Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/30/2020
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know

Apple, Google, and Mozilla will shorten the life span for TLS certificates in a move poised to aid security but cause operational troubles.

The process of securing a site each year isn't much easier, and there is a risk the administrative process will be off-putting enough that they "simply don't bother." For many, Wilton adds, the certificate renewal comes at a financial cost that makes it even less appealing. The benefits of more frequent replacement depend on a quick, simple, affordable, and repeatable process.

How Your Organization Can Prepare
While this change won't go into effect until Sept. 1, businesses would be wise to start preparing by creating a plan, educating employees, and talking with partners to see how they're affected. 

Netskope has started to prep by reviewing its certificate architecture, how certain types of certificates are used, and ways they can simplify the process. The company has also started rotating certificates to get ahead of the error notifications and documenting throughout. Data is added into the application flow of systems and services to better track it all, Orange explains.

Changes were communicated internally to employees and externally to customers so they know what to expect from the service provider. Orange advises businesses to do the same, and chat with their own providers to learn how they'll be affected and what Netskope should be aware of. If a provider plans to make changes, the client should know what those changes will be. 

Employee education is essential and shouldn't be taken lightly, Orange says. People will see more pop-ups displaying errors; they should know why this is and what they should do. This is tricky, as they've only recently learned to check for certain icons indicating a website is secure. Now they'll need to know how to recognize they're not. The goal is behavioral change and educational awareness, versus giving employees lots of training and occasionally testing them.

"Planning and visibility, they are partners – same coin, just two different sides," he says. "If you don't know your certificate hierarchy and understand all of your digital assets that are leveraging TLS certificates, then you'll have a hard time planning what to do first and how it may ultimately impact your organization." 

In the Long Term, Shorter Life Spans
DigiCert's Coclin says this one-year validity is an "intermediate step" in gradually shrinking the life span of TLS certificates.

"We don't believe this is the final say in where they'll go in certificate lifetimes," he says. "We believe they'd like to see 90 days."

He speculates the CA/Browser Forum may eventually get down to a nine-month maximum, followed by a six-month limit, before getting to the 90-day timeline.

Related Content

 

 

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
dwrightetc
50%
50%
dwrightetc,
User Rank: Guru
7/31/2020 | 8:59:44 AM
Big Tech using their power to dictate to the world
Yes, I would agree shorter SSL certificate life spans are more secure, mostly due to the fact that the more times you use and encryption key to encrypt data the more vulnerable the key becomes.  There are several tactics that cause this to be a "minor" issue.  I say minor issue because the amount of work that it takes to brute force a TLS certificate is well beyond most criminals purvue.  Most are generally going to attack the server and access the private key directly before the reuse issue will be an issue.  That said, a much greater threat to all of us is the continued software vulnerabilites that routinely show up in Big Tech software.  If they really cared about security they would focus on secure software development, securing our data on their servers, and back away from the massive invasions of inviduals privacy that they all engage in.  So it is for those reasons, I believe Big Tech is trying to distract us into believing they actually care about security and in this unilateral move are using their immense power to dictate behavior to the world.  We should all worry about the motives behind every move these companies make especially, when they bypass the normal standards processes that have been developed.  
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21574
PUBLISHED: 2021-06-24
Dell BIOSConnect feature contains a buffer overflow vulnerability. An authenticated malicious admin user with local access to the system may potentially exploit this vulnerability to run arbitrary code and bypass UEFI restrictions.
CVE-2021-32708
PUBLISHED: 2021-06-24
Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is allowed to supply the pa...
CVE-2020-18667
PUBLISHED: 2021-06-24
SQL Injection vulnerability in WebPort <=1.19.1 via the new connection, parameter name in type-conn.
CVE-2021-21571
PUBLISHED: 2021-06-24
Dell UEFI BIOS https stack leveraged by the Dell BIOSConnect feature and Dell HTTPS Boot feature contains an improper certificate validation vulnerability. A remote unauthenticated attacker may exploit this vulnerability using a person-in-the-middle attack which may lead to a denial of service and p...
CVE-2021-21572
PUBLISHED: 2021-06-24
Dell BIOSConnect feature contains a buffer overflow vulnerability. An authenticated malicious admin user with local access to the system may potentially exploit this vulnerability to run arbitrary code and bypass UEFI restrictions.