Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Mozilla Joins Apple, Google in Reducing TLS Certificate Lifespans

Mozilla is the latest browser maker to have announced updated policies that would reduce the lifetime of TLS (Transport Layer Security) certificates.

Mozilla is the latest browser maker to have announced updated policies that would reduce the lifetime of TLS (Transport Layer Security) certificates.

Currently, SSL/TLS certificates have a maximum lifespan of 825 days, but, in an attempt to ensure better protection of HTTPS connections, browser makers such as Apple, Google and Mozilla are looking into reducing that period to 398 days.

Apple was the first to make a move in this direction, by announcing earlier this year that, starting September 1, 2020, TLS server certificates should have a validity period of up to 398 days.

“This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS. Additionally, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change,” Apple said.

Last month, it was revealed that Google too will impose the limit in Chrome, also starting September 1, 2020. The company will reject certificates that violate the policy.

Now, Mozilla says that it too is ready to join the fray, explaining that the move will bring numerous security and privacy benefits: certificates using outdated or weak algorithms will be phased out faster, there will be fewer disruptions, and exposure diminished. Furthermore, certain impersonation attacks will likely be mitigated this way.

The browser maker says it will update its Root Store Policy to impose the limitation regardless of whether the CA/Browser Forum’s Ballot SC31, which discusses the issue, will pass or not.

“In preparation for updating our root store policy, we surveyed all of the certificate authorities (CAs) in our program and found that they all intend to limit TLS certificate validity periods to 398 days or less by September 1, 2020,” the organization notes.

Advertisement. Scroll to continue reading.

Microsoft is the only large browser maker that has yet to announce specific plans on the matter, but it will most likely follow suit, considering the trend and the fact that its Edge browser is Chromium-based.

Most CAs have already announced plans to limit the TLS certificate validity, but many complained that having to issue certificates more often creates additional burden on them. Some also revealed plans to increase the annual fee for certificates due to increased labor cost.

Related: Browser Makers Delay Removal of TLS 1.0 and 1.1 Support

Related: Over 100,000 Fake Domains With Valid TLS Certificates Target Major Retailers

Related: Let’s Encrypt Will Not Replace 1 Million Bug-Affected Certificates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.