Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. That means websites using long-life SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple's browser.
The policy was unveiled by the iGiant at a Certification Authority Browser Forum (CA/Browser) meeting on Wednesday. Specifically, according to those present at the confab, from September 1, any new website cert valid for more than 398 days will not be trusted by the Safari browser and instead rejected. Older certs, issued prior to the deadline, are unaffected by this rule.
By implementing the policy in Safari, Apple will, by extension, enforce it on all iOS and macOS devices. This will put pressure on website admins and developers to make sure their certs meet Apple's requirements – or risk breaking pages on a billion-plus devices and computers.
[...] Shortening the lifespan of certificates does come with some drawbacks. It has been noted that by increasing the frequency of certificate replacements, Apple and others are also making life a little more complicated for site owners and businesses that have to manage the certificates and compliance.
"Companies need to look to automation to assist with certificate deployment, renewal, and lifecycle management to reduce human overhead and the risk of error as the frequency of certificate replacement increases," Callan told us.
We note Let's Encrypt issues free HTTPS certificates that expire after 90 days, and provides tools to automate renewals, so those will be just fine – and they are used all over the web now. El Reg's cert is a year-long affair so we'll be OK.
GitHub.com uses a two-year certificate, which would fall foul of Apple's rules though it was issued before the cut-off deadline. However, it is due to be renewed by June, so there's plenty of opportunity to sort that out. Apple's website has a year-long HTTPS cert that needs renewing in October.
Microsoft is an interesting one: its dot-com's cert is a two-year affair, which expires in October. If Redmond renews it for another two years, it'll trip up over Safari's policy.
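A quick way to see whether a given cert would trip the rule described above is to compare its notBefore/notAfter dates against the 1 September 2020 cut-off and the 398-day limit. The script below is an added example written for this page, not code from the article or from Apple; the sample certificates in it are constructed, and the policy dates are taken from the text.

```python
"""Apply Safari's 398-day certificate lifetime rule to certificate validity dates."""
import ssl
from datetime import datetime, timezone

# Policy as described in the article: certs issued on or after 1 Sep 2020
# that are valid for more than 398 days are not trusted by Safari.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_DAYS = 398


def lifetime_days(not_before, not_after):
    """Validity period in whole days between two timezone-aware datetimes."""
    return (not_after - not_before).days


def safari_trusts(not_before, not_after):
    """Return (trusted, reason) for a cert with the given validity window."""
    days = lifetime_days(not_before, not_after)
    if not_before < POLICY_START:
        return True, f"issued before cut-off, old rules apply ({days} days)"
    if days > MAX_DAYS:
        return False, f"lifetime of {days} days exceeds {MAX_DAYS}"
    return True, f"lifetime of {days} days is within {MAX_DAYS}"


def parse_cert_time(text):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' format used by ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def check_peercert(cert):
    """Apply the rule to a dict shaped like ssl.SSLSocket.getpeercert()."""
    return safari_trusts(parse_cert_time(cert["notBefore"]),
                         parse_cert_time(cert["notAfter"]))


# Constructed sample validity windows (not real certificates).
SAMPLES = {
    "two-year cert issued after cut-off": {"notBefore": "Oct  1 00:00:00 2020 GMT",
                                           "notAfter": "Oct  1 00:00:00 2022 GMT"},
    "two-year cert issued before cut-off": {"notBefore": "Jun  1 00:00:00 2020 GMT",
                                            "notAfter": "Jun  1 00:00:00 2022 GMT"},
    "90-day cert (Let's Encrypt style)": {"notBefore": "Sep 15 00:00:00 2020 GMT",
                                          "notAfter": "Dec 14 00:00:00 2020 GMT"},
    "exactly 398 days, issued on cut-off": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                                            "notAfter": "Oct  4 00:00:00 2021 GMT"},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        trusted, reason = check_peercert(cert)
        print(f"{name}: {'trusted' if trusted else 'REJECTED'} ({reason})")
```

For a live site, the same dict comes from `ssl.create_default_context().wrap_socket(...).getpeercert()` after connecting, so `check_peercert` can be pointed at a real server without changes.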
(Score: 2) by Pino P on Tuesday February 25 2020, @04:24AM (10 children)
HTTPS as deployed offers no option for signing-only cipher suites. Therefore, using HTTPS implies using encryption. As for not using HTTPS in the first place, read on:
The specification of a growing number of web platform APIs specifies that the API's functionality shall be available only through secure contexts [pineight.com]. Attempting to access the API through cleartext HTTP fails, such as by raising a security exception. A site using any of these web platform APIs needs HTTPS.
(Score: 2) by driverless on Tuesday February 25 2020, @10:52AM
This is exactly what Android does, try and access some web service via HTTP instead of HTTPS and you get "CLEARTEXT communication to a.b.c.d is not permitted by network security policy", because Google knows much better than you do what needs to be secured and what doesn't, in this case an Arduino on an isolated network that controls watering room plants. Obviously that needs TLS, because Google says so.
(Score: 3, Insightful) by barbara hudson on Tuesday February 25 2020, @02:02PM (8 children)
SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
(Score: 2) by Pino P on Tuesday February 25 2020, @02:12PM (3 children)
Most users are logging into at least two of webmail, Facebook, Twitter, some specialized forum, and some online store.
Are you claiming it's "just fine" for home Internet service providers to intercept connections and insert ads?
(Score: 2) by barbara hudson on Wednesday February 26 2020, @02:07AM (2 children)
SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
(Score: 2) by Pino P on Wednesday February 26 2020, @02:28PM (1 child)
It's still probably the case that most users are logging into at least two of webmail, some specialized forum (such as SoylentNews), some online store selling physical goods (such as eBay or Amazon), and some subscription video streaming service.
(Score: 2) by barbara hudson on Wednesday February 26 2020, @10:22PM
And I'm not overly worried about someone snooping on my posts here, or I wouldn't make them in the first place. Sheesh! Not everyone is a mindless sheeple who "needs" (for some ridiculous value of "needs") streaming video, social media, and webmail because otherwise they don't know what to do with themselves. No wonder people don't talk to each other any more - they're out of practice.
SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
(Score: 1, Informative) by Anonymous Coward on Tuesday February 25 2020, @05:50PM (3 children)
HTTP "was" just fine.
Now HTTP is the reason to have your web page down listed on google searches.
Now HTTP is the trigger for a warning message in your browser.
Now HTTP will be flagged as insecure and possibly malicious.
Stop pretending this is the 90s. When iphone users stop browsing websites that fail to show, HTTP will no longer be "just fine" for anyone.
(Score: 2) by barbara hudson on Wednesday February 26 2020, @02:20AM (2 children)
Some people don't give a shit about site rankings in Google searches. Helps keep out those more clueless folks.
So what about a warning - it's just an icon that indicates the site doesn't use HTTPS. Studies show most people don't even see it, and those who do don't know what it means, so again, so what?
Flagged by who? That stupid icon that most people don't even see? If you're just going to a site to read crap, and you don't need to log in, HTTPS is overkill.
SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
(Score: 2) by FatPhil on Wednesday February 26 2020, @10:40PM (1 child)
No idea who the person behind that site is, but I like his forthrightness.
My webserver is an original RasPi, and I sure as heck don't want any unnecessary overheads on it (for me, when I'm developing/debugging), so I'm glad some are still fighting the cult of "https everywhere" (which is gradually removing sites from the subset of the internet visible to my 10-year-old smartphone).
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by barbara hudson on Wednesday February 26 2020, @11:02PM
From your link:
I get spam all the time asking if they can interest me in having them do SEO for soylentnews.org, or paid content, or whatever. Probably targeting me because I don't use a nym. Maybe I should pretend I actually have anything to do with decisions here and collect all their "amazing offers" and post them for shits and giggles.
SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.