Expiration Helps SSL Stay Secure, and No, It’s Not a CA Conspiracy.
One of the most common things we hear from our more skeptical customers is, “why do SSL certificates expire? Isn’t it just a Certificate Authority scam so I have to buy a new certificate and they can make more money?”
Granted, that’s not a totally unwarranted comment. After all, installing an SSL certificate year in and year out can be frustrating. And when you look at all those bills, you may be inclined to think that these companies have created one heck of a racket.
But, the reality is that certificate expiration is incredibly important to the security guarantees of SSL—in fact, without expiration, SSL certificates would be useless.
First, let’s understand how SSL certificates expire: Every SSL certificate has a validity period – a date range during which the certificate is valid and can be used to establish secure connections. After that validity period ends, SSL certificates expire. Browsers and other software stop accepting expired certificates and display a warning when you try to use one. It’s similar to how a government ID or credit card expires.
Certificate validity exists because one of the core features of SSL is server authentication. This allows the client (usually your web browser) to know the identity of the server it is connecting to.
Without server authentication, you would not know if you are connecting to the authentic website, or someone else spoofing that site. Believe it or not, that is incredibly easy to do without the protections of SSL.
Checking if a certificate has expired is part of server authentication, and it’s not just to see if some arbitrary date has come and gone.
Getting an SSL certificate from a publicly-trusted Certificate Authority (CA) like Symantec or Comodo requires that you prove ownership of the requested domain by following industry-standard requirements.
These requirements ensure that you cannot get an SSL certificate for a site you do not own (amongst other things). The CA digitally signs your certificate to tell other devices the information contained in it is accurate, and the validity period tells them how long that information can be relied upon.
Just like a government ID or passport, it’s important that the information is occasionally rechecked. Imagine if you never had to get a passport or driver’s license renewed! Many people would still be carrying around IDs with a picture of them from when they were sixteen and much shorter. Using those IDs for accurate identification would be much harder and far less reliable.
Of course, in the world of technology, things move much faster, so SSL certificate expiration is often done every year instead of every decade. Digital identity is also different from real-world identity. Domains change hands all the time, so you wouldn’t want a previous owner holding onto a nearly-forgotten but still valid certificate. That is a situation ripe for misuse.
SSL certificates don’t just validate a domain name. OV and EV SSL certificates include the name and location of the company that legally owns them. That information can be used to more precisely identify a website, and it’s important that it stays up-to-date.
On the less malicious side, the longer any file is around the more likely it is to get duplicated all over the place and stored insecurely. When we are talking about encryption keys, that is undesirable.
But It Just Expired Yesterday!
Sure, a certificate that expired a day ago may seem safe to use. You may question what the harm could be. Unfortunately, with SSL certificates, it isn’t so easy to find out. It’s not like you can just give it the ol’ smell test like you would with that suspicious milk in the fridge.
A certificate that has just expired may still be safe to use. But you have no way of knowing if that private key is still being properly protected, if the domain has changed hands since the certificate was issued, etc. Once a certificate expires, CAs are no longer required to publish the revocation status of that certificate, so you can no longer know if that certificate had been revoked or compromised.
It’s simply too difficult to establish a grace period where it’s still safe to use an expired certificate, and doing so would only lead to the measuring stick being moved more and more over time. First, it would be okay if the cert was just one day past expiration, then slowly we would allow two days, then a week, and on and on. There is a reason certificates have a firm validity period, and we should all stick to it.
Encouraging users to ignore or “click through” certificate warnings is bad security hygiene, and risks devaluing the meaning of warnings. This, in turn, puts users at risk of ignoring a warning that’s much more dangerous.
So, while it may be a pain to stay on top of all your certificates, do your users (and the internet) a favor and set up a reminder (most SSL providers let you set up email notifications when renewal is approaching) or put it on your calendar.
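As an added example (not part of the original article), here is a Python sketch of the validity-period check and renewal reminder described above, applied to certificate dictionaries in the shape returned by `ssl.SSLSocket.getpeercert()`. The hostnames, dates and the 30-day reminder threshold are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=30)  # assumed reminder threshold, not from the article

# Constructed sample data in the shape returned by SSLSocket.getpeercert()
SAMPLE_NOW = datetime(2024, 12, 15, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "shop.example": {"notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan  1 00:00:00 2025 GMT"},
    "blog.example": {"notBefore": "Dec 14 00:00:00 2023 GMT", "notAfter": "Dec 14 00:00:00 2024 GMT"},
    "api.example": {"notBefore": "Jun  1 00:00:00 2024 GMT", "notAfter": "Jun  1 00:00:00 2025 GMT"},
    "new.example": {"notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Jan  1 00:00:00 2026 GMT"},
}


def parse_cert_time(cert_time):
    """Convert a certificate time such as 'Jan  1 00:00:00 2025 GMT' to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def validity_status(cert, now):
    """Classify a certificate against its validity period at time `now`."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"  # no grace period: one second late is expired
    if not_after - now <= RENEW_WINDOW:
        return "renew-soon"
    return "valid"


def renewal_report(inventory, now):
    """Return (host, status, whole_days_left) tuples, soonest expiry first."""
    rows = [(host, validity_status(cert, now), (parse_cert_time(cert["notAfter"]) - now).days)
            for host, cert in inventory.items()]
    return sorted(rows, key=lambda row: row[2])


def fetch_cert(host, port=443, timeout=5.0):
    """Live use: fetch a server's certificate. The default context verifies the
    chain, so an already-expired certificate raises SSLCertVerificationError."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Calling `renewal_report(SAMPLE_INVENTORY, SAMPLE_NOW)` lists the expired certificate first, then the one inside the reminder window; in scheduled use, the inventory would be built from `fetch_cert()` results and `datetime.now(timezone.utc)`.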
New Certificates are Agile Certificates
In the world of technology, legacy is a four-letter word. I’m sure we all know some company or network running Windows XP or some other horribly outdated piece of technology. That’s because it is very difficult to force people to upgrade, and supporting those old systems is difficult and often creates security vulnerabilities.
A nice side-effect of certificate expiration is that it helps keep SSL practices modern.
There was a point where it was possible to get certificates for five years or more. Today, the limit is three years, and the industry may be looking to reduce it even further.
Shorter certificate validity makes it much easier to update security standards. Last year the entire internet migrated to the new SHA-2 signature algorithm. It was a bit bumpy because of those really old 5+ year certificates out there.
From a policy standpoint, long validity periods are a nightmare. From the day a new policy was enacted, you had to wait up to five years for everyone’s current certificate to expire and start following the new standard, and in the meantime, you needed contingency plans on how to handle those that did not. In some cases that meant forcing users to upgrade mid-cycle.
The CA/B Forum is an industry organization which sets best practices and standards for SSL certificate issuance. They are the ones ensuring that new certificates don’t continue to use old security measures. One of the goals the CA/B Forum has been working towards is shorter certificate validity. When SSL certificates expire more frequently, it makes it easier to improve security practices.
Now, that’s not to say that SSL expiration solves every problem. A huge number of servers have SSL configurations that would make most system admins blush. But, at least expiration keeps one part of our industry up-to-date.
So, next time you are renewing your SSL certificate, remember that it’s ensuring that all the information in your certificate is accurate, proving to clients that you are still the rightful owner of the domain, and keeping your certificate’s security measures up to date.