
Mozilla Reduces SSL/TLS Certificate Validity to 398 Days

Mozilla Updates Its Root Store Policy and Reduces SSL/TLS Certificate Lifespans

Nowadays, there is no escape from an SSL/TLS certificate. If you have a website, you need an SSL certificate; otherwise your visitors will see a “Not Secure” warning. At worst, your website may even stop loading in popular browsers like Google Chrome or Mozilla Firefox.

SSL is mandatory for security reasons: it encrypts traffic of every kind between the client and the server. What is often forgotten is that good security practice also means renewing the certificate’s key pair once its validity period is over. That is one of the reasons the big tech companies keep bringing new rules into force.

Back in 2005, the CA/B Forum set the rules for how SSL/TLS certificates must be issued, managed, and validated. The CA/B Forum is a voluntary organization made up of two separate groups:
  • CAs (Certificate Authorities) such as DigiCert, Sectigo, Thawte, and GeoTrust.
  • The big companies that develop popular web browsers: Apple, Google, Mozilla, and Microsoft.
Browsers and CAs discuss and vote on proposed rules until a result is reached. Once everyone is on the same page, all members apply the finalized rule.

One discussion that had been going on for quite a while was reducing the validity period of an SSL/TLS certificate to 398 days. Although no final decision had been made to limit TLS certificates to one year, Apple unilaterally decided in February 2020 to limit the lifespan of publicly trusted SSL/TLS certificates to only 398 days, starting September 1, 2020.

Google and Mozilla agreed and made a similar decision to move the maximum validity period of SSL/TLS certificates to 398 days. On July 9, 2020, Mozilla announced the change on its blog.

So it seems the browsers have won this long-running discussion, and now the spotlight is on Microsoft, which is expected to respond soon. Since Microsoft’s browser now uses the Chromium engine, Microsoft will likely support the decision too.

Here’s Why Mozilla Decided to Reduce SSL/TLS Certificate Validity Period to 398 Days

According to Mozilla, the top three reasons for updating the Mozilla Root Store Policy to reduce the maximum validity period of SSL/TLS certificates from the previous 825 days to 398 days are:
  • Agility
  • SSL/TLS Certificate Lifespan Is Longer Than Domain Ownership
  • Limited Chance of Exposure to a Compromised Key

Let’s look into it one by one.

Agility

“Certificates with lifetimes longer than 398 days delay responding to major incidents and upgrading to more secure technology.” That is quite right; it happens. Revoking an SSL certificate is not as easy as it seems. Expiration and renewal is the easiest way to replace an obsolete SSL/TLS certificate, because it is already scheduled for every certificate.

Another benefit of capping the validity period at 398 days is that it helps clear out threats that keep lingering in the ecosystem, and you never know what could go wrong. For example, phasing out certificates signed with MD5 took five years, and phasing out SHA-1 signatures took three years.

Rather than struggling to tackle such a problem at the moment it arises, it is better to lower the maximum validity period in advance, so that if anything occurs it can be handled within a short time.

SSL/TLS Certificate Lifespan Is Longer Than Domain Ownership

Whenever you send information to a website that has an SSL certificate installed, you can be assured that the data goes to the intended server and not to any other.

However, a problem arises when the website owner sells the domain to someone else or changes service provider: whoever holds the private key of that SSL/TLS certificate can still impersonate the site until the certificate expires. Some of the issues that can arise are:

  • If someone buys a domain that was previously owned by someone else and still has an active SSL/TLS certificate, there is a chance of a MITM attack against SSL connections using that previous certificate.
  • Another issue is the possibility of a DoS attack on the service when a shared SSL certificate is still active but the certificate holder no longer controls one of the domains listed as a subject alternative name.

Limited Chance of Exposure to a Compromised Key

One scary situation is losing the private key. In the same way, a longer validity period is itself a threat, because the longer a key is valid, the more chances there are for it to be compromised. This is often overlooked, but it should be taken seriously: we should limit the time during which a private key can be compromised or misplaced, and a shorter validity period is one way to do that. If the certificate validity period is one year, it has to be renewed every year, and renewing the certificate means a new private key.

Expired SSL/TLS Certificate Is Another Major Reason

If the validity period is longer, there are higher chances of outages. It happens even to prominent organizations: they forget to renew their SSL/TLS certificate, the website shows up as not secure, and the company loses out in many other ways as well.

If the period is reduced to one year, the chances are slimmer, because it is easier for organizations to remember that the certificate must be renewed every year to keep the website secure, especially companies that use OV or EV SSL/TLS certificates.

One key thing to remember is that you still have plenty of time, as some of the long-term effects only apply after September 1, 2020.

FAQs

What Does It Mean for End Users?

Some applications and websites will stop working as expected on Apple, Mozilla, and Google platforms if the organizations behind them do not proactively renew their SSL/TLS certificates regularly to keep their services running smoothly.

What Does It Mean for Organizations?

As an organization, you will no longer be able to get SSL/TLS certificates with two-year validity. Failing to renew your shorter-lived certificate means errors and warning messages for website visitors and an immediate negative impact on your brand and revenue.

Does It Mean We Have to Replace Our Existing SSL/TLS Certificate of Two-Year Validity?

No. This change applies only to SSL/TLS certificates issued on or after September 1, 2020. A certificate issued earlier for two years, or already installed, will not be affected until it expires.

However, once it expires after September 1, 2020, your only option will be the 398-day validity period.

What Does It Mean for Website Owners Who Have an SSL/TLS Certificate Installed?

The load on site administrators will increase, as they will have to keep a closer watch on the renewal date. One mistake of taking it for granted and missing the renewal date means warning messages for users, and with yearly renewal this situation will arise more often.
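The renewal watch described above, together with the 398-day cap and the September 1, 2020 cutoff from earlier sections, can be scripted. The following is an added example, not code from this article or from Mozilla: it evaluates certificates in the dictionary shape Python’s ssl getpeercert() returns, using constructed sample certificates; the 30-day warning threshold is an assumed operational choice, not part of the policy.

```python
import socket
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 398                                    # cap in Mozilla's updated Root Store Policy
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)   # applies to certs issued on or after this date
RENEWAL_WARNING_DAYS = 30                                  # assumed ops threshold, not part of the policy


def _parse(cert_time: str) -> datetime:
    """Turn a getpeercert() time string ('Sep  2 00:00:00 2020 GMT') into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def assess_certificate(cert: dict, now: datetime) -> dict:
    """Check one certificate (dict shape returned by ssl) against the 398-day cap and report expiry status."""
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    validity_days = (not_after - not_before).days
    days_left = (not_after - now).days
    return {
        "validity_days": validity_days,
        # Certificates issued before the cutoff keep their original (up to 825-day) lifetime.
        "exceeds_cap": not_before >= POLICY_START and validity_days > MAX_VALIDITY_DAYS,
        "days_left": days_left,
        "expired": days_left < 0,
        "renew_soon": 0 <= days_left <= RENEWAL_WARNING_DAYS,
    }


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live variant: fetch the leaf certificate a server presents, in the same dict shape."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not from any real server): an 825-day cert issued before the
# cutoff, an 825-day cert issued after it, and a 398-day cert that is close to expiry.
SAMPLES = {
    "legacy-825": {"notBefore": "Jul  1 00:00:00 2020 GMT", "notAfter": "Oct  4 00:00:00 2022 GMT"},
    "noncompliant-825": {"notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Dec  6 00:00:00 2022 GMT"},
    "compliant-398": {"notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Oct  5 00:00:00 2021 GMT"},
}
SAMPLE_NOW = datetime(2021, 9, 20, tzinfo=timezone.utc)    # constructed clock for the samples


def assess_samples(now: datetime = SAMPLE_NOW) -> dict:
    """Run the policy check over every sample; returns {name: result}."""
    return {name: assess_certificate(cert, now) for name, cert in SAMPLES.items()}
```

For a real host, pass the result of fetch_peer_cert(host) and the current UTC time to assess_certificate; a cert flagged renew_soon is the one that needs the renewal ticket opened now.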

Though There Is Some Good News Too

Although the new 398-day validity period takes effect on and after September 1, 2020, you will still be able to choose a multi-year option, with a small twist. SSL certificate providers already offer multi-year plans and will continue to do so; however, the certificate itself will have to go through the renewal process every year.

In other words, you can still go for three or four years of validity.

Once the one-year validity period is over, you go through the renewal process without purchasing a new certificate. In effect, you are allowed to purchase the same type of SSL certificate for more than one year up front, like buying a bunch of certificates and keeping them for future use, to be issued whenever the current one-year certificate expires.

Summary

Reducing the maximum validity period from 825 days to 398 days may not please everyone, but security should not be taken for granted. Many famous companies, such as LinkedIn, have already been through this: they forgot to renew their SSL/TLS certificate, which resulted in a warning message, even if only for a minute, a day, or a week. If the organization is big and trusted, especially one relying on OV or EV SSL/TLS certificates, the consequences can be severe, and it can take a lot of time and effort to bring everything back to normal.

Whether you like it or not, this is something you will have to face. A maximum validity period of 398 days means you renew every year, which also makes it easier to remember.
