Safari bans security certificates which are valid for more than 13 months

26.03.2020

Apple’s browser Safari will introduce a big change later this year. The popular browser will stop accepting newly issued HTTPS certificates which are valid for more than 398 days.

This change will become a reality from September 1st, 2020. Certificates that are issued after that date and are valid for more than 398 days will cause an error in the Safari browser. They will be viewed as untrusted and consequently rejected by Safari.

Safari will continue to accept certificates issued before September 1st, no matter how long they are valid for. Once they are renewed, though, their validity must be below 398 days, or 13 months.
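An added example (not from the original article or from Apple) that applies the rule above to a certificate inventory, using the date lines printed by `openssl x509 -noout -dates`. The host names and dates are constructed, and treating midnight UTC on September 1st as the boundary is an assumption.

```python
import ssl
from datetime import datetime, timezone

# Limits as stated in the article. Treating midnight UTC on September 1st as
# the boundary, and lifetime as notAfter - notBefore, are assumptions.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME_SECONDS = 398 * 86400

# Constructed sample data: host names and dates are made up, in the format
# printed by `openssl x509 -noout -dates`.
INVENTORY = {
    "legacy.example": "notBefore=Aug 15 00:00:00 2020 GMT\nnotAfter=Nov 18 00:00:00 2022 GMT",
    "shop.example": "notBefore=Sep 15 00:00:00 2020 GMT\nnotAfter=Sep 15 00:00:00 2022 GMT",
    "api.example": "notBefore=Sep 15 00:00:00 2020 GMT\nnotAfter=Oct 18 00:00:00 2021 GMT",
}


def parse_dates(openssl_output):
    """Return (not_before, not_after) as UTC datetimes."""
    fields = dict(line.split("=", 1) for line in openssl_output.strip().splitlines())
    return tuple(
        datetime.fromtimestamp(ssl.cert_time_to_seconds(fields[key]), tz=timezone.utc)
        for key in ("notBefore", "notAfter")
    )


def classify(openssl_output):
    """Return 'exempt', 'ok' or 'rejected' for one certificate."""
    not_before, not_after = parse_dates(openssl_output)
    if not_after <= not_before:
        raise ValueError("notAfter is not later than notBefore")
    if not_before < CUTOFF:
        return "exempt"  # issued before September 1st: accepted whatever its length
    lifetime = (not_after - not_before).total_seconds()
    return "rejected" if lifetime > MAX_LIFETIME_SECONDS else "ok"


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(dates) for host, dates in inventory.items()}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:16} {status}")
```

A certificate reported as `exempt` still has to come in under the limit when it is next renewed.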

Why the change?

Making certificates valid for fewer than 398 days is a change that IT giants have been discussing for quite some time, The Register reports. It’s been a topic for the CA/Browser Forum members, but so far no companies have taken action.

This now changes with Apple. By applying this rule, developers will have to update their certificates more often. This means that they will get to use new cryptographic standards more quickly, hence increasing security.

The move will also decrease the number of unused certificates which are out in the wild. They are sought after by hackers who try to use them for malicious purposes.

What’s really going on?

So far Apple hasn’t commented on the move officially. People found out about it after Apple announced it during the CA/Browser Forum in February. And it was the only member to announce and back the change. Other members, like Google, haven’t announced such changes yet.

DigiCert did comment on the move on its site. It recaps the discussions, noting that Google proposed the same change in August 2019 but was voted down. Now Apple is simply making the change on its own, for its own properties. As Apple is a company with billions of users, though, this will undoubtedly result in sites having to comply.

What will happen?

Up until now, the maximum validity of certificates has been 825 days. After Apple announced the change in February, there hasn’t been much movement from other companies.

So, it seems they are going to wait and see what the reactions of website admins and companies will be. Most will probably not be happy about the news. Especially the ones who maintain several sites.

The good news is that some certificate issuers already offer automation tools. This makes things easier for admins who use them, but self-hosting might get a little trickier: admins will have to go through the re-issuing process more often.

Also, a lot of smaller companies won’t hear about the change in time. So, they will re-issue their certificates after September 1st with the old, longer validity periods. As a result, they run the risk of their sites showing up as untrusted, with a warning message, for their Safari visitors, and so of losing potential visitors and customers.