SSL Certificates Will Now Be Capped At Two Years of Validity
The New Maximum SSL Certificate Validity Will Take Effect in 2018.
CAB Forum Ballot 193 has passed, which means a new, shorter maximum SSL certificate validity period.
The CAB Forum is an industry body that sets many of the rules surrounding the issuance and formatting of SSL certificates – its membership is made up of Certificate Authorities, who issue certificates, and web browsers, where SSL certificates are most frequently used.
CAB Forum Ballot 193, which was proposed by Entrust, will place a new limit on maximum lifetime for all publicly trusted SSL certificates. The new limit will be 825 days – that’s two years with some padding built in to allow for renewal and replacement – and will come into effect on March 1st of 2018.
While voting on the ballot has not officially closed yet, as of this morning, the proposal already has the required number of votes and will be approved when voting closes at 23:00 UTC tonight.
Currently, the maximum SSL certificate validity period is 3 years (39 months to be exact), and CAs will continue to issue such certificates until the new ballot comes into effect.
This will affect all users of all Certificate Authorities and every type of publicly trusted SSL certificate. Those who rely on very long-life certificates will be able to get new 3-year (39-month) certificates until March 2018, which will secure their sites into mid-2021. After that they will need to be prepared for 2-year certificate replacements, and should also keep an eye out for the maximum SSL certificate validity to shorten even further as the industry moves toward a yearly model.
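The practical check that follows from the two limits above is an inventory script that flags certificates whose validity period exceeds the cap that applied when they were issued (39 months before March 1st, 2018; 825 days from that date on). The following is an added example, not code from the original article or from the CAB Forum: it parses the `notBefore=`/`notAfter=` lines that `openssl x509 -noout -dates` prints, measures the validity period as notAfter minus notBefore (an assumption; it makes no inclusive-second adjustment), and reports how far over the cap a certificate is. The three sample outputs are constructed for the example and do not come from real certificates.

```python
"""Flag certificate validity periods against the CA/B Forum caps.

Input is the text printed by `openssl x509 -noout -dates`, e.g.
    notBefore=Jan 15 00:00:00 2017 GMT
    notAfter=Apr 14 23:59:59 2020 GMT
Rule schedule (as described in the article): 39 months for certificates
issued before 2018-03-01, 825 days from that date on. Validity period is
taken as notAfter - notBefore (assumption: no inclusive-second adjustment).
"""
import calendar
from datetime import datetime, timedelta

BALLOT_193_EFFECTIVE = datetime(2018, 3, 1)
NEW_CAP_DAYS = 825      # Ballot 193 limit
OLD_CAP_MONTHS = 39     # previous Baseline Requirements limit


def parse_openssl_date(value: str) -> datetime:
    """Parse 'Mar  1 00:00:00 2018 GMT'. openssl pads the day to two
    columns, so whitespace is normalised before matching the format."""
    return datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y %Z")


def parse_dates_output(text: str):
    """Return (notBefore, notAfter) from `openssl x509 -noout -dates` output."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = parse_openssl_date(value)
    return fields["notBefore"], fields["notAfter"]


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic; the day is clamped to the target month's
    length (Jan 31 + 1 month -> Feb 28/29) because '39 months' is a
    calendar limit, not a fixed number of days."""
    total = dt.month - 1 + months
    year, month = dt.year + total // 12, total % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def max_not_after(not_before: datetime) -> datetime:
    """Latest permitted notAfter for a certificate issued at not_before."""
    if not_before >= BALLOT_193_EFFECTIVE:
        return not_before + timedelta(days=NEW_CAP_DAYS)
    return add_months(not_before, OLD_CAP_MONTHS)


def check_validity(text: str) -> dict:
    """Evaluate one certificate's dates against the cap in force at issuance."""
    not_before, not_after = parse_dates_output(text)
    limit = max_not_after(not_before)
    return {
        "validity_days": (not_after - not_before).days,
        "cap": "825 days" if not_before >= BALLOT_193_EFFECTIVE else "39 months",
        "compliant": not_after <= limit,
        "excess_days": max(0, (not_after - limit).days),
    }


# Constructed sample output for the example; not taken from real certificates.
LEGACY_3_YEAR = (
    "notBefore=Jan 15 00:00:00 2017 GMT\n"
    "notAfter=Apr 14 23:59:59 2020 GMT\n"
)
POST_BALLOT_3_YEAR = (
    "notBefore=Mar  1 00:00:00 2018 GMT\n"
    "notAfter=Feb 28 23:59:59 2021 GMT\n"
)
POST_BALLOT_2_YEAR = (
    "notBefore=Mar  1 00:00:00 2018 GMT\n"
    "notAfter=Jun  3 00:00:00 2020 GMT\n"
)

if __name__ == "__main__":
    for name, sample in [
        ("legacy 39-month cert", LEGACY_3_YEAR),
        ("3-year cert issued after Ballot 193", POST_BALLOT_3_YEAR),
        ("825-day cert issued after Ballot 193", POST_BALLOT_2_YEAR),
    ]:
        print(f"{name}: {check_validity(sample)}")
```

In a real inventory you would feed `check_validity` the output of `openssl x509 -in cert.pem -noout -dates` for each certificate; anything reported with `compliant: False` is a certificate a publicly trusted CA should not have issued under the rules in force at its notBefore date, and the `excess_days` figure tells you how much shorter the replacement has to be.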
Long-life certificates create problems for the industry because they place a lengthy lower bound on how quickly changes take effect. For example, any ballot or regulation adopted today would not be fully in effect for 39 months, when the last certificates issued under the old rules expire. While long-life certificates let individual users spend less time reinstalling certificates, they create too many problems for the ecosystem as a whole.
Beyond CAB Forum Ballot 193
Last month Google proposed its own ballot, which would have limited certificates to only 13 months. However, that ballot was widely opposed by both CAs and other browsers and was not passed.
The industry disagreed with Google’s specific changes – which would have quickly implemented a drastic reduction in the maximum allowed lifetime – but agreed that a serious move towards shorter lifetime was needed. CAB Forum Ballot 193 was proposed quickly after
Google has recently made its interest in shorter certificate maximums clear, citing the security problems that long-lived certificates pose. When its ballot failed, Google’s representative Ryan Sleevi suggested that Google may use other means to reduce maximums. As the distributor of a browser, Google is free to set its own requirements for a certificate to be trusted in Chrome.
While those rules would not bind any other browser, in practice Google’s requirements would become the de facto standard if they were stricter than what the CAB Forum set. A certificate that is not trusted in every major browser is of little use, so CAs would have no choice but to comply.
Sleevi has not recently made any statements about creating such a requirement and given that other browsers opposed 13-month certificates, it may be unlikely that Google puts a policy into place that the industry disagrees with.
Regardless of Google making a unilateral move, the industry will continue to pursue shorter certificate lifetimes. While these changes will happen slowly, all users of certificates should start mentally (and logistically) preparing themselves for a future with yearly renewals and replacements.