SoylentNews is people
SoylentNews
from the honestly,-it's-for-your-own-good... dept.
Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. That means websites using long-life SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple's browser.
The policy was unveiled by the iGiant at a Certification Authority Browser Forum (CA/Browser) meeting on Wednesday. Specifically, according to those present at the confab, from September 1, any new website cert valid for more than 398 days will not be trusted by the Safari browser and instead rejected. Older certs, issued prior to the deadline, are unaffected by this rule.
By implementing the policy in Safari, Apple will, by extension, enforce it on all iOS and macOS devices. This will put pressure on website admins and developers to make sure their certs meet Apple's requirements – or risk breaking pages on a billion-plus devices and computers.
[...] Shortening the lifespan of certificates does come with some drawbacks. It has been noted that by increasing the frequency of certificate replacements, Apple and others are also making life a little more complicated for site owners and businesses that have to manage the certificates and compliance.
"Companies need to look to automation to assist with certificate deployment, renewal, and lifecycle management to reduce human overhead and the risk of error as the frequency of certificate replacement increase," Callan told us.
We note Let's Encrypt issues free HTTPS certificates that expire after 90 days, and provides tools to automate renewals, so those will be just fine – and they are used all over the web now. El Reg's cert is a year-long affair so we'll be OK.
GitHub.com uses a two-year certificate, which would fall foul of Apple's rules though it was issued before the cut-off deadline. However, it is due to be renewed by June, so there's plenty of opportunity to sort that out. Apple's website has a year-long HTTPS cert that needs renewing in October.
Microsoft is an interesting one: its dot-com's cert is a two-year affair, which expires in October. If Redmond renews it for another two years, it'll trip up over Safari's policy.
(Score: 2) by Bot on Monday February 24 2020, @08:42PM (1 child)
How many certs were brute-forced last year, among those with recent encryption schemes?
So, what is apple wanting to prevent?
We were pushed to https because the browsers happily execute code from wherever. But https everywhere is a monoculture, and if something were to happen to them (or to their ability to work with you) you are at the mercy of the certificate vendors, those that charge you for numbers a 20 year old PC can churn out no probs.
It is our fault. We submitted to apple, microsoft, android phones, and this is one of our prizes.
We should not let corporations eat away at our infrastructure. With the help of legislators.
There are technical means to certify a page as coming from an entity? I guess so. They are inconvenient? I guess so. Still better than digging your own grave by giving money to entities that get to control your infrastructure.
Account abandoned.
(Score: 1, Interesting) by Anonymous Coward on Monday February 24 2020, @09:34PM
No one (well maybe except the NSA with weak 512 bit RSA certs) brute forces certs. The private keys are extracted after a system is hacked or otherwise compromised (eg. Heartbleed). Or a cert is issued to a rogue actor after a fake application is made. Or a cert authority accidentally leaks private keys (eg. Trustico - yeah this was a major security fail 101).
If this happens on hugely long keys, the revocation lists are forced to grow, and in many cases, revocation lists are not properly maintained, distributed, or available to the browser when required. Expiration is the best way to make sure a cert is no longer useful to a rogue actor.