Maximum Lifespan of SSL/TLS Certificates is 398 Days Starting Today

September 4, 2020



Starting this week, the lifespan of new TLS certificates will be limited to 398 days, a little over a year, down from the previous maximum lifetime of 27 months (825 days).

In a move that’s meant to boost security, Apple, Google, and Mozilla are set to reject publicly rooted digital certificates in their respective web browsers that expire more than 13 months (or 398 days) from their creation date.

The lifespan of SSL/TLS certificates has shrunk significantly over the last decade. In 2011, the Certification Authority Browser Forum (CA/Browser Forum), a consortium of certification authorities and vendors of browser software, imposed a limit of five years, bringing down the certificate validity period from 8-10 years.

Subsequently, in 2015, it was cut to three years, and then to two years in 2018.

Although the proposal to reduce TLS/SSL lifetimes to one year was shot down in a ballot last September, the measure has been overwhelmingly supported by browser makers such as Apple, Google, Microsoft, Mozilla, and Opera.

Then in February this year, Apple became the first company to announce that it intends to reject new TLS certificates issued on or after September 1 that have a validity of more than 398 days. Since then, both Google and Mozilla have followed suit to enforce similar 398-day limits.

Certificates issued before the enforcement date won't be impacted, nor will those issued from user-added or administrator-added root certificate authorities (CAs).

“Connections to TLS servers violating these new requirements will fail,” Apple explained in a support document. “This might cause network and app failures and prevent websites from loading.”

For its part, Google intends to reject certificates that violate the validity clause with the error “ERR_CERT_VALIDITY_TOO_LONG” and treat them as misissued.

Additionally, some SSL certificate providers, such as DigiCert and Sectigo, have already stopped issuing certificates with a two-year validity.

To avoid unintended consequences, Apple recommends that certificates be issued with a maximum validity of 397 days.
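The rules laid out above (enforcement date, 398-day hard limit, exemption for user- or administrator-added roots, and Apple's 397-day recommendation) can be turned into a simple checker. This is an added example, not code from the article or from any browser vendor; the validity windows it evaluates are constructed, not taken from real certificates, and the `publicly_trusted_root` flag is an assumed input standing in for the chain-building result a browser would have.

```python
from datetime import datetime, timedelta, timezone

# Policy values taken from the article (Apple, Google and Mozilla, September 2020).
ENFORCEMENT_DATE = datetime(2020, 9, 1, tzinfo=timezone.utc)  # rule covers certs issued on/after this
MAX_VALIDITY = timedelta(days=398)      # hard browser limit
RECOMMENDED_MAX = timedelta(days=397)   # Apple's recommended ceiling, a one-day safety margin
CHROME_ERROR = "ERR_CERT_VALIDITY_TOO_LONG"


def check_lifetime(not_before, not_after, publicly_trusted_root=True):
    """Apply the 398-day rule to one certificate's validity window (UTC datetimes).

    publicly_trusted_root=False models a chain to a user- or admin-added root, which is exempt.
    """
    validity = not_after - not_before
    days = validity.total_seconds() / 86400  # keep fractions: one extra second can tip the limit
    result = {"validity_days": round(days, 4), "rejected": False, "error": None}
    if not publicly_trusted_root:
        result["reason"] = "exempt: chains to a user- or administrator-added root CA"
    elif not_before < ENFORCEMENT_DATE:
        result["reason"] = "exempt: issued before 2020-09-01, so grandfathered"
    elif validity > MAX_VALIDITY:
        result.update(rejected=True, error=CHROME_ERROR,
                      reason=f"validity of {days:.4f} days exceeds the 398-day limit")
    elif validity > RECOMMENDED_MAX:
        result["reason"] = "accepted, but above Apple's recommended 397-day maximum"
    else:
        result["reason"] = "accepted"
    return result


def evaluate_samples():
    """Run the check over constructed validity windows (not real certificates)."""
    after = datetime(2020, 9, 10, tzinfo=timezone.utc)   # issued after the cutoff
    before = datetime(2020, 8, 20, tzinfo=timezone.utc)  # issued before the cutoff
    samples = {
        "825-day cert issued after cutoff": (after, after + timedelta(days=825), True),
        "825-day cert issued before cutoff": (before, before + timedelta(days=825), True),
        "398 days plus one second": (after, after + timedelta(days=398, seconds=1), True),
        "exactly 398 days": (after, after + timedelta(days=398), True),
        "397 days (Apple recommendation)": (after, after + timedelta(days=397), True),
        "825-day cert from private root": (after, after + timedelta(days=825), False),
    }
    return {label: check_lifetime(nb, na, pub) for label, (nb, na, pub) in samples.items()}


if __name__ == "__main__":
    for label, r in evaluate_samples().items():
        print(f"{label}: rejected={r['rejected']} ({r['reason']})")
```

The "398 days plus one second" case shows why Apple suggests 397 days: a CA that issues a nominal 398-day certificate with notBefore and notAfter a few seconds apart on the clock lands on the wrong side of the limit.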

Why Shorten Certificate Lifespans?

Capping TLS/SSL lifetimes improves website security because it reduces the period in which compromised or bogus certificates can be exploited to mount phishing and malware attacks.

That’s not all. Mobile versions of Chrome and Firefox do not proactively check for certificate status due to performance constraints, causing websites with revoked certificates to load without giving any warning to the user.

For developers and site owners, the development is a good time to implement certificate automation using tools such as Let's Encrypt and EFF's Certbot, which offer an easy way to set up, issue, renew, and replace SSL/TLS certificates without manual intervention.

“Expired certificates continue to be a massive problem, costing companies millions of dollars due to outages every year,” said Chris Hickman, the chief security officer at Keyfactor. “On top of that, more frequent expired certificate warnings may result in web visitors becoming more comfortable bypassing the security warnings and error messages.”

“However, certificate subscribers frequently forget how or when to replace certificates, causing service outages from unexpected expiration […] leaving them ill-equipped to manage these new shorter lifetimes at scale.”

Source: The Hacker News
