
posted by janrinok on Monday February 24 2020, @07:05PM   Printer-friendly
from the honestly,-it's-for-your-own-good... dept.

Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months:

Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. That means websites using long-life SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple's browser.

The policy was unveiled by the iGiant at a Certification Authority Browser Forum (CA/Browser Forum) meeting on Wednesday. Specifically, according to those present at the confab, from September 1, any new website cert valid for more than 398 days will not be trusted by the Safari browser and will instead be rejected. Older certs, issued prior to the deadline, are unaffected by this rule, however long they are valid for.

By implementing the policy in Safari, Apple will, by extension, enforce it on all iOS and macOS devices. This will put pressure on website admins and developers to make sure their certs meet Apple's requirements – or risk breaking pages on a billion-plus devices and computers.

[...] Shortening the lifespan of certificates does come with some drawbacks. It has been noted that by increasing the frequency of certificate replacements, Apple and others are also making life a little more complicated for site owners and businesses that have to manage the certificates and compliance.

"Companies need to look to automation to assist with certificate deployment, renewal, and lifecycle management to reduce human overhead and the risk of error as the frequency of certificate replacement increases," Callan told us.

We note Let's Encrypt issues free HTTPS certificates that expire after 90 days, and provides tools to automate renewals, so those will be just fine – and they are used all over the web now. El Reg's cert is a year-long affair so we'll be OK.

GitHub.com uses a two-year certificate, which would fall foul of Apple's rules had it been issued after the cut-off; since it was issued before the deadline, it is unaffected. In any case it is due to be renewed by June, so there's plenty of opportunity to sort that out. Apple's website has a year-long HTTPS cert that needs renewing in October.

Microsoft is an interesting one: its dot-com's cert is a two-year affair, which expires in October. If Redmond renews it for another two years, it'll trip up over Safari's policy.
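The rule as the article describes it is a simple comparison of a certificate's notBefore and notAfter dates plus a cut-off exemption, but the cut-off is where operators get caught out. The following Python is an added example, not code from The Register, Apple or the CA/Browser Forum. It takes the dates in the string form Python's standard-library `ssl.getpeercert()` returns ('Sep  1 00:00:00 2020 GMT'), classifies a certificate as accepted, rejected, or grandfathered by the September 1 cut-off, and includes a helper (`verdict_for_host`, a name of my own) that fetches a live site's certificate so the GitHub, Apple and Microsoft certs mentioned above can be checked. The sample date pairs are constructed, not real certificates.

```python
"""Apply Safari's 398-day lifetime rule to a certificate's validity dates.

Added example; not from the article, Apple or the CA/Browser Forum.
Dates are in the 'Mon DD HH:MM:SS YYYY GMT' form that ssl.getpeercert()
returns, so the check can be run directly on a live TLS connection.
"""
import socket
import ssl
from datetime import datetime, timezone

MAX_DAYS = 398  # limit named in the article
# Policy applies only to certificates issued from this instant onwards.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)


def _parse(cert_time: str) -> datetime:
    """Parse the notBefore/notAfter string format used by ssl.getpeercert()."""
    # ssl.cert_time_to_seconds interprets the 'GMT' suffix as UTC.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def lifetime_days(not_before: str, not_after: str) -> float:
    """Validity period in days, measured from notBefore to notAfter."""
    return (_parse(not_after) - _parse(not_before)).total_seconds() / 86400


def safari_verdict(not_before: str, not_after: str) -> str:
    """Return 'accept', 'reject' or 'grandfathered'.

    'grandfathered' marks a long-lived certificate that Safari still trusts
    only because it was issued before the cut-off; it cannot be renewed
    like-for-like without tripping the rule.
    """
    issued = _parse(not_before)
    days = lifetime_days(not_before, not_after)
    if days <= MAX_DAYS:
        return "accept"
    return "reject" if issued >= CUTOFF else "grandfathered"


def verdict_for_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch a site's leaf certificate over TLS and classify it (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()  # dict with 'notBefore' / 'notAfter'
    return safari_verdict(cert["notBefore"], cert["notAfter"])


# Constructed sample validity periods, not real certificates.
SAMPLES = {
    "two-year cert issued after cutoff": ("Oct  1 00:00:00 2020 GMT", "Oct  1 00:00:00 2022 GMT"),
    "two-year cert issued before cutoff": ("Oct  1 00:00:00 2018 GMT", "Oct  1 00:00:00 2020 GMT"),
    "90-day cert (Let's Encrypt style)": ("Sep  1 00:00:00 2020 GMT", "Nov 30 00:00:00 2020 GMT"),
    "exactly 398 days": ("Sep  1 00:00:00 2020 GMT", "Oct  4 00:00:00 2021 GMT"),
    "399 days": ("Sep  1 00:00:00 2020 GMT", "Oct  5 00:00:00 2021 GMT"),
}

if __name__ == "__main__":
    for label, (nb, na) in SAMPLES.items():
        print(f"{label:38s} {lifetime_days(nb, na):6.0f} days -> {safari_verdict(nb, na)}")
    # Live check, e.g.: print(verdict_for_host("www.microsoft.com"))
```

The comparison follows the article's plain reading (more than 398 days is rejected). The CA/Browser Forum's Baseline Requirements define the validity period inclusively, from notBefore through notAfter, so a certificate whose notAfter sits exactly 398 days after notBefore is already over the line by one second under that definition; this is why CAs issue 397-day certificates to leave a margin, and why a result at the boundary should be treated as a failure rather than a pass. A 'grandfathered' verdict is the one to act on before renewal: the current certificate works, but its like-for-like replacement will not.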

  • (Score: 2, Informative) by Anonymous Coward on Monday February 24 2020, @09:21PM (7 children)

    by Anonymous Coward on Monday February 24 2020, @09:21PM (#962009)

    In the organisations that I've been working with, anything that needs to be done less often than once a year (and in most cases, every six months) means there isn't a decent process involved. This means things get forgotten, skipped, or just ignored because the 'guy that used to do it' no longer works here.

    When things are consistent with a relatively short period, they are not forgotten about, and become far more efficient as they are part of a larger process/effort. I recommend cert renewals (irrespective of expiration times) be done no less often than every 6 months.

    This is not the same as password changes, since the effort in a password change isn't the few minutes it takes to change the password, but the weeks afterwards that it takes to memorise/forget the new password. Out of fear, people choose weak passwords. This doesn't happen for certs, because as long as the effort is taken at all, the cert is good to go.

    Also, most organisations that have no cert process also don't have good security processes. Which means they make a 10 year cert so they can forget about it. Even if their systems are hacked (exposing the private keys), they don't bother updating the certs because either they forget, or it's too onerous because they can't remember what they did the last time (assuming the same people even work there).

    Once a company has a good security policy and process, things like cert renewals are effortless. Especially with the automated tools provided by the CAs these days. And thanks to LetsEncrypt, this automation is available to everyone and anyone at virtually no cost.

  • (Score: 2) by DannyB on Monday February 24 2020, @09:28PM (6 children)

    by DannyB (5839) Subscriber Badge on Monday February 24 2020, @09:28PM (#962010) Journal

    In the organisations that I've been working with, anything that needs to be done less often than once a year (and in most cases, every six months) means there isn't a decent process involved. This means things get forgotten, skipped, or just ignored because the 'guy that used to do it' no longer works here.

    Sounds like a security problem waiting to happen.

    Maybe that is what Apple wants to fix? Although it is hard to say with Apple. I have no particular love for Apple (since about 1998).

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 4, Insightful) by barbara hudson on Monday February 24 2020, @10:34PM (2 children)

      by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Monday February 24 2020, @10:34PM (#962048) Journal
      Doesn't matter what their intentions are - they're lying to their users by saying a perfectly valid cert is invalid. Hope a bunch of sites do a class action to sue Apple for slander and defamation. On this topic, fuck Apple. Guess I'll skip the last update.
      --
      SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
      • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @03:24AM (1 child)

        by Anonymous Coward on Tuesday February 25 2020, @03:24AM (#962185)

        Is it legally actionable? Can it be said that a certificate is a "person" (like a company) and therefore...

        • (Score: 5, Interesting) by barbara hudson on Tuesday February 25 2020, @03:31AM

          by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Tuesday February 25 2020, @03:31AM (#962190) Journal
          You're the site operator and Apple is basically saying you're incompetent and your site is insecure. Even though it's fine because the certificate isn't expired. Sounds like defamation and possibly unfair trade practices.
          --
          SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @03:00AM (2 children)

      by Anonymous Coward on Tuesday February 25 2020, @03:00AM (#962172)
      So how often do you bunch change your SSH keys anyway? Every year? If not, isn't that a security problem waiting to happen too?

      Meanwhile Apple should reject CA certs that have a lifespan for more than 13 months too for the same reasons. ;)
      • (Score: 2) by Chocolate on Tuesday February 25 2020, @03:27AM

        by Chocolate (8044) on Tuesday February 25 2020, @03:27AM (#962188) Journal

        No... But maybe it should be! At ~$5 a token, just think of how much money you're denying hardware token makers!
        Think of the profits!

        --
        Bit-choco-coin anyone?
      • (Score: 2) by DannyB on Tuesday February 25 2020, @06:17PM

        by DannyB (5839) Subscriber Badge on Tuesday February 25 2020, @06:17PM (#962462) Journal

        I don't decide when, but I am involved with the implementation. In my case, about 1.5 to 2 years per certificate as I seem to recall.

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.