{"id":28215,"date":"2020-02-24T16:10:36","date_gmt":"2020-02-24T21:10:36","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=28215"},"modified":"2021-09-24T16:20:57","modified_gmt":"2021-09-24T20:20:57","slug":"safari-to-reject-https-certificates-longer-than-a-year","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2020\/02\/24\/safari-to-reject-https-certificates-longer-than-a-year\/","title":{"rendered":"Safari to Reject HTTPS Certificates Longer Than a Year"},"content":{"rendered":"<p><a href=\"https:\/\/thenextweb.com\/security\/2020\/02\/24\/safari-will-soon-reject-any-https-certificate-valid-for-more-than-13-months\/\">Ivan Mehta<\/a>:<\/p>\n<blockquote cite=\"https:\/\/thenextweb.com\/security\/2020\/02\/24\/safari-will-soon-reject-any-https-certificate-valid-for-more-than-13-months\/\"><p>Last week, at the 49th CA\/Browser Forum, a voluntary consortium of certification authorities, Apple announced that it&rsquo;ll stop allowing HTTPS certificates on Safari with more than 13 months of validity, later this year.<\/p><p>[&#8230;]<\/p><p>As <a href=\"https:\/\/www.theregister.co.uk\/2020\/02\/20\/apple_shorter_cert_lifetime\/\">the Register<\/a> noted, sites like GitHub and Microsoft have certificates with two-year validity. Under Apple&rsquo;s new rule, these sites will be rejected if these companies will get another two-year certificate after August.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/sixcolors.com\/post\/2020\/02\/safari-will-reject-long-lived-https-certificates-starting-september-1\/\">Jason Snell<\/a>:<\/p>\n<blockquote cite=\"https:\/\/sixcolors.com\/post\/2020\/02\/safari-will-reject-long-lived-https-certificates-starting-september-1\/\"><p>The rationale? Shorter certificate lifetimes are safer, <a href=\"https:\/\/www.michalspacek.com\/maximum-https-certificate-lifetime-to-be-1-year-soon\">for a variety of reasons<\/a>. For one thing, it prevents a valid (and perhaps abandoned) certificate from being stolen or misappropriated by a bad actor, then used to trick consumers. While there is a process for revoking known bad certificates, it&rsquo;s cumbersome and many browsers don&rsquo;t even check the revocation lists.<\/p><p>For another, quick turnaround helps ensure that the certificates are always secured using the latest cryptographic standards.<\/p><p>[&#8230;]<\/p><p>The major downside for certificates that expire more often is that it means more work for organizations that have a large number of certificates that they will now need to renew more often.<\/p><p>[&#8230;]<\/p><p>At least one previous proposal to reduce the life of accepted certificates has been put to the CA\/Browser Forum, but while it was widely supported by browser makers, it didn&rsquo;t garner enough support from Certificate Authorities to make any head way. So Apple, in its own tried and true fashion, has apparently decided to make a unilateral change for what it believes is the best for users.<\/p><\/blockquote>\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/10\/18\/beware-apple-security-certificates-after-october-24\/\">Beware Apple Security Certificates After October 24<\/a><\/li>\n<\/ul>\n\n<p id=\"safari-to-reject-https-certificates-longer-than-a-year-update-2020-03-06\">Update (2020-03-06): <a href=\"https:\/\/support.apple.com\/en-us\/HT211025\">Apple<\/a>:<\/p>\n<blockquote cite=\"https:\/\/support.apple.com\/en-us\/HT211025\">\n<p>TLS server certificates issued on or after September 1, 2020 00:00 GMT\/UTC must not have a validity period greater than 398 days.<\/p>\n<p>This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS. <\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/rosyna\/status\/1234951516382887936\">Rosyna Keller<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/rosyna\/status\/1234951516382887936\">\n<p>The complaints I&rsquo;ve heard regarding Apple&rsquo;s move to 13 month or less TLS cert validity are perfect examples of why the current validity window is too damn long.<\/p>\n<p>For example, &ldquo;Before, I could completely ignore my site&rsquo;s security for 5 years and then forget to renew!