Strict on Safari
Apple has recently revealed a new, more stringent policy on HTTPS certificates – whereby Safari will no longer accept them if they expire more than 13 months from their creation date.
The policy is expected to come into effect later this year, meaning that any website still using long-life SSL/TLS certificates after the cut-off point will provoke privacy errors in Safari.
Apple first unveiled the new rules on Wednesday at the Certification Authority Browser Forum (CA/Browser Forum) meeting in Slovakia, whose attendees were amongst the first to hear the news.
It has been reported that the cut-off point is 1st September 2020 – after this date, any new website certificate that is valid for more than 398 days will not be trusted by Safari and will therefore be rejected.
As Safari runs on all iOS and macOS devices, the implementation of this policy could leave developers and website admins feeling the pressure to ensure their certificates meet the requirements set out by Apple – or risk losing visitors to their sites.
It is, however, important to note that this rule only applies to new certificates. Tim Callan, a senior fellow at PKI and SSL management firm Sectigo, attended the meeting in Slovakia and reinforced that,
“Certificates issued prior to September 1 will have the same acceptable duration as certificates do today, which is 825 days. No action is required for these certificates.”
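To see which certificates in an inventory would fall foul of these limits, the two thresholds above can be turned into a small audit script. This is an added example, not code from Apple or Sectigo; it assumes each certificate is supplied in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`, treats `notBefore` as the issue date, and uses constructed sample data with hypothetical host names.

```python
import ssl
from datetime import datetime, timezone

# Policy values taken from the article.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_DAYS_NEW = 398   # certificates issued from the cut-off onwards
MAX_DAYS_OLD = 825   # certificates issued before the cut-off


def _parse(ts):
    # getpeercert() reports times such as "Sep  1 00:00:00 2020 GMT".
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)


def check_lifetime(cert):
    """Return (ok, validity_days, limit_days) for a getpeercert()-style dict."""
    not_before = _parse(cert["notBefore"])
    not_after = _parse(cert["notAfter"])
    # Assumption: notBefore stands in for the issue date, and the validity
    # period is measured as notAfter minus notBefore.
    limit = MAX_DAYS_OLD if not_before < CUTOFF else MAX_DAYS_NEW
    validity = (not_after - not_before).total_seconds() / 86400
    return validity <= limit, validity, limit


def audit(inventory):
    """Return the names of over-limit certificates, largest excess first."""
    failures = []
    for name, cert in inventory.items():
        ok, days, limit = check_lifetime(cert)
        if not ok:
            failures.append((days - limit, name))
    return [name for _, name in sorted(failures, reverse=True)]


# Constructed sample inventory (not real certificates).
SAMPLE = {
    "legacy.example": {"notBefore": "Aug 15 00:00:00 2020 GMT",
                       "notAfter": "Nov  1 00:00:00 2022 GMT"},
    "twoyear.example": {"notBefore": "Sep  2 00:00:00 2020 GMT",
                        "notAfter": "Sep  2 00:00:00 2022 GMT"},
    "annual.example": {"notBefore": "Oct  1 00:00:00 2020 GMT",
                       "notAfter": "Oct 31 00:00:00 2021 GMT"},
    "padded.example": {"notBefore": "Sep 10 12:00:00 2020 GMT",
                       "notAfter": "Oct 20 12:00:00 2021 GMT"},
}

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print(host, "exceeds the permitted certificate lifetime")
```

The 808-day `legacy.example` certificate passes because it predates the cut-off, while the 405-day `padded.example` certificate fails even though it is only a week over the new limit.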
Whilst cutting certificate lifetimes has caused debate amongst the tech community for some time, the aim of the move by Apple is primarily to improve website security. By making sure developers use certificates with the latest cryptographic standards, and reducing the number of old, perhaps neglected, certificates, the risk of phishing and malware attacks is reduced.
However, Apple’s decision has sparked some criticism that increasing the frequency of certificate replacements makes life difficult for businesses that have to keep on top of compliance. Tim Callan commented,
“Companies need to look to automation to assist with certificate deployment, renewal, and lifecycle management to reduce human overhead and the risk of error as the frequency of certificate replacement increases.”