Security Experts:

Mozilla Joins Apple, Google in Reducing TLS Certificate Lifespans

Mozilla is the latest browser maker to have announced updated policies that would reduce the lifetime of TLS (Transport Layer Security) certificates.

Currently, SSL/TLS certificates have a maximum lifespan of 825 days, but, in an attempt to ensure better protection of HTTPS connections, browser makers such as Apple, Google and Mozilla are looking into reducing that period to 398 days.

Apple was the first to make a move in this direction, by announcing earlier this year that, starting September 1, 2020, TLS server certificates should have a validity period of up to 398 days.

“This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS. Additionally, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change,” Apple said.

Last month, it was revealed that Google too will impose the limit in Chrome, also starting September 1, 2020. The company will reject certificates that violate the policy.

Now, Mozilla says that it too is ready to join the fray, explaining that the move will bring numerous security and privacy benefits: certificates using outdated or weak algorithms will be phased out faster, there will be fewer disruptions, and exposure diminished. Furthermore, certain impersonation attacks will likely be mitigated this way.

The browser maker says it will update its Root Store Policy to impose the limitation regardless of whether the CA/Browser Forum’s Ballot SC31, which discusses the issue, will pass or not.

“In preparation for updating our root store policy, we surveyed all of the certificate authorities (CAs) in our program and found that they all intend to limit TLS certificate validity periods to 398 days or less by September 1, 2020,” the organization notes.

Microsoft is the only large browser maker that has yet to announce specific plans on the matter, but it will most likely follow suit, considering the trend and the fact that its Edge browser is Chromium-based.

Most CAs have already announced plans to limit the TLS certificate validity, but many complained that having to issue certificates more often creates additional burden on them. Some also revealed plans to increase the annual fee for certificates due to increased labor cost.

Related: Browser Makers Delay Removal of TLS 1.0 and 1.1 Support

Related: Over 100,000 Fake Domains With Valid TLS Certificates Target Major Retailers

Related: Let's Encrypt Will Not Replace 1 Million Bug-Affected Certificates

view counter