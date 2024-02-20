from the honestly,-it's-for-your-own-good... dept.
Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months:
Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. That means websites using long-life SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple's browser.
The policy was unveiled by the iGiant at a Certification Authority Browser Forum (CA/Browser) meeting on Wednesday. Specifically, according to those present at the confab, from September 1, any new website cert valid for more than 398 days will not be trusted by the Safari browser and instead rejected. Older certs, issued prior to the deadline, are unaffected by this rule.
By implementing the policy in Safari, Apple will, by extension, enforce it on all iOS and macOS devices. This will put pressure on website admins and developers to make sure their certs meet Apple's requirements – or risk breaking pages on a billion-plus devices and computers.
[...] Shortening the lifespan of certificates does come with some drawbacks. It has been noted that by increasing the frequency of certificate replacements, Apple and others are also making life a little more complicated for site owners and businesses that have to manage the certificates and compliance.
"Companies need to look to automation to assist with certificate deployment, renewal, and lifecycle management to reduce human overhead and the risk of error as the frequency of certificate replacement increase," Callan told us.
We note Let's Encrypt issues free HTTPS certificates that expire after 90 days, and provides tools to automate renewals, so those will be just fine – and they are used all over the web now. El Reg's cert is a year-long affair so we'll be OK.
GitHub.com uses a two-year certificate, which would fall foul of Apple's rules though it was issued before the cut-off deadline. However, it is due to be renewed by June, so there's plenty of opportunity to sort that out. Apple's website has a year-long HTTPS cert that needs renewing in October.
Microsoft is an interesting one: its dot-com's cert is a two-year affair, which expires in October. If Redmond renews it for another two years, it'll trip up over Safari's policy.
(Score: 0) by Anonymous Coward on Monday February 24, @07:19PM (1 child)
Only those catering to hipsters will be impacted.
(Score: 0) by Anonymous Coward on Monday February 24, @07:55PM
Only if it's an Apple approved website that didn't miss their Apple membership dues.
(Score: 5, Insightful) by bradley13 on Monday February 24, @07:45PM (2 children)
This is like the asinine requirement to change your password frequently. It doesn't increase security, but it does cause a lot of hassle.
Worse: it means that you must build in a mechanism to update certificates into *everything* - which is itself a risk factor. Depending on the projected lifetime of a system, it may well be safer to install a long-term certificate, rather than opening a new attack vector through an update mechanism.
On top of which: this is non-standard behavior. Who does Apple think they are? Microsoft from the 1990s?
Everyone is somebody else's weirdo.
(Score: 2) by barbara hudson on Monday February 24, @08:02PM
(Score: 3, Insightful) by knarf on Monday February 24, @08:28PM
They'll probably launch Apple-certified long term certificates for a ....special... price which circumvent this limitation. Apple gets another few million, their flock will laud their daring incredibly amazing initiative, rinse, repeat.
(Score: 3, Insightful) by sjames on Monday February 24, @08:11PM (1 child)
Thanks to Apple and co telling us we're just little children and need to obey the rules they set, security goes out the window. The riskiest time in the life cycle of a cert is when it is issued and installed. Apple just unilaterally doubled or tripled that risk.
The most suspicious occurrence for a cert is for it to suddenly change. Note how the user is not even informed when that happens.
For many embedded devices, particularly those that should be on a private LAN with no route to the internet, the correct time to update their cert is NEVER. The correct number of flaming hoops to make users of such systems jump through to have a secure connection is ZERO.
We have quite enough problems getting security consistently implemented now. Making it a bigger pain in the ass will NOT help the situation.
(Score: 2) by SomeGuy on Monday February 24, @08:35PM
Time to go back to good old fashion HTTP.