Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/30/2020
06:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know

Apple, Google, and Mozilla will shorten the life span for TLS certificates in a move poised to aid security but cause operational troubles.

The process of securing a site each year isn't much easier, and there is a risk the administrative process will be off-putting enough that they "simply don't bother." For many, Wilton adds, the certificate renewal comes at a financial cost that makes it even less appealing. The benefits of more frequent replacement depend on a quick, simple, affordable, and repeatable process.

How Your Organization Can Prepare
While this change won't go into effect until Sept. 1, businesses would be wise to start preparing by creating a plan, educating employees, and talking with partners to see how they're affected. 

Netskope has started to prep by reviewing its certificate architecture, how certain types of certificates are used, and ways they can simplify the process. The company has also started rotating certificates to get ahead of the error notifications and documenting throughout. Data is added into the application flow of systems and services to better track it all, Orange explains.

Changes were communicated internally to employees and externally to customers so they know what to expect from the service provider. Orange advises businesses to do the same, and chat with their own providers to learn how they'll be affected and what Netskope should be aware of. If a provider plans to make changes, the client should know what those changes will be. 

Employee education is essential and shouldn't be taken lightly, Orange says. People will see more pop-ups displaying errors; they should know why this is and what they should do. This is tricky, as they've only recently learned to check for certain icons indicating a website is secure. Now they'll need to know how to recognize they're not. The goal is behavioral change and educational awareness, versus giving employees lots of training and occasionally testing them.

"Planning and visibility, they are partners – same coin, just two different sides," he says. "If you don't know your certificate hierarchy and understand all of your digital assets that are leveraging TLS certificates, then you'll have a hard time planning what to do first and how it may ultimately impact your organization." 

In the Long Term, Shorter Life Spans
DigiCert's Coclin says this one-year validity is an "intermediate step" in gradually shrinking the life span of TLS certificates.

"We don't believe this is the final say in where they'll go in certificate lifetimes," he says. "We believe they'd like to see 90 days."

He speculates the CA/Browser Forum may eventually get down to a nine-month maximum, followed by a six-month limit, before getting to the 90-day timeline.

Related Content

 

 

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
dwrightetc
50%
50%
dwrightetc,
User Rank: Guru
7/31/2020 | 8:59:44 AM
Big Tech using their power to dictate to the world
Yes, I would agree shorter SSL certificate life spans are more secure, mostly due to the fact that the more times you use and encryption key to encrypt data the more vulnerable the key becomes.  There are several tactics that cause this to be a "minor" issue.  I say minor issue because the amount of work that it takes to brute force a TLS certificate is well beyond most criminals purvue.  Most are generally going to attack the server and access the private key directly before the reuse issue will be an issue.  That said, a much greater threat to all of us is the continued software vulnerabilites that routinely show up in Big Tech software.  If they really cared about security they would focus on secure software development, securing our data on their servers, and back away from the massive invasions of inviduals privacy that they all engage in.  So it is for those reasons, I believe Big Tech is trying to distract us into believing they actually care about security and in this unilateral move are using their immense power to dictate behavior to the world.  We should all worry about the motives behind every move these companies make especially, when they bypass the normal standards processes that have been developed.  
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12777
PUBLISHED: 2020-08-10
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
CVE-2020-12778
PUBLISHED: 2020-08-10
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
CVE-2020-12779
PUBLISHED: 2020-08-10
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
CVE-2020-12780
PUBLISHED: 2020-08-10
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
CVE-2020-12781
PUBLISHED: 2020-08-10
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.