HTTPS Security Certificates Will Soon Have To Be Limited To A One Year Long Life-Time To Be Valid
A proposal to limit HTTPS certificates to a maximum length of one year was down-voted in the CA/Browser Forum late last year. That vote does not matter because those who control the web browsers control the web universe. The major web browser vendors have decided that TLS certificates issued after September 1st will be treated as invalid if they have an expiration date beyond one year into the future. Web server administrators should take notice.
Written by 林慧 (Wai Lin). Published 2020-07-27, last edited 2020-07-31.
We made some hacker-looking stock image using the GNU Image Manipulation Program.
The CA/Browser Forum is supposed to be an industry forum where members vote on web-security-related proposals and act accordingly. There was a vote in the CA/Browser Forum on a proposal to treat any and all TLS certificates used to provide HTTPS and other security on the web as invalid if they are issued for periods longer than one year. The proposal did NOT pass, due to massive resistance from the commercial certificate authorities who, naturally, would like to continue charging an arm and a leg to sign long-lived TLS certificates for banks and other well-paying customers.
The web browser triopoly of Apple, Mozilla and Google has jointly decided that the opinion of the members of the CA/Browser Forum does not matter, in the same way that votes on web standards in the World Wide Web Consortium do not matter to them. It is, after all, the major web browser vendors who ultimately decide what modern web browsers do and don't support. They do whatever they want, regardless of what the affected stakeholders would prefer.
Apple was the first web browser vendor to make its browsers treat long-lived TLS certificates as invalid, in March 2020. Mozilla and Google have now followed suit. All the major web browsers will show their users an ERR_CERT_VALIDITY_TOO_LONG error if a TLS certificate used for an HTTPS connection was issued after September 1st and is valid for more than 398 days.
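As an added example (not the article's code), the following Python applies the rule above to a certificate's validity dates: it parses the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates` prints and reports whether a certificate issued on or after September 1st, 2020 has a validity period longer than 398 days. The `openssl` invocation, the exact-edge handling and the sample dates are assumptions for illustration; only the standard library is used.

```python
import subprocess
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=398)                  # limit the article cites
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # rule applies to certificates issued from this date on
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"               # openssl prints e.g. "Sep  1 00:00:00 2020 GMT"

def parse_openssl_date(line: str) -> datetime:
    """Parse a 'notBefore=...' or 'notAfter=...' line as printed by `openssl x509 -dates`."""
    value = line.split("=", 1)[-1]
    # openssl pads single-digit days with two spaces; collapse whitespace before strptime
    return datetime.strptime(" ".join(value.split()), OPENSSL_DATE).replace(tzinfo=timezone.utc)

def lifetime_verdict(not_before: datetime, not_after: datetime) -> str:
    """'too_long' if issued on/after the cutoff with a validity period over 398 days;
    'legacy' if over 398 days but issued before the cutoff (new limit does not apply).
    Assumption: the period is the plain notAfter - notBefore difference, as the article words it."""
    if not_after - not_before <= MAX_LIFETIME:
        return "ok"
    return "too_long" if not_before >= CUTOFF else "legacy"

def check_pem_file(path: str) -> str:
    """Read the validity dates of a PEM certificate via openssl (assumed on PATH) and judge it."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-dates"],
                         check=True, capture_output=True, text=True).stdout
    dates = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    return lifetime_verdict(parse_openssl_date(dates["notBefore"]), parse_openssl_date(dates["notAfter"]))

# Constructed sample validity windows in openssl's output format (not taken from real certificates).
SAMPLES = {
    "one_year_after_cutoff":   ("notBefore=Sep  2 00:00:00 2020 GMT", "notAfter=Sep  2 00:00:00 2021 GMT"),
    "exactly_398_days":        ("notBefore=Sep  2 00:00:00 2020 GMT", "notAfter=Oct  5 00:00:00 2021 GMT"),
    "one_day_over":            ("notBefore=Sep  2 00:00:00 2020 GMT", "notAfter=Oct  6 00:00:00 2021 GMT"),
    "two_years_after_cutoff":  ("notBefore=Sep  2 00:00:00 2020 GMT", "notAfter=Sep  2 00:00:00 2022 GMT"),
    "two_years_before_cutoff": ("notBefore=Aug 31 00:00:00 2020 GMT", "notAfter=Aug 31 00:00:00 2022 GMT"),
}

def check_samples() -> dict:
    """Verdict for every constructed sample, keyed by sample name."""
    return {name: lifetime_verdict(parse_openssl_date(nb), parse_openssl_date(na))
            for name, (nb, na) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:25} {verdict}")
```

Pass a real PEM file to `check_pem_file()` to judge a deployed certificate the same way.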
Why Would They Do This?
There is no functioning revocation system for TLS certificates. If a compromised certificate authority gives eavesdropper Eve a valid certificate for a website belonging to Alice, then Eve gets to eavesdrop for as long as that certificate remains valid. Browser manufacturers do have and ship their own revocation lists, but they vary from vendor to vendor and are only used when major incidents occur. Browser vendors would very much like to not deal with any revocation lists at all. A shorter certificate lifetime means that problematic certificates expire and become invalid on their own when keys are compromised or other issues present themselves.
Welcome To The TLS Certificate Monopoly
The maximum validity period of SSL and TLS certificates used to be very long. A 5-year validity was not uncommon. This was previously reduced to 2 years. Now it's down to one year.
The introduction of the free HTTPS certificate provider Let's Encrypt transformed the web when it was launched in 2015. More than one billion websites, including this one, use free short-lived certificates issued by them. The only (not really a) downside to using Let's Encrypt certificates is the very short 3-month validity of certificates issued by that certificate authority. That is mostly a non-issue, since you can renew them regularly with a systemd timer or a cron job.
Buying a commercial TLS certificate made some sense when you could buy one and use it for 5 years. It still made sense when you could buy one, set it up and forget about it for 2 years. Paying for a certificate from GeoTrust or DigiCert makes less sense now that you will have to renew it frequently. Using a free certificate from Let's Encrypt, with a timer renewing it, makes a lot more sense. That is especially true if you have a limited budget. That may soon leave Let's Encrypt as the last man standing, making its parent organization, the Internet Security Research Group (in practice owned by Cisco, Facebook, Mozilla, OVH and the EFF), a de-facto TLS certificate monopoly.
You might as well take advantage of the coming monopoly if you run a small website on a server you control. Deploying HTTPS with a certificate from Let's Encrypt using the certbot tool from the EFF is very easy to do. There is no reason to use plain old insecure HTTP like it's 1999, even if you're only hosting a small personal blog with pictures of your cat(s).