&rdquo;<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/www.zdnet.com\/article\/google-wants-to-reduce-lifespan-for-https-certificates-to-one-year\/\"> Catalin Cimpanu<\/a> (via <a href=\"https:\/\/twitter.com\/rosyna\/status\/1235006020872617984\">Rosyna Keller<\/a>):<\/p>\n<blockquote cite=\"https:\/\/www.zdnet.com\/article\/google-wants-to-reduce-lifespan-for-https-certificates-to-one-year\/\">\n<p>Google wants to reduce the lifespan of SSL certificates (used to secure HTTPS encrypted traffic) from the current two years to just over a year.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/www.troyhunt.com\/extended-validation-certificates-are-dead\/\">Troy Hunt<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.troyhunt.com\/extended-validation-certificates-are-dead\/\">\n<p>Which brings me to the second point: certificate renewal should be automated and that&rsquo;s something that you simply can&rsquo;t do once identity verification is required. DV is easy and indeed automation is a cornerstone of Let&rsquo;s Encrypt which is a <em>really<\/em> important attribute of it. I recently spent some time with the development team in a major European bank and they were seriously considering ditching EV for precisely this reason. Actually, it was more than that reason alone, it was also the risk presented if they needed to quickly get themselves a new cert (i.e. due to key compromise) as the hurdles you have jump over are so much higher for EV than they are DV. Plus, long-lived certs actually create other risks due to the fact that <a href=\"https:\/\/scotthelme.co.uk\/revocation-is-broken\/\">revocation is broken<\/a> so iterating quickly (for example, Let&rsquo;s Encrypt certs last for 3 months) is a virtue. Certs lasting for 2 years <em>is not<\/em> a virtue, unless you&rsquo;re coming from the perspective of being able to cash in on them...<\/p>\n<\/blockquote>\n\n<p>See also: <a href=\"https:\/\/atp.fm\/episodes\/367\">Accidental Tech Podcast<\/a> and <a href=\"https:\/\/derflounder.wordpress.com\/2020\/03\/06\/apple-making-changes-to-maximum-lifetime-limits-for-ssl-certificates-as-of-september-2020\/\">Rich Trouton<\/a>.<\/p>\n\n<p id=\"safari-to-reject-https-certificates-longer-than-a-year-update-2020-06-11\">Update (2020-06-11): <a href=\"https:\/\/twitter.com\/chosensecurity\/status\/1270819404452937729\">Dean Coclin<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/chosensecurity\/status\/1270819404452937729\">\n<p>Chrome joins Apple in limiting public TLS certificates to 398 days starting Sept 1st.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Ivan Mehta: Last week, at the 49th CA\/Browser Forum, a voluntary consortium of certification authorities, Apple announced that it&rsquo;ll stop allowing HTTPS certificates on Safari with more than 13 months of validity, later this year.[&#8230;]As the Register noted, sites like GitHub and Microsoft have certificates with two-year validity. Under Apple&rsquo;s new rule, these sites will [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2020-02-24T21:10:39Z","apple_news_api_id":"5ff299f2-830d-44da-9d30-b9bd8a0dd5eb","apple_news_api_modified_at":"2021-09-24T20:21:00Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAg==","apple_news_api_share_url":"https:\/\/apple.news\/AX_KZ8oMNRNqdMLm9ig3V6w","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[31,1667,2120,30,1666,103,48,581,96],"class_list":["post-28215","post","type-post","status-publish","format-standard","hentry","category-technology","tag-ios","tag-ios-13","tag-lets-encrypt","tag-mac","tag-macos-10-15","tag-safari","tag-security","tag-ssltls","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/28215","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=28215"}],"version-history":[{"count":3,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/28215\/revisions"}],"predecessor-version":[{"id":29211,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/28215\/revisions\/29211"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=28215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=28215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=28215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}