
posted by janrinok on Monday February 24 2020, @07:05PM
from the honestly,-it's-for-your-own-good... dept.

Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months:

Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. That means websites using long-life SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple's browser.

The policy was unveiled by the iGiant at a Certification Authority Browser Forum (CA/Browser) meeting on Wednesday. Specifically, according to those present at the confab, from September 1, any new website cert valid for more than 398 days will not be trusted by the Safari browser and instead rejected. Older certs, issued prior to the deadline, are unaffected by this rule.

By implementing the policy in Safari, Apple will, by extension, enforce it on all iOS and macOS devices. This will put pressure on website admins and developers to make sure their certs meet Apple's requirements – or risk breaking pages on a billion-plus devices and computers.

[...] Shortening the lifespan of certificates does come with some drawbacks. It has been noted that by increasing the frequency of certificate replacements, Apple and others are also making life a little more complicated for site owners and businesses that have to manage the certificates and compliance.

"Companies need to look to automation to assist with certificate deployment, renewal, and lifecycle management to reduce human overhead and the risk of error as the frequency of certificate replacement increases," Callan told us.

We note Let's Encrypt issues free HTTPS certificates that expire after 90 days, and provides tools to automate renewals, so those will be just fine – and they are used all over the web now. El Reg's cert is a year-long affair so we'll be OK.

GitHub.com uses a two-year certificate, which would fall foul of Apple's rules though it was issued before the cut-off deadline. However, it is due to be renewed by June, so there's plenty of opportunity to sort that out. Apple's website has a year-long HTTPS cert that needs renewing in October.

Microsoft is an interesting one: its dot-com's cert is a two-year affair, which expires in October. If Redmond renews it for another two years, it'll trip up over Safari's policy.
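A check for the rule described above, added here as an example and not code from the article or from Apple: it parses a certificate with Go's standard library and measures the span from notBefore to notAfter, which is what the article says the rule looks at (expiry relative to creation date), then applies the article's two figures, the 398-day cap and the September 1 2020 cutoff. The certificate is a self-signed one constructed inline, standing in for the two-year renewal the article describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy as the article reports it: from September 1 2020, new certs valid for more than 398 days are rejected.
const maxLifetimeDays = 398.0
var cutoff = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC)

// checkLifetime returns the notBefore-to-notAfter span in days (the rule measures this, not the time
// left until expiry) and whether the announced rule accepts it; certs issued before the cutoff are unaffected.
func checkLifetime(c *x509.Certificate) (days float64, trusted bool) {
	days = c.NotAfter.Sub(c.NotBefore).Hours() / 24
	return days, c.NotBefore.Before(cutoff) || days <= maxLifetimeDays
}

// selfSignedCert builds a throwaway cert (constructed input, not CA-issued) so the check runs offline.
func selfSignedCert(notBefore time.Time, days int) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// The Microsoft scenario from the article: a two-year renewal issued after the cutoff.
	c, err := selfSignedCert(time.Date(2020, time.October, 1, 0, 0, 0, 0, time.UTC), 730)
	if err != nil {
		panic(err)
	}
	days, ok := checkLifetime(c)
	fmt.Printf("%.0f-day cert issued %s: trusted=%v\n", days, c.NotBefore.Format("2006-01-02"), ok)
}
```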


  • (Score: 2) by All Your Lawn Are Belong To Us (6553) on Tuesday February 25 2020, @11:03AM (#962309)

    I think you have that a little backwards, if I understand the summary. You can't use Safari to talk to embedded systems any more unless you're within 12 months of whatever expiration date they set, not within 12 months of start uptime.

    Even then, if you can get dating on the cert maybe you could just edit your system time to link up with it? You wouldn't do that for the general web, but for a SCADA/IoT/embedded device maybe you would. That, and the earlier, is predicated on Apple looking at the expiration date of the cert only and comparing to today, not taking the issue date/expiration date and calculating the difference.

    If it were universal that might even be a way to foil script-kiddie level hacks trying to use browsers for IoT stuff. Give your certs some ridiculous dating so no browser will recognize it unless your clock is changed to match. It's not really security but it is a layer of obfuscation.

    --
    This sig for rent.
  • (Score: 3, Interesting) by driverless (4770) on Tuesday February 25 2020, @11:11AM (#962314)

    Doesn't work because it would break all Internet sites with correct times because cert, CRL, and OCSP times would be out. Another cool security feature, your clock is off so the CRL is future-dated so we'll assume the cert is invalid and won't let you connect. Or at least Firefox does that.

    • (Score: 2) by Pino P (4721) on Tuesday February 25 2020, @02:28PM (#962373)

      Then use one clock setting to connect to SCADA and a different clock setting to connect to public websites.

      • (Score: 3, Informative) by tangomargarine (667) on Tuesday February 25 2020, @03:43PM (#962397)

        We're going off into the weeds here. The far simpler solution is for Safari to not be dumb.

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
        • (Score: 2) by Pino P (4721) on Tuesday February 25 2020, @08:45PM (#962539)

          "To not be dumb" is a tall task for Safari or any other proprietary or tivoized software.

          • (Score: 2) by driverless (4770) on Tuesday February 25 2020, @11:24PM (#962602)

            Or for security people in general. Security people are supposed to provide guide rails, but most of the time they just make a roadblock.