Remember when we warned in February that Apple would crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too
From Sept 1, new TLS certificates valid for more than 398 days will be snubbed
From September 1, Apple software, from Safari to macOS to iOS, will reject new HTTPS and other SSL/TLS certificates that are valid for more than 398 days, plus or minus some caveats.
If that sounds familiar, it's because we told you so in February before the iGiant even formally announced the policy. A month later, it revealed the rules with a few exceptions. For example, this policy applies to certificates issued ultimately from root CAs known to Apple's operating systems, not user or administrator-added CAs.
"Connections to TLS servers violating these new requirements will fail," Apple warned in its official note. "This might cause network and app failures and prevent websites from loading."
What this means for netizens is that websites and apps may stop working as expected on Apple gear some time after September 1, if said sites and apps renew or use new encryption certificates that last longer than 398 days. For developers and site admins, that means if you're creating or renewing certs after September 1, make sure they expire within that time limit, or they won't work as you expect in Safari, on iOS, and with other Apple software. Users may see error messages or notice connections fail and services break.
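For admins who want to check a certificate against this rule before September 1 bites, here is a small added example (not code from Apple, Chromium or the article) that applies the policy as described above: a server certificate issued on or after 2020-09-01 must have a notBefore-to-notAfter span of 398 days or less. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so it runs offline on the constructed sample dates below and can also be pointed at a live host. The sample certificates are made up for illustration, and the exact boundary handling (whether browsers count the notAfter second inclusively) is an assumption here, so aim to renew well inside the limit rather than at exactly 398 days.

```python
"""Check a TLS server certificate's lifetime against the 398-day cap (added example)."""
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Policy parameters as stated in Apple's note and the Chromium commit quoted in the article.
MAX_LIFETIME = timedelta(days=398)
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # applies to certs issued on/after this date


def _parse(cert_time: str) -> datetime:
    """Convert a getpeercert()-style timestamp ('Sep  1 00:00:00 2020 GMT') to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def validity_days(cert: dict) -> float:
    """Certificate lifetime in days, computed as notAfter minus notBefore."""
    span = _parse(cert["notAfter"]) - _parse(cert["notBefore"])
    return span.total_seconds() / 86400


def evaluate(cert: dict) -> Tuple[bool, str]:
    """Return (accepted, reason) under the one-year-max policy.

    Certificates issued before the cutoff are not subject to the cap; those issued on or
    after it are rejected when their lifetime exceeds MAX_LIFETIME. Boundary handling
    (strictly greater than 398 days) is an assumption of this example, not a spec quote.
    """
    not_before = _parse(cert["notBefore"])
    lifetime = _parse(cert["notAfter"]) - not_before
    days = lifetime.total_seconds() / 86400
    issued = f"issued {not_before:%Y-%m-%d}"
    if not_before < CUTOFF:
        return True, f"{issued}, before cutoff; {days:.0f}-day lifetime is not subject to the cap"
    if lifetime > MAX_LIFETIME:
        return False, (f"{issued}, {days:.0f}-day lifetime exceeds {MAX_LIFETIME.days} days "
                       "(Chromium would report ERR_CERT_VALIDITY_TOO_LONG)")
    return True, f"{issued}, {days:.0f}-day lifetime is within the cap"


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch a live server's leaf certificate in getpeercert() form (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample inputs (not real certificates) in the shape getpeercert() returns.
SAMPLES = {
    # Issued on the cutoff day, exactly 398 days long: still accepted.
    "exactly_398": {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  4 00:00:00 2021 GMT"},
    # Issued on the cutoff day with a two-year lifetime: rejected.
    "two_years_after_cutoff": {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Sep  1 00:00:00 2022 GMT"},
    # Issued the day before the cutoff with a two-year lifetime: grandfathered in.
    "two_years_before_cutoff": {"notBefore": "Aug 31 00:00:00 2020 GMT", "notAfter": "Aug 31 00:00:00 2022 GMT"},
}


if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        ok, reason = evaluate(cert)
        print(f"{name:25s} {'OK    ' if ok else 'REJECT'} {reason}")
    # Optional live check: python check_lifetime.py example.com
    if len(sys.argv) > 1:
        ok, reason = evaluate(fetch_peer_cert(sys.argv[1]))
        print(f"{sys.argv[1]:25s} {'OK    ' if ok else 'REJECT'} {reason}")
```

Run it with no arguments to see the three constructed cases, or pass a hostname to pull and evaluate a real leaf certificate. Note that this only checks the lifetime rule; it says nothing about whether the issuing root is one Apple ships, which the article notes is the other condition for the policy to apply.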
Apple reckons this policy ensures websites and apps refresh their certs once a year, thus encouraging them to use the latest cryptographic standards, and ensures stolen certs cannot be used for long-running phishing campaigns and other shenanigans as they'll expire soon enough.
Critics, particularly commercial certificate sellers, say it burdens software makers and site owners with extra costs and hassle, and will drive folks to free services, such as Let's Encrypt – which, incidentally, offers tools to regularly and automatically renew certificates at no cost.
In any case, Google's Chrome is set to follow suit, judging by this commit to the Chromium browser engine source code last week:
Enforce publicly trusted TLS server certificates have a lifetime of 398 days or less, if they are issued on or after 2020-09-01. Certificates that violate this will be rejected with ERR_CERT_VALIDITY_TOO_LONG and will be treated as misissued.
And Mozilla is preparing to adopt the policy in its Firefox browser. Moz program manager Kathleen Wilson said in March she would have preferred broad industry consensus in favor of the policy before committing to it, though noted: "However, the ball is already rolling."
Mozilla and other tech giants previously lobbied the CA/Browser Forum – a collective of certificate issuers and browser makers – for shorter cert lifetimes. After those proposals were shot down in a vote, Apple went ahead anyway with a one-year-max policy and bypassed the industry forum, a move backed by the Chromium team. Spokespeople for Mozilla and Google were not available for further comment.
Now all eyes are on Microsoft, which is expected to make a decision on the issue by the fall. Bear in mind, though, that its Edge browser uses Chromium as its engine, so it is likely to inherit the check regardless.
Suffice to say, certificate sellers were irritated by the change. "The unilateral decision of Apple, against the results of the ballot, makes the CA/B Forum a little bit useless, from our point of view," sniffed Spanish cert biz Firmaprofesional.
Telia added: "We can manage with the changes but we think that it is an unnecessary burden to our community and we should give more time to them to build their SSL automation, perhaps two more years." ®