Mozilla Joins Apple, Google in Reducing TLS Certificate Lifespans

Mozilla is the latest browser maker to have announced updated policies that would reduce the lifetime of TLS (Transport Layer Security) certificates.

Currently, SSL/TLS certificates have a maximum lifespan of 825 days, but, in an attempt to ensure better protection of HTTPS connections, browser makers such as Apple, Google and Mozilla are looking into reducing that period to 398 days.

Apple was the first to make a move in this direction, by announcing earlier this year that, starting September 1, 2020, TLS server certificates should have a validity period of up to 398 days.

“This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS. Additionally, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change,” Apple said.

Last month, it was revealed that Google too will impose the limit in Chrome, also starting September 1, 2020. The company will reject certificates that violate the policy.

Now, Mozilla says that it too is ready to join the fray, explaining that the move will bring numerous security and privacy benefits: certificates using outdated or weak algorithms will be phased out faster, there will be fewer disruptions, and exposure will be diminished. Furthermore, certain impersonation attacks will likely be mitigated this way.

The browser maker says it will update its Root Store Policy to impose the limitation regardless of whether the CA/Browser Forum’s Ballot SC31, which discusses the issue, passes.

“In preparation for updating our root store policy, we surveyed all of the certificate authorities (CAs) in our program and found that they all intend to limit TLS certificate validity periods to 398 days or less by September 1, 2020,” the organization notes.

Microsoft is the only large browser maker that has yet to announce specific plans on the matter, but it will most likely follow suit, considering the trend and the fact that its Edge browser is Chromium-based.

Most CAs have already announced plans to limit TLS certificate validity, but many complained that having to issue certificates more often places an additional burden on them. Some also revealed plans to increase the annual fee for certificates due to increased labor costs.
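For operators who want to check their own certificates against the limits described above, the following added example (not code from SecurityWeek or any browser vendor) applies the 398-day rule to certificates issued on or after September 1, 2020 and the 825-day rule to earlier ones. The cutoff time of 00:00 UTC, the way the validity period is measured, and the host names in the sample inventory are assumptions made for the example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: the cutoff is 00:00 UTC on September 1, 2020, and the validity
# period is notAfter minus notBefore with one day counted as 86400 seconds.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc).timestamp()
NEW_MAX_DAYS = 398   # certificates issued on or after the cutoff
OLD_MAX_DAYS = 825   # certificates issued before the cutoff
DAY = 86400

def check_validity(cert):
    """Evaluate a dict shaped like SSLSocket.getpeercert() output."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= not_before:
        raise ValueError("notAfter is not later than notBefore")
    # The issuance date decides which limit applies (older certs keep 825).
    limit = NEW_MAX_DAYS if not_before >= CUTOFF else OLD_MAX_DAYS
    lifetime = not_after - not_before
    return {"days": lifetime / DAY, "limit_days": limit,
            "compliant": lifetime <= limit * DAY}

def audit(inventory):
    """Return the names in {name: cert} whose lifetime exceeds the limit."""
    return sorted(name for name, cert in inventory.items()
                  if not check_validity(cert)["compliant"])

def fetch_cert(host, port=443, timeout=10):
    """Fetch a live server's certificate fields (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample inventory (hypothetical hosts, not real certificates).
SAMPLE = {
    "legacy-825.example": {"notBefore": "Aug 31 12:00:00 2020 GMT",
                           "notAfter": "Dec  4 12:00:00 2022 GMT"},
    "new-825.example": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                        "notAfter": "Dec  5 00:00:00 2022 GMT"},
    "new-398.example": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                        "notAfter": "Oct  4 00:00:00 2021 GMT"},
    "new-399.example": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                        "notAfter": "Oct  5 00:00:00 2021 GMT"},
}

if __name__ == "__main__":
    print("Over the limit:", audit(SAMPLE))
```

The same 825-day lifetime is accepted for the certificate issued on August 31, 2020 and flagged for the one issued on September 1, 2020, which is the practical effect of the issuance-date cutoff.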

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
