Google wants to reduce the lifespan of SSL certificates (used to secure HTTPS encrypted traffic) from the current two years to just over a year.
The proposal was made by Ryan Sleevi, Google’s representative, at a F2F meeting of the CA/B Forum in Thessaloniki, Greece, in June.
The CA/B Forum is an unofficial industry group made up of certificate authorities (CAs; companies that issue SSL certificates) and browser makers.
No vote has been held yet
Per Sleevi’s proposal, starting with March 2020, the lifespan of all newly issued SSL certificates would become 397 days (roughly a year and a month) instead of the current 825 days (about two years and three months).
No vote was held on the proposal; however, most browser vendors expressed their support for the new SSL certificate lifespan.
On the other side, certificate authorities were not too happy, to say the least. In the last decade and a half, browser makers have chipped away at the lifespan of SSL certificates, cutting it down from eight years to five, then to three, and then to two.
The last change occured in March 2018, when browser makers tried to reduce SSL certificate lifespans from three years to one, but compromised for two years after pushback from certificate authorities.
Now, barely two years later after the last change, certificate authorities feel bullied by browser makers into accepting their original plan, regardless of the 2018 vote.
DigiCert pushes back
Timothy Hollebeek, DigiCert’s representative at the CA/B Forum, has recently penned a blog post expressing the company’s position on the new proposal, which, unsurprisingly, is not in favor with Google’s plan.
“So what is the proposed security benefit that justifies this cost? It is far from clear that there is any at all,” Hollebeek said.
“This change has absolutely no effect on malicious websites, which operate for very short time periods, from a few days to a week or two at most. After that, the domain has been added to various blacklists, and the attacker moves on to a new domain and acquires new certificates.”
The DigiCert exec explains that, instead, this change to a shorter SSL certificate lifespan would create more costs for their customers (the users/buyers of SSL certs), which now have to allocate more human resources to keeping SSL certificates up to date or performining maintenance updates when one expires.
Furthermore, Hollebeek also argues that “shorter lifetime certificates allow quicker transitions when the compliance rules change” is also not a good reason because standards shouldn’t change so often in the first place.
The “SSL revocation” problem
But in a Twitter thread reacting to Hollebeck’s blog post, security researcher Scott Helme argues that the security benefits of shorter SSL certificate lifespans have nothing to do with phishing or malware sites, but instead with the SSL certificate revocation process.
Helme claims that this process is broken and that bad SSL certificates continue to live on for years after being mississued and revoked — hence the reason he argued way back in early 2018 that a shorter lifespan for SSL certificates would fix this problem because bad SSL certs would be phased out faster.
Sectigo (formerly Comodo), the biggest certificate authority on the market, has taken a more positive tone to the change, compared to DigiCert’s more aggresive contrarian stance. The company took the opportunity of the potential change to highlight its tools for automating SSL certificate renewals, instead of getting into a public fight with browser makers.
Browsers make rules
And this fight between CAs and browser makers has been happening in the shadows for years. As HashedOut, a blog dedicated to HTTPS-related news, points out, this proposal is much more about proving who controls the HTTPS landscape than everything.
“If the CAs vote this measure down, there’s a chance the browsers could act unilaterally and just force the change anyway,” HashedOut said. “That’s not without precendent, but it’s also never happened on an issue that is traditionally as collegial as this.
“If it does, it becomes fair to ask what the point of the CA/B Forum even is. Because at that point the browsers would basically be ruling by decree and the entire exercise would just be a farce.”
In the meantime, DigiCert is running an anonymous survey among its customers to see how a shortened one-year SSL certificate lifespan would impact their activity. If customers complain — and you can be sure about that — then DigiCert will most likely use the survey results to push against Google’s proposal.