In its “Moving Forward, Together” roadmap, Google announced intentions to reduce the maximum validity for all public SSL/TLS certificates to 90 days from 398 days. This will affect several businesses across domains using SSL/TLS certificates to secure their websites.
Such a change in the policy will need changes across websites, certificate protocols, and a ballot proposal at the CA/B forum. Over the years, many certificate authorities like Comodo, RapidSSL, DigiCert, and others have offered SSL/TLS validity of up to 398 days. However, there have been concerns about trust issues with the longer validity of SSL certificates.
Secure Socket Layer (SSL) is a standard security protocol that secures the communication between server and browser through cryptographic encryptions. Every website owner needs to ensure site security and SSL certificates are optimal.
However, expiration of SSL certificate and renewals are vital to maintaining security, and this is where Google’s new policy will have a significant impact.
History of changes in SSL/TLS Validity
A reduction in SSL/TLS certificate validity to 13 months or 398 days was announced by Apple at the CA/Browser Forum in September 2020. Before 2015, certificates for people, businesses, and other entities had a maximum validity of five years.
In 2015, it was shortened to three years. In addition, the SSL/TLS validity was once more lowered to two years in 2018, and by 2019, a ballot to lower it to one year was proposed at the CA/Browser Forum. A new validity term of 13 months was established in 2020. However, Apple’s policy reversed those modifications.
Previously, the expiration dates for some SSL certificate types, such as Extended Validation (EV), were different from those for Organization Validation (OV) or Domain Validation (DV). However, the validity of each of these certificate kinds is now comparable.
Importance of SSL certificates
SSL certificates are essential in establishing trust and securing online communication. They serve as a digital “passport,” verifying and authenticating of the data, parties involved in a transaction in such a digital world.
SSL/TLS certificates are crucial for ensuring secure transactions and protecting sensitive data, whether an essential website or a complex system. It is also important for SEO purposes as Google considers HTTPS as one of the key ranking factors.
Impact of 90-Day SSL/TLS Validity on website security
Google has recommended a change from longer certificate durations to shorter ones with ramifications for website owners and certificate authorities (CAs).
The proposed 90-Day SSL/TLS Validity by Google is an attempt to promote automation, improve security procedures, and accelerate the adoption of cutting-edge security capabilities. By reducing the certificate lifetime, Google hopes to do away with labor-intensive and complicated issuing procedures, enable quicker certificate replacement, and foster agility.
The impact of this change on website security will be significant as website owners need to renew their SSL/TLS certificates more frequently, typically every 90 days. This requires a robust certificate management process to ensure timely renewal and avoid certificate expiration, which could result in website downtime and potential security risks.
Automation and efficiency
It is important to note that certificates are only valid for 90 days and must be renewed. One way to make this renewal process easier and more efficient is through automation tools like ACME. Automated certificate management systems can help streamline the renewal process and improve operational efficiency.
Certificate authorities and website owners must ensure these automation solutions are widely available and properly implemented for everyone to have access to them.
Renewing certificates more frequently can provide significant security benefits for organizations. Shorter certificate lifetimes reduce the risk of compromised or outdated certificates being used maliciously, and they allow for more rapid adoption of new security measures and technologies.
This can help to provide better protection against emerging threats, ultimately enhancing the overall security of an organization.
Although shorter validity periods can increase security, they may also lead to operational difficulties. Renewing a more significant number of certificates requires extra administrative effort and resources.
Organizations must guarantee that they have the appropriate procedures and systems to manage the increased workload of certificate management.
Although Google’s proposal carries weight, it needs wider industry agreement and involvement. If other browsers and CAs do not comply with Google’s goals, there may be discrepancies in the acceptance and timeline of the 90-day validity period. Yet, Google can still push for this change through its root program, which could encourage the industry to adopt shorter certificate lifetimes.
Benefits of shorter SSL/TLS validity
- Enhanced security by reducing the window of vulnerability
- Faster response to compromised certificates.
- Facilitates the adoption of emerging security technologies and best practices
- Encourages automation for efficient certificate management
- Reduces reliance on “broken” revocation-checking solutions
- Enables faster deployment of quantum-resistant algorithms
- Mitigates the risk of using outdated or compromised certificates
- Promotes regular certificate renewal and upkeep
- Supports the implementation of stricter security standards
- Provides increased agility in adapting to evolving security threats
How to navigate the transition to 90-day SSL/TLS validity?
Google’s announcement has not materialized yet, so it is crucial to check on regular updates regarding the 90-day SSL/TLS validity. Moreover, businesses must assess their SSL policy based on context and use cases within their organization.
Companies and individuals who may significantly affect 90-day SSL/TLS validity can navigate until the final implementation by Google is released.
- Stay informed about updates from Google and the CA/B Forum regarding the implementation timeline and enforcement dates.
- Begin preparations for the transition by exploring automated SSL certificate lifecycle management (CLM) solutions, such as ACME, to streamline the renewal process and ensure timely updates.
- Prioritize domain validation, as shorter certificate validity primarily affects this aspect.
- Monitor industry best practices and recommendations for SSL/TLS certificates to stay updated with evolving security requirements.
SSL/TLS validity changes affect certificate authorities and businesses relying on digital certificates for website security. Awareness is critical, so you need to check the latest updates on Google’s changes in HTTPS support and policy for SSL certificate validations.