Mozilla has officially announced that starting September 1, 2020, they will no longer consider any newly issued certificates with a lifespan greater than 398 days, or a little over one year, as valid. Many reasons for reducing the lifetime of certificates have been provided and summarized in the CA/Browser Forum’s Ballot SC22.
By Nilesh Gavali, CISSP, Security+
Browser developers and certificate security professionals have for some time been pushing to reduce the maximum lifespan of publicly trusted TLS certificates from a little over 2 years (825 days) to a little over 1 year (398 days), but were unable to get enough certificate authorities to vote for the proposal in the CA/Browser Forum, which is why the browsers are now enforcing the limit through their own root-program policies.
Since many organizations lack the automation capabilities necessary to replace certificates with short lifespans at machine scale and speed, they are likely to see sharp increases in outages caused by unexpected certificate expirations.
The interval between certificate lifecycle changes is shrinking, and at the same time certificate lifecycles themselves are being reduced. In addition, the number of machines that require machine identities, including IoT and smart devices, virtual machines, AI workloads, and containers, is skyrocketing.
Mozilla, and other browser developers, state that these changes are important to provide better security as it:
- Allows greater agility when phasing out certificates that use signature or hash algorithms in which weaknesses have been found (the SHA-1 deprecation is the standard example), since the whole population of affected certificates ages out within about a year instead of more than two.
- Limits a website's exposure to compromise, because private keys are rotated whenever the certificate is replaced. If the private key belonging to a certificate is stolen and the theft goes unnoticed, a one-year validity period caps the time a threat actor can use it to impersonate the site.
- Prevents hosting providers or third parties from using a certificate for a long time after a domain is no longer used or has switched providers.
What does this mean for website owners?
- This change only affects new certificates issued on or after September 1st, 2020.
- If you have an existing certificate with a lifespan of two years, then this change will not affect that certificate, and you can continue using it until it expires.
- It does mean that when an existing certificate expires, its replacement, being issued after September 1st, 2020, will be valid for at most 398 days, so renewals will come around roughly once a year from then on.
- This change will increase administrative overhead as web site administrators will need to pay closer attention to renewal dates as their certificates will expire more frequently.
- For companies hosting many websites, this could be a logistical nightmare until automated procedures accounting for this change are put into place.
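As an added example, not part of the original article, the following standard-library Python script checks a certificate's validity period the way the new browser policy will: certificates whose notBefore is on or after 2020-09-01 are held to 398 days, older ones to the previous 825-day limit, and anything within a configurable number of days of expiry is flagged for renewal. It works on the dictionary shape returned by `ssl.SSLSocket.getpeercert()`, so it can be pointed at a live host or at constructed sample data; the 30-day warning threshold, the sample certificates and the fixed "now" date are assumptions made for illustration.

```python
"""Check TLS certificate validity periods against the 398-day policy.

Added example (not the article's own code). Uses only the standard
library; the dicts mirror what ssl.SSLSocket.getpeercert() returns.
Day counts are whole-day approximations of what browsers enforce.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # new policy applies from here
MAX_DAYS_NEW = 398   # limit for certificates issued on or after CUTOFF
MAX_DAYS_OLD = 825   # previous limit, still honoured until those certs expire
WARN_DAYS = 30       # renewal warning threshold (assumption for this example)


def _parse(cert_time: str) -> datetime:
    # getpeercert() gives times such as 'Sep  1 00:00:00 2020 GMT';
    # ssl.cert_time_to_seconds parses exactly that format, locale-independently.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def assess(cert: dict, now: Optional[datetime] = None) -> dict:
    """Return lifetime, applicable limit, browser acceptance and renewal status."""
    now = now or datetime.now(timezone.utc)
    not_before = _parse(cert["notBefore"])
    not_after = _parse(cert["notAfter"])
    lifetime_days = (not_after - not_before).days
    limit = MAX_DAYS_NEW if not_before >= CUTOFF else MAX_DAYS_OLD
    days_left = (not_after - now).days
    return {
        "lifetime_days": lifetime_days,
        "limit_days": limit,
        "browser_accepts": lifetime_days <= limit,
        "days_left": days_left,
        "renew_soon": days_left <= WARN_DAYS,
    }


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live server's leaf certificate as a getpeercert() dict.

    The default context verifies the chain, which is required for
    getpeercert() to return the parsed dictionary rather than an empty one.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (validity fields only) and a fixed "now"
# so the example runs offline with predictable results.
SAMPLE_NOW = datetime(2021, 9, 10, tzinfo=timezone.utc)
SAMPLE_OLD_825 = {          # issued before the cutoff, 825-day lifetime
    "notBefore": "Aug 15 00:00:00 2020 GMT",
    "notAfter": "Nov 18 23:59:59 2022 GMT",
}
SAMPLE_NEW_TOO_LONG = {     # issued on the cutoff day with a 2-year lifetime
    "notBefore": "Sep  1 00:00:00 2020 GMT",
    "notAfter": "Sep  1 23:59:59 2022 GMT",
}
SAMPLE_NEW_OK = {           # issued on the cutoff day, 397-day lifetime
    "notBefore": "Sep  1 00:00:00 2020 GMT",
    "notAfter": "Oct  3 23:59:59 2021 GMT",
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], assess(fetch_cert(sys.argv[1])))
    else:
        for name, cert in (("old", SAMPLE_OLD_825), ("too long", SAMPLE_NEW_TOO_LONG), ("ok", SAMPLE_NEW_OK)):
            print(name, assess(cert, now=SAMPLE_NOW))
```

Run it with a hostname to check a live site, or with no arguments to see the three constructed cases: the pre-cutoff 825-day certificate is still accepted, the post-cutoff two-year certificate is not, and the 397-day certificate is accepted but, at the sample date, is inside the renewal window. Feeding the inventory of an organisation's hosts through `assess` is the minimal visibility step the next paragraph argues for.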
Ultimately, the only way for organizations to remove this externally imposed risk is complete visibility into every TLS certificate they rely on, reliable intelligence about its issuer, lifetime and expiry date, and automated renewal and deployment for these machine identities.
About the Author
Nilesh Gavali is an astute CISSP and CompTIA Security+ certified IT professional with 18+ years of experience in Secure Network Designing, Infrastructure & Information Security Management. Experience in implementing Enterprise-wide Information Security Standards / Frameworks and Conducting Information Security Risk Assessments based on industry standards (ISO 27001, PCI-DSS).
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.