Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:30 PM
Connect Directly

Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know

Apple, Google, and Mozilla will shorten the life span for TLS certificates in a move poised to aid security but cause operational troubles.

The process of securing a site each year isn't much easier, and there is a risk the administrative process will be off-putting enough that they "simply don't bother." For many, Wilton adds, the certificate renewal comes at a financial cost that makes it even less appealing. The benefits of more frequent replacement depend on a quick, simple, affordable, and repeatable process.

How Your Organization Can Prepare
While this change won't go into effect until Sept. 1, businesses would be wise to start preparing by creating a plan, educating employees, and talking with partners to see how they're affected. 

Netskope has started to prep by reviewing its certificate architecture, how certain types of certificates are used, and ways they can simplify the process. The company has also started rotating certificates to get ahead of the error notifications and documenting throughout. Data is added into the application flow of systems and services to better track it all, Orange explains.

Changes were communicated internally to employees and externally to customers so they know what to expect from the service provider. Orange advises businesses to do the same, and chat with their own providers to learn how they'll be affected and what Netskope should be aware of. If a provider plans to make changes, the client should know what those changes will be. 

Employee education is essential and shouldn't be taken lightly, Orange says. People will see more pop-ups displaying errors; they should know why this is and what they should do. This is tricky, as they've only recently learned to check for certain icons indicating a website is secure. Now they'll need to know how to recognize they're not. The goal is behavioral change and educational awareness, versus giving employees lots of training and occasionally testing them.

"Planning and visibility, they are partners – same coin, just two different sides," he says. "If you don't know your certificate hierarchy and understand all of your digital assets that are leveraging TLS certificates, then you'll have a hard time planning what to do first and how it may ultimately impact your organization." 

In the Long Term, Shorter Life Spans
DigiCert's Coclin says this one-year validity is an "intermediate step" in gradually shrinking the life span of TLS certificates.

"We don't believe this is the final say in where they'll go in certificate lifetimes," he says. "We believe they'd like to see 90 days."

He speculates the CA/Browser Forum may eventually get down to a nine-month maximum, followed by a six-month limit, before getting to the 90-day timeline.

Related Content



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Guru
7/31/2020 | 8:59:44 AM
Big Tech using their power to dictate to the world
Yes, I would agree shorter SSL certificate life spans are more secure, mostly due to the fact that the more times you use and encryption key to encrypt data the more vulnerable the key becomes.  There are several tactics that cause this to be a "minor" issue.  I say minor issue because the amount of work that it takes to brute force a TLS certificate is well beyond most criminals purvue.  Most are generally going to attack the server and access the private key directly before the reuse issue will be an issue.  That said, a much greater threat to all of us is the continued software vulnerabilites that routinely show up in Big Tech software.  If they really cared about security they would focus on secure software development, securing our data on their servers, and back away from the massive invasions of inviduals privacy that they all engage in.  So it is for those reasons, I believe Big Tech is trying to distract us into believing they actually care about security and in this unilateral move are using their immense power to dictate behavior to the world.  We should all worry about the motives behind every move these companies make especially, when they bypass the normal standards processes that have been developed.  
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where Are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-19
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and settin...
PUBLISHED: 2020-10-19
On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administr...
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
PUBLISHED: 2020-10-19
A flaw was found in Infinispan version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.