In February 2020, Apple unilaterally declared that it would no longer recognize TLS certificates with a validity period longer than 398 days.
This decision drove industry adoption of the new limitation, which will cause some headaches for IT teams. This guide quickly explains why the changes were made, and how they will affect your organization.
Driving Security Through Encryption
Historically, most organizations built hypertext transfer protocol (HTTP) sites, unless they planned to conduct financial transactions that required encryption.
HTTP websites were easy to use and simple to set up, and the World Wide Web exploded in popularity. Companies that required encryption purchased a Secure Sockets Layer (SSL) certificate and enabled HTTPS to encrypt all traffic to and from the website.
SSL certificates identify the website owner and contain the website’s public key. The browser uses this information to authenticate the website, set up encryption, and show the HTTPS website address.
Unfortunately, bad actors on the web began taking advantage of unsecured HTTP sites by spoofing them, intercepting unsecured web traffic, and other malicious actions. In 2018, Google led the charge to improve internet security by flagging all HTTP sites as “not secure.”
In February 2020, Google went further and announced that it would block most file downloads from HTTP websites by the end of 2020. Google seeks to force all professional websites to transition to HTTPS, which will protect the average consumer.
Types of HTTPS
Organizations may purchase three different levels of HTTPS certificates.
Domain-validated (DV) certificates provide basic encryption, validate only at the domain level, and are the least expensive of the three types of certificates.
Organization-validated (OV) certificates increase encryption strength, improve identity confirmation, and add the padlock & HTTPS within the browsers. Clicking on the padlock displays verified business details pulled from the certificate, and helps assure consumers of the organization’s validity.
Extended-validation (EV) certificates require a strict validation process, but offer consumers the highest assurance of the validity of the organization’s web domain. Browsers display the secure padlock icon next to the domain for a website with an EV certificate.
Apple Seeks Improved HTTPS
Technically, you can self-sign the SSL certificate that identifies your website and carries your public key. Unfortunately, bad actors can do the same, and most people can’t tell the difference.
Browsers now check the reputation of the company issuing the SSL certificate, and display warnings if the SSL certificate is not signed by a reputable third party. Companies that aid in the distribution of malware or other abuses may have their SSL certificate revoked.
Furthermore, bad actors can steal SSL certificates from companies, or use techniques to falsify certificates so that they look legitimate. These stolen or faked certificates should be revoked by certificate authorities (CAs). Unfortunately, that process is neither prompt nor comprehensive.
Browser vendors have been pushing for shorter certificate lifetimes to force the expiration of these bad certificates, but the CAs had been pushing back for years. In September 2019, the CAs voted down the adoption of the shorter term limit for certificates, but Apple unilaterally ignored the vote and adopted the shorter time frame.
By July 2020, Mozilla and Google had both adopted Apple’s policy. Microsoft, whose Edge browser shares the Chromium browser engine, is expected to announce its adoption soon. The widespread adoption by the industry may inevitably force the CAs to adopt the same standard.
What To Do Next
Starting Sept. 1, 2020, all new SSL certificates (new issuances and renewals) will have a maximum validity of 398 days, just over one year, which leaves a window for replacement.
Technically, multi-year certificate renewals will be possible, but since the certificate must be replaced within 398 days, the Ideal Integrations team recommends that our clients stick to single-year renewals for simplicity.
For those with an existing longer-term SSL certificate, don’t worry. The change only affects new certificates. Your existing SSL certificates will remain valid and unflagged for their remaining time.
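To see how the 398-day rule applies to a given certificate, here is an added Python example (not code from the original post or from Ideal Integrations). It reads the notBefore/notAfter fields in the dictionary shape Python’s ssl.getpeercert() returns, computes the validity period in days, and flags certificates issued on or after Sept. 1, 2020 that exceed 398 days, while leaving older certificates alone as the post describes. The sample certificates are constructed, and the helper names (validity_days, violates_398_day_limit, days_until_expiry, fetch_peer_cert) and the simple "greater than 398 days" comparison are this example's own assumptions; browsers measure the boundary down to the second and may differ by one second at the edge.

```python
import ssl
from datetime import datetime, timezone

# Policy parameters described in the post: certificates issued on or after
# Sept. 1, 2020 must not be valid for more than 398 days.
ENFORCEMENT_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_VALIDITY_DAYS = 398

# Constructed sample certificates in the dict shape ssl.getpeercert() returns
# (only the fields this check needs). These are not real certificates.
SAMPLE_CERTS = {
    # exactly 398 days: the longest lifetime the new rule allows
    "compliant": {"subject": ((("commonName", "www.example.com"),),),
                  "notBefore": "Sep  1 00:00:00 2020 GMT",
                  "notAfter": "Oct  4 00:00:00 2021 GMT"},
    # two-year certificate issued after the cut-off: browsers will reject it
    "too_long": {"subject": ((("commonName", "www.example.com"),),),
                 "notBefore": "Sep  1 00:00:00 2020 GMT",
                 "notAfter": "Sep  1 00:00:00 2022 GMT"},
    # two-year certificate issued the day before the cut-off: still honoured
    "legacy": {"subject": ((("commonName", "www.example.com"),),),
               "notBefore": "Aug 31 00:00:00 2020 GMT",
               "notAfter": "Aug 31 00:00:00 2022 GMT"},
}


def _as_utc(cert_time):
    """Convert an ssl-style time string ('Sep  1 00:00:00 2020 GMT') to a UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def validity_days(cert):
    """Length of the certificate's validity period in days (notAfter minus notBefore)."""
    delta = _as_utc(cert["notAfter"]) - _as_utc(cert["notBefore"])
    return delta.total_seconds() / 86400


def violates_398_day_limit(cert):
    """True if the certificate will be rejected under the 398-day policy.

    Certificates issued before the enforcement date keep their original
    lifetime, so only newer ones are checked against the limit.
    """
    if _as_utc(cert["notBefore"]) < ENFORCEMENT_START:
        return False
    return validity_days(cert) > MAX_VALIDITY_DAYS


def days_until_expiry(cert, now):
    """Days left before notAfter, for scheduling the (now annual) renewal.

    `now` may be a UTC datetime or an ssl-style time string.
    """
    if isinstance(now, str):
        now = _as_utc(now)
    return (_as_utc(cert["notAfter"]) - now).total_seconds() / 86400


def fetch_peer_cert(hostname, port=443):
    """Retrieve a live server's certificate dict (needs network; not called in the demo)."""
    import socket
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    today = "Jun  1 00:00:00 2021 GMT"  # fixed "today" so the demo is reproducible
    for name, cert in SAMPLE_CERTS.items():
        print(f"{name:10s} validity={validity_days(cert):6.1f}d "
              f"rejected={violates_398_day_limit(cert)} "
              f"expires_in={days_until_expiry(cert, today):6.1f}d")
```

Running the script prints one line per sample: the 398-day certificate passes, the two-year certificate issued after the cut-off is flagged, and the two-year certificate issued before the cut-off is left alone. To check a real server, call fetch_peer_cert("your.host") and pass the result to the same functions.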
For many organizations, this change will add some cost (annual renewals instead of renewals every two years) and more frequent website certificate updates. With Ideal Integrations managing your web certificates, you’ll enjoy a seamless transition, as we handle the renewals and updates of certificates as we did in the past, only more often.
Need to update your SSL, secure your network, or outsource your IT? Complete the form below for a free consultation with one of our experts!