Heads up for businesses that use Apple’s Safari browser. Apple has taken a “bite” out of the validity period for SSL leaf certificates. Effective September 1, 2020, Safari will no longer trust SSL certificates whose validity spans more than 398 days (the equivalent of a one-year certificate, plus a 33-day renewal grace period). Users who log on to a website that is no longer trusted by Safari will see an indication to that effect.
The Details
As most operators with websites already know, an SSL certificate is a digital certificate that authenticates the identity of a website and encrypts information sent to the server using Secure Socket Layer (SSL) technology. Encryption is the process of scrambling data into an indecipherable format that can only be returned to a readable format with the proper decryption key.
Apple made its decision known at a February meeting of the Certification Authority Browser Forum (CA/Browser Forum), a voluntary association of leading browser certification authorities (CAs), Internet browser creators, and other Internet applications providers. Among the Forum’s missions is the publication of standards and rules for issuing and managing SSL certificates.
Under the umbrella of this decision, Safari will start September 1, trust only websites with a one-year SSL certificate. SSL certificates issued prior to September 1 will still be considered valid for 825 days, as is currently the case, and will remain so for their full duration. However, any existing two-year certificate will, if renewed after August 31, 2020, need to be renewed for one year in order for the website to which it applies to retain its “trusted” status in the Apple platform.
Why the Change
Entities like Apple want to reduce the maximum validity of SSL certificates in part based on the belief that the shorter the window of time during which these certificates remain “good,” the more rapidly websites will reflect security updates. A shorter window of validity is also thought to enhance websites’ security by ensuring that new keys are generated regularly.
Why Businesses Should Care
Businesses of all sizes will want to pay attention to this change–and ensure that their websites are trusted by Safari. The rationale for such an approach is strong and two-fold–maybe three-fold given recent rumors and previous history. For starters, Safari ranks high in popularity. In a report issued earlier this year, W3Counter pegged Safari’s market share at 17.7 percent as of January 2020. That’s second only to Google Chrome (58.2 percent) and ahead of Microsoft Internet Explorer and Edge (7.1 percent). Given the number of their own customers that likely use Safari, businesses would do well to ensure that it trusts their websites.
What’s more, seemingly endless media coverage of data security topics–not to mention the increasing occurrence of data breaches–is causing consumers to think very carefully about paying for goods and services online. If a business’s SSL certificate is out of date, leading customers to mistrust its website, that business will lose clients to competitors whose certificates meet the new requirements.
Additionally, word on the street is that Google may pursue a similar path when it comes to reducing the duration for which SSL certificates for websites with Chrome will remain valid. This makes sense considering that at last year’s CA/B Forum, the web browser giant introduced a ballot supporting a maximum one-year validity for SSL/TLS certificates. The ballot subsequently failed, but it seems unlikely that such a huge force as Google would forget all about the issue.
Next Steps
Streamlining and improving existing certificate management practices is a must for businesses. Moving away from manual certificate management methods and deploying a reliable certificate management solution ranks at the top of the list of best practices here.
Some CAs have come up with new certificate lifecycle automation options and subscription plans that are worth considering. These are designed to make managing shorter certificate lifecycles an easier process. Multi-year subscription-based SSL plans, for example, allow users to purchase SSL coverage for longer intervals (for example, five years) and simply re-issue their certificate each year to update it.
Continue to watch this blog for more updates on SSL certificates and other important data security/technology developments.