Apple strong-arms entire CA industry into one-year certificate lifespans - ZDNet
Jun 28, 2020
Apple, Google, and Mozilla reduce the lifespan for HTTPS certificates to 398 days, against the wishes of Certificate Authorities.

A decision that Apple unilaterally took in February 2020 has reverberated across the browser landscape and has effectively strong-armed the Certificate Authority industry into bitterly accepting a new default lifespan of 398 days for TLS certificates.

Following Apple's initial announcement, Mozilla and Google have stated similar intentions to implement the same rule in their browsers.

Starting with September 1, 2020, browsers and devices from Apple, Google, and Mozilla will show errors for new TLS certificates that have a lifespan greater than 398 days.

The move is an important one because it not only changes how a core part of the internet works -- TLS certificates -- but also because it breaks away from normal industry practices and the cooperation between browsers and CAs.

That cooperation takes place in the CA/B Forum, an informal group made up of Certificate Authorities (CAs), the companies that issue the TLS certificates used to secure HTTPS traffic, and browser makers.

Since 2005, this group has been making the rules on how TLS certificates should be issued and how browsers are supposed to manage and validate them.

However, across its 15-year history, there's been one topic that has always ruffled the feathers every time it has been brought up -- and that's the lifespan of TLS certificates.

TLS lifespans started at eight years, and through the years, browser makers have chipped away at it, bringing it down to five, then to three, and then to two.

The previous change occurred in March 2018, when browser makers tried to reduce SSL certificate lifespans from three years to one but compromised for two years after an aggressive pushback from CAs.

But barely a year had passed since the cut from three to two years when browser makers tried again, to the dismay of CAs, who at that point thought they had reached a compromise and put the matter to bed.

As ZDNet reported last summer, browser vendors tried again to bring the lifespan of TLS certificates from two to one year.

While the proposal gained 100% support from browser makers, only 35% of CAs voted to approve a one-year TLS certificate lifespan.

Chrome joins Apple in limiting public TLS certificates to 398 days starting Sept 1st.

What took place this year is, in the simplest terms, a demonstration that browser makers control the CA/B Forum, that they hold full control of the HTTPS ecosystem, and that CAs are merely participants with no actual power.

However, there is a reason why browser makers have been pushing hard for shorter TLS certificates.

The primary reason is that bad TLS certificates get cycled out faster.

However, in practice, the certificate revocation process has been a mess for years, with very few CAs revoking certificates in time, and bad certificates remaining valid for years, allowing bad guys to use and re-use the same cert for multiple operations.

Browser makers argued that by reducing the TLS certificate lifespan, these certificates would become invalid faster, even if they were issued by slacking CAs.

At one point in the future, browser makers anticipate that threat actors will be able to decrypt the HTTPS traffic they are logging today.

By securing traffic with shorter-lasting certificates, browser makers hope to make this process more resource-intensive for attackers.

D-TRUST, another CA, said that it, too, was forced to comply with the new TLS lifespan, but made it clear it didn't see "any security gain or other benefits by shortening the certificate lifetime."

For certificate authorities: If they want the TLS certificates they issue after this date to be recognized by Apple, Google, and Mozilla browsers, those certificates must not have a lifespan exceeding 398 days; otherwise browsers will show an error and drop the connection.

For website owners: They'll have to renew TLS certificates yearly instead of every two years.

For end-users: They might see more HTTPS errors in their browsers.
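To make the rule concrete, here is an added example (not from the article, Apple, or any CA) that reads the validity window printed by `openssl x509 -noout -dates` and checks it against the 398-day limit for certificates with a notBefore on or after September 1, 2020. The sample outputs are constructed, and the lifespan is measured as notAfter minus notBefore, which is an assumption about how a given browser counts it.

```python
"""Check a certificate's validity window against the 398-day lifespan rule."""
from datetime import datetime, timedelta, timezone

MAX_LIFESPAN_DAYS = 398
# Only certificates with a notBefore on or after this date are subject to the rule.
ENFORCEMENT_START = datetime(2020, 9, 1, tzinfo=timezone.utc)

# Date format printed by `openssl x509 -noout -dates`, e.g. "Sep  2 00:00:00 2020 GMT".
_OPENSSL_FMT = "%b %d %H:%M:%S %Y %Z"

# Constructed sample outputs (not real certificates): a two-year cert issued after the
# cutoff, a 398-day cert issued after the cutoff, and a two-year cert issued before it.
SAMPLE_TWO_YEAR = "notBefore=Sep  2 00:00:00 2020 GMT\nnotAfter=Sep  2 00:00:00 2022 GMT"
SAMPLE_398_DAYS = "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Nov  3 00:00:00 2021 GMT"
SAMPLE_LEGACY = "notBefore=Mar  1 00:00:00 2020 GMT\nnotAfter=Mar  1 00:00:00 2022 GMT"

def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as UTC datetimes from `openssl x509 -dates` output."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), _OPENSSL_FMT)
            dates[key] = parsed.replace(tzinfo=timezone.utc)
    if set(dates) != {"notBefore", "notAfter"}:
        raise ValueError("expected both a notBefore and a notAfter line")
    return dates["notBefore"], dates["notAfter"]

def lifespan_days(not_before, not_after):
    """Validity period in days. Assumption: measured as notAfter minus notBefore."""
    return (not_after - not_before) / timedelta(days=1)

def latest_allowed_not_after(not_before):
    """Latest notAfter a cert issued at `not_before` may carry under the 398-day rule."""
    return not_before + timedelta(days=MAX_LIFESPAN_DAYS)

def check_lifespan(not_before, not_after):
    """Return (accepted, reason) for the 398-day rule on certs issued from Sept 1, 2020."""
    days = lifespan_days(not_before, not_after)
    if not_before < ENFORCEMENT_START:
        return True, f"issued before enforcement date; {days:.0f}-day lifespan not checked"
    if days > MAX_LIFESPAN_DAYS:
        return False, f"{days:.0f}-day lifespan exceeds {MAX_LIFESPAN_DAYS} days"
    return True, f"{days:.0f}-day lifespan is within {MAX_LIFESPAN_DAYS} days"

def check_openssl_output(text):
    """Parse `openssl x509 -noout -dates` output and apply the rule to it."""
    return check_lifespan(*parse_openssl_dates(text))
```

Feed it real output with `openssl x509 -in cert.pem -noout -dates` to see whether a certificate you operate would be rejected, and use `latest_allowed_not_after` when planning renewal dates.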
