SoylentNews is people

posted by janrinok on Monday February 24 2020, @07:05PM
from the honestly,-it's-for-your-own-good... dept.

Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months:

Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. That means websites using long-life SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple's browser.

The policy was unveiled by the iGiant at a Certification Authority Browser Forum (CA/Browser) meeting on Wednesday. Specifically, according to those present at the confab, from September 1, any new website cert valid for more than 398 days will not be trusted by the Safari browser and instead rejected. Older certs, issued prior to the deadline, are unaffected by this rule.

By implementing the policy in Safari, Apple will, by extension, enforce it on all iOS and macOS devices. This will put pressure on website admins and developers to make sure their certs meet Apple's requirements – or risk breaking pages on a billion-plus devices and computers.

[...] Shortening the lifespan of certificates does come with some drawbacks. It has been noted that by increasing the frequency of certificate replacements, Apple and others are also making life a little more complicated for site owners and businesses that have to manage the certificates and compliance.

"Companies need to look to automation to assist with certificate deployment, renewal, and lifecycle management to reduce human overhead and the risk of error as the frequency of certificate replacement increases," Callan told us.

We note Let's Encrypt issues free HTTPS certificates that expire after 90 days, and provides tools to automate renewals, so those will be just fine – and they are used all over the web now. El Reg's cert is a year-long affair so we'll be OK.

GitHub.com uses a two-year certificate, which would fall foul of Apple's rules though it was issued before the cut-off deadline. However, it is due to be renewed by June, so there's plenty of opportunity to sort that out. Apple's website has a year-long HTTPS cert that needs renewing in October.

Microsoft is an interesting one: its dot-com's cert is a two-year affair, which expires in October. If Redmond renews it for another two years, it'll trip up over Safari's policy.
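
The rule described above (new certificates valid for more than 398 days rejected, certificates issued before September 1 unaffected) can be checked against a certificate inventory before renewals are ordered. The following is an added example, not code from the article or from Apple; the cut-off time of day, the way lifetime is measured, the function names and the sample hosts are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Assumptions, not stated in the article: the cut-off is read as 00:00 UTC on
# 1 September 2020, and lifetime is measured as notAfter minus notBefore.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=398)

# Constructed sample inventory: host -> (notBefore, notAfter), in the text
# form that ssl.SSLSocket.getpeercert() reports. Not real certificates.
SAMPLE_INVENTORY = {
    "ninety-day.example": ("Oct  1 00:00:00 2020 GMT", "Dec 30 00:00:00 2020 GMT"),
    "old-two-year.example": ("Jun  1 00:00:00 2019 GMT", "Jun  1 00:00:00 2021 GMT"),
    "new-two-year.example": ("Oct 15 00:00:00 2020 GMT", "Oct 15 00:00:00 2022 GMT"),
    "boundary.example": ("Sep  1 00:00:00 2020 GMT", "Oct  4 00:00:00 2021 GMT"),
}


def _parse(cert_time):
    """Convert a getpeercert()-style timestamp to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def lifetime_verdict(not_before, not_after):
    """Return (status, lifetime) where status is 'ok', 'exempt' or 'too_long'."""
    issued, expires = _parse(not_before), _parse(not_after)
    if expires <= issued:
        raise ValueError("notAfter must be later than notBefore")
    lifetime = expires - issued
    if issued < CUTOFF:
        return "exempt", lifetime      # issued before the cut-off: rule does not apply
    if lifetime > MAX_LIFETIME:
        return "too_long", lifetime    # would be rejected under the announced policy
    return "ok", lifetime


def audit(inventory):
    """Map each host to its verdict so non-compliant renewals can be flagged."""
    return {host: lifetime_verdict(nb, na) for host, (nb, na) in inventory.items()}


if __name__ == "__main__":
    for host, (status, lifetime) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:22} {status:9} {lifetime.days} days")
```

A two-year certificate that is "exempt" today becomes "too_long" if it is renewed on the same terms after the cut-off, which is the Microsoft scenario the article describes.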

  • (Score: 2) by barbara hudson on Monday February 24 2020, @08:40PM (13 children)

    Or just use another browser. This only affects Safari.
    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
  • (Score: 2) by DannyB on Monday February 24 2020, @08:53PM (5 children)


    It will affect everyone. Safari users are going to whine far more (about 81% more) loudly than users of other browsers. So YOU WILL be affected.

    This affects you more if you run a web site or web application than if you are someone using a web browser. If you are just browsing, then yes, by all means, switch from Safari to a browser on Linux.

    --
    Young people won't believe you if you say you used to get Netflix by US Postal Mail.
    • (Score: 2) by barbara hudson on Monday February 24 2020, @09:31PM (3 children)

      Just detect the user agent and direct them to download another browser because Safari incorrectly reports certain as expired. Serve the page via http so it doesn't trigger a certificate expired notice. Problem solved. It's less than 4% of desktop and laptop users. 25% of mobile users. Let them whine to Apple for breaking the internet this time (it was Google who forced the drop to 2 year certs).
      --
      SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
      • (Score: 2) by Pino P on Tuesday February 25 2020, @04:29AM (2 children)


        [Safari is] 25% of mobile users.

        It depends on the country, the language, and the overall income level of the visitors to a particular website. Industrialized anglophone countries (USA, Canada, Britain, Ireland, Australia, NZ) have a greater usage share of iOS (and thus Safari and other browsers sharing its engine) than other countries. For example, caniuse.com reports that 80.3 percent of users of tracked web browsers worldwide can play Ogg Vorbis audio [caniuse.com], but only 50.8 percent of users in the United States can. This is due to the greater usage share of iOS in the United States compared to elsewhere. And even within a country, higher-income residents of those countries are more likely to use iOS. So if your target market is high-income residents of industrialized anglophone countries, you need to accommodate Safari.

        • (Score: 2) by barbara hudson on Tuesday February 25 2020, @02:06PM (1 child)

          And in that case get off your arse and make a complaint about Apple's anticompetitive behaviour and unfair trade practices by falsely claiming that a valid certificate is expired. The FTC may have gone into the shitter of late, but the Europeans are still listening.
          --
          SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
          • (Score: 2) by Pino P on Tuesday February 25 2020, @02:22PM


            And in that case get off your arse and make a complaint about Apple's anticompetitive behaviour and unfair trade practices

            That depends on having an administration in federal office and justices on the Supreme Court that care about "anticompetitive behaviour and unfair trade practices" in the first place. I was outvoted in 2016.

    • (Score: 2) by driverless on Tuesday February 25 2020, @11:03AM


      Safari users are going to whine far more (about 81% more) loudly than users of other browsers.

      I'm not so sure in this case. The 81% whine superiority is Apple users whining about how much better their tech is than everyone else's [Source: Journal of the Bratislavan Philological Society]. In this case the tech is actually worse, so there may be much less whining, or even none at all. We'll have to wait for the study results to be published.

  • (Score: 1) by fustakrakich on Tuesday February 25 2020, @12:43AM (6 children)


    This only affects Safari.

    For now. My Netscape [Seamonkey] won't let me past expired certificates sometimes. The option to bypass it just isn't there. I had to use Chrome! The horror!

    --
    La politica e i criminali sono la stessa cosa..
    • (Score: 2) by barbara hudson on Tuesday February 25 2020, @12:57AM (2 children)

      Use links. No javascript spyware, no css badness. No social media "share with" icons, no emoticons. And you can pipe it through festival if you want to listen instead of read.
      --
      SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
      • (Score: 2) by tangomargarine on Tuesday February 25 2020, @03:36PM (1 child)


        Links is an open source text and graphic web browser with a pull-down menu system.[3] It renders complex pages, has partial HTML 4.0 support (including tables and frames[4] and support for multiple character sets such as UTF-8), supports color and monochrome terminals and allows horizontal scrolling.

        It is intended for users who want to retain many typical elements of graphical user interfaces (pop-up windows, menus etc.) in a text-only environment.

        Oh great. Because having two different text browsers named "Lynx" and "Links" couldn't possibly backfire.

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
        • (Score: 2) by barbara hudson on Wednesday February 26 2020, @02:17AM

          Links has better layout support than Lynx. But both render soylentnews in "not so great" mode.

          If all the hyperlinks were after (to the right of) the main stories, instead of half on the left and half on the right, there'd be a lot less vertical scrolling to get to the stories.

          --
          SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @09:47PM (2 children)


      At work we have a server with one expired CA .. Chrome refuses to load the page. No option to bypass. Nothing. We're dead in the water until we get a replacement.

      Internet explorer gives a warning with an option to continue. This is far more useful.

      • (Score: 1) by fustakrakich on Tuesday February 25 2020, @09:51PM (1 child)


        Set the clock back

        --
        La politica e i criminali sono la stessa cosa..
        • (Score: 2) by kazzie on Wednesday February 26 2020, @07:59AM


          Where's my Delorean?