Mozilla Reduces SSL/TLS Certificate Validity to 398 Days
Mozilla Updates Mozilla’s Root Store Policy and Reduces SSL/TLS Certificate Lifespans
SSL is mandatory due to security reasons. It helps to encrypt all types of transactions between the client and the server. However, another thing that is often forgotten is that a good security practice is renewing that certificate’s key pairs once its validity period is over. It’s one of the reasons why all these big tech giants keep on bringing new regulations into action.
- CA’s (Certificate Authorities) like DigiCert, Sectigo, Thawte, GeoTrust.
- Big giants who developed popular Web Browsers like Apple, Google, Mozilla, and Microsoft.
One such discussion was going form quite a while was reducing the validity period of an SSL/TLS certificate to 398 days. Though everyone hadn’t made any final decision to limit the TLS certificate with one year, Apple came out with a unilateral decision this February 2020 to limit the lifespan of the official SSL/TLS certificate to only 398 days, starting this September 1, 2020.
By agreeing to it, Google and Mozilla also made a similar decision to move forward with this decision of shifting the validity period of the SSL/TLS certificate to 398 days. And, on this July 9, 2020, Mozilla even announced it about the same on their blog.
Also, it seems like the Browser won this ongoing discussion, and now the spotlight is on Microsoft, which is expected to respond soon. And, another exciting thing is that as a browser engine, this time, Microsoft is using a Chromium engine, so Microsoft will likely support the decision.
Here’s Why Mozilla Decided to Reduce SSL/TLS Certificate Validity Period to 398 Days
- SSL/TLS Certificates Lifespan Is More Than Domain Ownership
- Limited Chance of Being Exposed to Compromised Situation
Let’s look into it one by one.
Another benefit of having an SSL/TLS certificate with a validity period no more than 398 days is that it’s helpful to prevent threats that keep lingering around the entire ecosystem. And, you’re not sure what could go wrong. For example, phasing out of certificates with MD-5 took five years, or the SHA-1 signature took three years.
So, instead, it gets difficult to tackle at that given moment, it’s better to prevent it by lowering the maximum validity period of the SSL/TLS certificate. So, if anything occurs, it can be handled within a short time duration.
SSL/TLS Certificates Lifespan Is More Than Domain Ownership
However, one problem arises when the website owner sells its domain to someone else, or else the service provider is changed, as the holder of that SSL/TLS certificate’s private key can be impersonated till that SSL certificate is not expired. Some of the issues that can be experienced are like:
- If someone buys any domain that was previously owned by someone and has an active SSL/TLS certificate, then there’s a chance of MITM attack with the SSL connection of that previous SSL certificate.
- Another issue is that there’s a possibility of DoS attack on the service if its shared SSL certificate is still active, and that certificate user does not own a subject alt-name for a domain.
Limited Chance of Being Exposed to Compromised Situation
Expired SSL/TLS Certificate Is Another Major Reason
However, if it’s reduced to only one year, there will be slim chances. Because, it’ll be easier for organizations to remember that every year, they’ve to renew their certificate to keep their website safe and secure, especially companies who use OV or EV SSL/TLS certificate.
Though, one key thing to remember is that you still have plenty of time as there are some of the long-term effects that will come into effect after September 1, 2020.
What Does It Mean for End Users?
Some applications and websites will stop working as expected to be on Apple, Mozilla, and Google if the organizations behind them do not take proactive measures to renew their SSL/TLS certificate regularly to keep their services going smoothly.
What Does It Mean for Organizations?
As an organization, you’ll no longer be able to get SSL/TLS certificates for two-years validity. Failure to renew your shorter SSL/TLS certificate means errors and warning messages to website visitors and immediate negative impact on your brand and revenue.
Does It Mean We’ve to Replace Our Existing SSL/TLS Certificate of Two-Year Validity?
No. This change will only be applied to SSL/TLS certificates being issued on or after September 1, 2020. SSL/TLS certificate, which is issued previously for two years or already installed, will not be affected until it expires.
However, once it expires and after September 1, 2020, you’ll only get one option of this 398 days validity period.
What Does It Means for Website Owners Who Have SSL/TLS Certificate Installed?
A load of site administrators will increase as they’ll have to keep a closer watch on the renewal date. Because one mistake of taking it for granted and missing on renewal date means warning messages to users and further, this type of situation will arise more often.
Though Some Good News Is There Too
Though, this new validity period of only 398 days will take place on and after September 1, 2020. But you’ll still get a chance to go with a multi-year option, but with a little twist. Yes, SSL certificate providers are already offering and will be able to continue to do so. However, the renewal process will take place every year.
In other words, you can go for three- or four-years validity.
Once the 1-year validity period gets over, you’ll have to go through the renewal process without purchasing a new one. It means you’ll be allowed to purchase the same type of SSL certificate for more than one year. You can say, purchasing a bunch of certificates and keeping it for future use, when the present certificate of 1 year gets expired.
Whether you like it or not, this will mean something you’ve to face it. Keeping a validity period of a maximum of 398 days means you’ll remember that you’ve to do it every year, which will also make it easier for you to remember.