewal should drive more organizations to automate the renewal process which is going to require some upfront effort, but should ultimately lead to fewer cases of inadvertent expiration.”

Kevin Bocek, VP security strategy & threat intelligence at Venafi, said that the shortening of certificate validity periods is likely to continue.

“It’s likely that we could see certificate lifespans for all publicly trusted TLS certificates reduced to six months by early 2021 and perhaps become as short as three months by the end of next year,” Bocek says. “Actions by Apple, Google, or Mozilla could accomplish this.”
