Security News > 2020 > February > Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months

Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date.

The aim of the move is to improve website security by making sure devs use certs with the latest cryptographic standards, and to reduce the number of old, neglected certificates that could potentially be stolen and re-used for phishing and drive-by malware attacks.

It has been noted that by increasing the frequency of certificate replacements, Apple and others are also making life a little more complicated for site owners and businesses that have to manage the certificates and compliance.

"Their spokesperson said it was to 'protect users.' We know from prior CA/B Forum discussions that longer certificate lifetimes proved to be challenging in replacing certificates, in the case of a major security incident. Apple clearly wants to avoid an ecosystem that cannot quickly respond to major certificate-related threats."

"Short-lived certificates improve security because they reduce the window of exposure if a TLS certificate is compromised. They also help remediate normal operational churn within organizations by ensuring yearly updates to identity such as company names, addresses and active domains. As with any improvement, shortening of lifetimes should be balanced against the hardship required of certificate users to implement these changes."

News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/20/apple_shorter_cert_lifetime/