Safari to reject new SSL security certificates valid for more than 13 months


Apple has announced that its browser Safari will no longer accept new SSL HTTPS security certificates that expire more than 13 months from its creation date.

From September 1, any new website certificate valid for more than 398 days will not be trusted by the Safari browser and will get rejected. However, older certificates issued before this deadline was made by Apple, will not be affected.

This will create additional pressure on website developers as they now need to make absolutely sure that their webpages meet the new demands of the SSL security certificate policy, else it will end in their websites crashing on all the iOS and macOS devices safari browser.

The aim of this policy is to make sure that the websites are using the latest cryptographic standards, which in turn will improve website security. However, this Safari policy shortening of the lifespan of the HTTPS security certificates has its own negative side as it will make the job of the website owners a little difficult having to deal with acquiring new certificates every once in a while.

Even Firefox is in the same league of eradicating the weak HTTPS standard by blocking it in the TLS 1.0, 1.1.

No official comment has been made on Apple’s behalf regarding this new policy but Digicert’s Dead Coclin has issued a memo about this new policy which reads, “Their spokesperson said it was to ‘protect users.’ We know from prior CA/B Forum discussions that longer certificate lifetimes proved to be challenging in replacing certificates, in the case of a major security incident. Apple clearly wants to avoid an ecosystem that cannot quickly respond to major certificate-related threats.”

He further added, “Short-lived certificates improve security because they reduce the window of exposure if a TLS certificate is compromised. They also help remediate normal operational churn within organizations by ensuring yearly updates to identity such as company names, addresses, and active domains. As with any improvement, shortening of lifetimes should be balanced against the hardship required of certificate users to implement these changes.”



No comments

Powered by Blogger.