Safari, by the end of the year, will no longer accept new HTTPS certificates that expire more than 13 months from the date of creation.
This means that websites using long-lived SSL/TLS certificates issued after the cut-off point will trigger privacy errors in Apple’s browser.
The policy was unveiled by the iGiant at a meeting of the Certification Authority Browser Forum (CA/Browser) on Wednesday. Specifically, according to those present at the confab, from 1 September, any new website certificate valid for more than 398 days will not be trusted by the Safari browser and will instead be rejected. Older certificates, issued before the deadline, are not affected by this rule.
By implementing the policy in Safari, Apple, by extension, will apply it on all iOS and macOS devices. This will put pressure on administrators and website developers to make sure their certificates meet Apple’s requirements – or risk breaking pages on over a billion devices and computers.
Certificates issued from that date and expiring beyond 398 days will be distrusted in Apple products.
Tim Callan, senior fellow at PKI and SSL management company Sectigo, who attended this week’s meeting in Slovakia, told The Register: “This week Apple announced at the 49th CA/Browser Forum face-to-face that it will limit the term of TLS certificates accepted to 398 days from September 1, 2020. Certificates issued from that date and expiring beyond 398 days will be distrusted in Apple products.
“Certificates issued before September 1 will have the same acceptable duration as the current certificates, which is 825 days. No action is required for these certificates.”
Shortening certificate lifetimes has been discussed by Apple and other CA/Browser members for months. The policy has its advantages and disadvantages.
The goal of the move is to improve website security by making sure developers use certificates with the latest cryptographic standards, and to reduce the number of old, neglected certificates that could potentially be stolen and reused for phishing attacks and drive-by malware. If boffins or miscreants are able to break the cryptography in an SSL/TLS standard, short-lived certificates will ensure that people migrate to more secure certificates within about a year.
Shortening the duration of certificates has some drawbacks. It has been noted that by increasing the frequency of certificate replacements, Apple and others are making life a little more complicated for site owners and companies who need to manage certificates and compliance.
“Companies need to turn to automation to help implement, renew and manage the lifecycle of certificates to reduce human overload and the risk of errors with increasing certificate replacement frequency,” said Callan.
We note that Let’s Encrypt issues free HTTPS certificates that expire after 90 days and provides tools to automate renewals, so those certificates will be fine, and they are now in use all over the web. El Reg’s certificate is a one-year affair, so we’ll be fine.
GitHub.com uses a two-year certificate, which would run counter to Apple’s rules, though it was issued before the deadline. In any case, it is due to be renewed by June, so there is plenty of opportunity to sort that out. Apple’s website has a one-year HTTPS certificate that must be renewed in October.
Microsoft is interesting: its dot-com’s certificate is a two-year affair, which expires in October. If Redmond renews it for another two years, it will fall foul of Safari’s policy.
No public announcement appears to have been made by the Cupertino goliath, although DigiCert already has a page on the policy, dated February 19:
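The rule described in this article, applied to a certificate inventory, as an added example that is not from the original article or from Apple: a Python audit that reads the output of `openssl x509 -noout -dates` and applies the 398-day and 825-day limits. It assumes notBefore stands in for the issuance date and that the cut-off falls at midnight UTC on September 1, 2020; the hostnames and dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Figures from the article; treating the cut-off as midnight UTC is an assumption.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
LIMIT_NEW = timedelta(days=398)   # certificates issued from the cut-off onward
LIMIT_OLD = timedelta(days=825)   # certificates issued before the cut-off
OPENSSL_FMT = "%b %d %H:%M:%S %Y %Z"

def parse_dates(openssl_output):
    """Parse the notBefore=/notAfter= lines of `openssl x509 -noout -dates`."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with a space; normalise whitespace
            stamp = datetime.strptime(" ".join(value.split()), OPENSSL_FMT)
            fields[key] = stamp.replace(tzinfo=timezone.utc)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore and notAfter lines")
    return fields["notBefore"], fields["notAfter"]

def check(not_before, not_after):
    """Return (verdict, lifetime, limit) under the rule the article describes."""
    lifetime = not_after - not_before
    # Assumption: notBefore is used as the issuance date.
    limit = LIMIT_NEW if not_before >= CUTOFF else LIMIT_OLD
    return ("distrusted" if lifetime > limit else "ok"), lifetime, limit

def audit(inventory):
    """Map each name in {name: openssl dates output} to its verdict."""
    report = {}
    for name, text in inventory.items():
        verdict, lifetime, limit = check(*parse_dates(text))
        report[name] = verdict
        print(f"{name}: {lifetime.days} days (limit {limit.days}) -> {verdict}")
    return report

# Constructed sample data, not real certificates.
SAMPLE = {
    "two-year-old.example": "notBefore=Jun  1 00:00:00 2020 GMT\nnotAfter=Jun  1 00:00:00 2022 GMT",
    "two-year-new.example": "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Oct  1 00:00:00 2022 GMT",
    "398-day-new.example": "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Nov  3 00:00:00 2021 GMT",
    "90-day-new.example": "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Dec 30 00:00:00 2020 GMT",
}

if __name__ == "__main__":
    audit(SAMPLE)
```

Feeding it the dates of each certificate in an inventory shows which renewals need a shorter term before they are reissued.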
“Why did Apple unilaterally decide to impose a shorter certificate term?” reflected the cert biz.
“Their spokesman said it had to ‘protect users.’ We know from previous discussions in the CA/B Forum that longer certificate life has proven difficult in replacing certificates in the event of a major security incident, and Apple clearly wants to avoid an ecosystem that cannot respond quickly to major certificate threats.
“Short-term certificates improve security because they reduce the exposure window in the event of a TLS certificate being compromised. They also help remedy normal operational abandonment within organizations by ensuring annual identity updates such as company names, addresses and active domains. As with any improvement, the reduction in lifespan should be balanced by the difficulties required of certificate users to implement these changes.”
Apple declined to comment. ®