Google and Apple are moving to reduce the lifespan of SSL/TLS certificates that have underpinned the security of web browsing for almost 30 years - and not everyone is happy about the change.
Although both tech giants believe the move will boost security and promote new, smarter ways of working, many experts predict "chaos", and admins fear that their workloads will multiply overnight.
With a history stretching back to the earliest days of the World Wide Web, the Secure Sockets Layer (SSL) protocol was developed by Netscape in 1994 to secure browser traffic, but it hit trouble immediately: version 1.0 was never publicly released because of security flaws found in it.
Its successor, TLS (Transport Layer Security), was standardised in 1999. Over the same period the maximum lifespan of a certificate has dropped from as much as eight years to just over one, and now both Google and Apple want to cut it further, to 90 or 45 days respectively.
SSL/TLS certificates are data files that bind a domain name to a public key, together with details such as the issuing certificate authority and the expiry date, and are signed by that authority so a browser can verify them. They authenticate a website to the client, so that an encrypted connection can be established with the right party.
But the burden of managing these certificates, and the security risks that surround them, mean that proposals to shorten their lifespan have not been greeted with universal enthusiasm.
Certified risk
The average enterprise now manages 3,730 TLS certificates, according to statistics from cybersecurity firm Venafi, with that number expected to increase 39% by 2026.
Its poll of 900 security leaders suggested that many organisations are unprepared for the shift, with 94% of those surveyed saying they were concerned, while 77% believed it would "cause chaos". Venafi says that 83% of organisations have been hit by certificate-related outages in the past year.
Currently, publicly trusted certificates last up to 398 days (about 13 months, a limit Apple imposed in Safari in 2020 and the other major browsers mirrored), down from 825 days (27 months) immediately before that and from five years earlier still.
Google has proposed cutting validity to 90 days in order to 'promote agility': a certificate that expires sooner limits how long a compromised or mis-issued key remains trusted, and reduces the ecosystem's dependence on revocation checks that browsers do not reliably perform.
When will certificate lifespan be reduced?
Apple proposed in a draft ballot measure for the Certification Authority Browser Forum (CA/B Forum) that the lifespan of the certificates should drop to 200 days by September 2025, then to 100 days by September 2026, and finally to 45 days in 2027.
Google has announced that it believes shorter certificate lifetimes will move the industry away from costly and error-prone manual processes and towards automation. It has not yet set a concrete timeline.
"Reducing certificate lifetime encourages automation and the adoption of practices that will drive the ecosystem away from baroque, time-consuming, and error-prone issuance processes," Google said. "These changes will allow for faster adoption of emerging security capabilities and best practices, and promote the agility required to transition the ecosystem to quantum-resistant algorithms quickly."
Others are less than delighted about the changes. Admins on Reddit describe the new system as requiring "six times more work" and say it could mean they have to "get up at 3am every 90 days".
One complained: "It was bad enough when Apple forced us to one year and now this."
A "pivotal" moment in internet history
Tim Callan, Chief Experience Officer at certificate authority (CA) Sectigo says that the shift towards shorter certificate lifespans has the potential to be a "Y2K bug for the 21st century".
He told The Stack: "Given the increasing reliance on digital services and the growing complexity of IT environments, the potential for widespread outages due to expired certificates is significant. Organisations across various industries, from healthcare to finance, could be impacted.
"In the healthcare sector, expired certificates can disrupt critical services such as electronic health records (EHRs) and equipment. In the supply chain, expired certificates can lead to delays in deliveries and disruptions to business operations. In the airline industry, expired certificates can cause flight delays, cancellations, and inconvenience for passengers."
The move will be a "pivotal" moment in online security, Callan believes, and with both Apple and Google on board with the idea, it’s also inevitable in the near future.
Callan said: “Automated certificate lifecycle management is going to be the norm for businesses moving forward. The gradual reduction in certificate lifespans, as outlined in [Apple’s] proposal, provides a phased approach to help businesses adapt to this new reality.
"It’s clear that Apple was listening to the public, and they constructed a proposal that took all of that feedback into account. We should know in a matter of weeks whether or not the proposal will move forward, but things seem to be moving in the right direction."
The introduction of shorter certificates is likely to mean hassle for some organisations, but is "essential", Kevin Bocek, Chief Innovation Officer at Venafi told The Stack.
Bocek said: “Certificate lifespans are currently far too long, which increases the likelihood that they will be compromised – over half (57%) of organisations have experienced security incidents involving compromised TLS certificates in the past year. Shortening certificate lifespans will help businesses reduce that risk.
“Yet while overall this is a positive step for the industry it is likely to bring some pain. Security teams should use this time to get 90-day ready if they are not already. Shorter lifespans will require organisations to find and renew certificates up to five times as often as they do currently. This significantly increases the chances that a vital expiry notification will be missed and trigger an outage.
“Ultimately, shortening life cycles will amplify existing challenges that many organisations face in managing and securing machine identities, like TLS certificates. As digital transformation – and the move towards more cloud-native technologies – accelerates, managing machine identities is getting harder and the volume of certificates increases.
“The good news is security teams today have machine identity security capabilities they didn’t have available just a few years ago. Security teams can get certificate lifecycle management (CLM), PKI-as-a-service and workload identity issuers all on one control plane – this eliminates the outage risk while removing the toil of managing and securing certificates.”
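The failure mode Bocek describes, a missed expiry that only surfaces as an outage, is the one an automated inventory must catch. As an added example (not from the article, Venafi or Sectigo), the script below shows the minimal offline check such a pipeline needs, written against the openssl command line. It assumes only that `openssl` is installed; the two certificates are constructed here as throwaway self-signed samples, standing in for a freshly issued 90-day leaf certificate and one about to lapse, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: offline expiry triage for a directory of PEM certificates.
# Assumes only the openssl CLI. The sample certificates are constructed below
# (self-signed, throwaway) and are not real site certificates.
set -e

WORKDIR=$(mktemp -d)

# make_demo_cert NAME DAYS: self-signed certificate valid for DAYS from now.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" \
        -days "$2" -subj "/CN=$1.example.test" >/dev/null 2>&1
}

# cert_not_after FILE: the notAfter date as openssl prints it (for reports).
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# cert_renewal_status FILE DAYS: "ok" if the certificate is still valid DAYS
# from now, "renew-now" otherwise. `openssl x509 -checkend N` exits 0 when the
# certificate will NOT expire within N seconds, so the shell test is inverted.
cert_renewal_status() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        echo ok
    else
        echo renew-now
    fi
}

# scan_certs DIR DAYS: print every PEM in DIR that expires within DAYS, one per
# line as "<file><tab><notAfter>". This is the loop a fleet inventory runs
# daily; with 45-day certificates a 30-day lead time is the reissue trigger.
scan_certs() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        if [ "$(cert_renewal_status "$f" "$2")" = renew-now ]; then
            printf '%s\t%s\n' "$f" "$(cert_not_after "$f")"
        fi
    done
}

make_demo_cert demo90 90   # a freshly issued 90-day certificate
make_demo_cert demo1 1     # one that lapses tomorrow

echo "demo90, 30-day lead:  $(cert_renewal_status "$WORKDIR/demo90.pem" 30)"   # ok
echo "demo90, 100-day lead: $(cert_renewal_status "$WORKDIR/demo90.pem" 100)"  # renew-now
echo "Expiring within 30 days:"
scan_certs "$WORKDIR" 30
```

The point of `-checkend` is that it asks the question a renewal job actually needs answered ("will this still be valid at the time of the next run plus my lead time?") without parsing the date string, which differs between platforms. Scaling the lead time to the lifetime matters: a 30-day warning is comfortable for a 398-day certificate and is most of the life of a 45-day one, so the same check has to run far more often under the proposed limits.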