Google wants to reduce lifespan for HTTPS certificates to one year


Close-up of a browser window showing lock icon during SSL connection

Getty Images/iStockphoto

Google wants to reduce the lifespan of SSL certificates (used to secure HTTPS encrypted traffic) from the current two years to just over a year.

The proposal was made by Ryan Sleevi, Google’s representative, at a F2F meeting of the CA/B Forum in Thessaloniki, Greece, in June.

The CA/B Forum is an unofficial industry group made up of certificate authorities (CAs; companies that issue SSL certificates) and browser makers.

No vote has been held yet

Per Sleevi’s proposal, starting with March 2020, the lifespan of all newly issued SSL certificates would become 397 days (roughly a year and a month) instead of the current 825 days (about two years and three months).

No vote was held on the proposal; however, most browser vendors expressed their support for the new SSL certificate lifespan.

On the other side, certificate authorities were not too happy, to say the least. In the last decade and a half, browser makers have chipped away at the lifespan of SSL certificates, cutting it down from eight years to five, then to three, and then to two.

The last change occured in March 2018, when browser makers tried to reduce SSL certificate lifespans from three years to one, but compromised for two years after pushback from certificate authorities.

Now, barely two years later after the last change, certificate authorities feel bullied by browser makers into accepting their original plan, regardless of the 2018 vote.

DigiCert pushes back

Timothy Hollebeek, DigiCert’s representative at the CA/B Forum, has recently penned a blog post expressing the company’s position on the new proposal, which, unsurprisingly, is not in favor with Google’s plan.

“So what is the proposed security benefit that justifies this cost? It is far from clear that there is any at all,” Hollebeek said.

“This change has absolutely no effect on malicious websites, which operate for very short time periods, from a few days to a week or two at most. After that, the domain has been added to various blacklists, and the attacker moves on to a new domain and acquires new certificates.”

The DigiCert exec explains that, instead, this change to a shorter SSL certificate lifespan would create more costs for their customers (the users/buyers of SSL certs), which now have to allocate more human resources to keeping SSL certificates up to date or performining maintenance updates when one expires.

Furthermore, Hollebeek also argues that “shorter lifetime certificates allow quicker transitions when the compliance rules change” is also not a good reason because standards shouldn’t change so often in the first place.

The “SSL revocation” problem

But in a Twitter thread reacting to Hollebeck’s blog post, security researcher Scott Helme argues that the security benefits of shorter SSL certificate lifespans have nothing to do with phishing or malware sites, but instead with the SSL certificate revocation process.

Helme claims that this process is broken and that bad SSL certificates continue to live on for years after being mississued and revoked — hence the reason he argued way back in early 2018 that a shorter lifespan for SSL certificates would fix this problem because bad SSL certs would be phased out faster.

Sectigo (formerly Comodo), the biggest certificate authority on the market, has taken a more positive tone to the change, compared to DigiCert’s more aggresive contrarian stance. The company took the opportunity of the potential change to highlight its tools for automating SSL certificate renewals, instead of getting into a public fight with browser makers.

Browsers make rules

And this fight between CAs and browser makers has been happening in the shadows for years. As HashedOut, a blog dedicated to HTTPS-related news, points out, this proposal is much more about proving who controls the HTTPS landscape than everything.

“If the CAs vote this measure down, there’s a chance the browsers could act unilaterally and just force the change anyway,” HashedOut said. “That’s not without precendent, but it’s also never happened on an issue that is traditionally as collegial as this.

“If it does, it becomes fair to ask what the point of the CA/B Forum even is. Because at that point the browsers would basically be ruling by decree and the entire exercise would just be a farce.”

In the meantime, DigiCert is running an anonymous survey among its customers to see how a shortened one-year SSL certificate lifespan would impact their activity. If customers complain — and you can be sure about that — then DigiCert will most likely use the survey results to push against Google’s proposal.

Related cybersecurity coverage:

About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

E-Crypto News Executive Interviews

Automated trading with HaasBot Crypto Trading Bots

Crypto Scams

Millions in Cryptocurrency Stolen by Scammers in the Last Month According to Tenable Research
November 24, 2021
Behind The Scenes: How this Crypto Community Responded to + $50m Hack
October 18, 2021
Crypto Scams
Crypto Scams Still Persistent In 2021, SEC Warns About Red Flags To Watch
September 9, 2021
Poly Network
Here’s How Hackers Stole Over $600 million in the Poly Network Attack
August 12, 2021
The World’s Most Infamous Crypto Hacks and Scams
July 31, 2021

Blockchain/Cryptocurrency Questions and Answers

Crypto casinos
How Does Bitcoin Casino Work + 2021 Beginner’s Guide
November 8, 2021
How to Buy and Sell Cryptocurrency
November 8, 2021
What Are Bitcoin Futures And How Will They Work In 2022?
November 4, 2021
The Unconventional Guide to Ethereum
October 28, 2021
ICo Presale
The Science Behind ICO Presales…
October 14, 2021

CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin48,125 1.93 % 2.36 % 15.92 %
Ethereum4,043.0 1.71 % 2.98 % 5.76 %
Binance Coin555.73 0.83 % 2.80 % 9.11 %
Tether0.9986 0.03 % 0.08 % 0.23 %
Solana182.68 2.57 % 7.46 % 8.87 %
Cardano1.310 2.16 % 4.66 % 18.01 %
USD Coin1.000 0.14 % 0.20 % 0.17 %
XRP0.7722 2.42 % 7.36 % 20.13 %
Polkadot30.87 2.19 % 17.29 % 10.73 %
Terra64.18 1.19 % 12.48 % 28.44 %

Bitcoin (BTC) $ 47,754.00
Ethereum (ETH) $ 3,996.16
Binance Coin (BNB) $ 551.09
Tether (USDT) $ 0.98997
Solana (SOL) $ 182.32
Cardano (ADA) $ 1.30
USD Coin (USDC) $ 0.990865
XRP (XRP) $ 0.77179
Polkadot (DOT) $ 26.20
Terra (LUNA) $ 62.64