Industry body the CA/Browser Forum is considering a move to cut HTTPS certificate lifetime by half. First brought forward by Google’s Ryan Sleevi earlier this year, the plan would see certificates’ lifetime reduced from 27 to 13 months, according to an article on tech news site The Register.
It is by no means confirmed yet: The plan is still at a draft stage and there is no confirmation of when a vote will take place. The same idea was voted down back in 2017 when the CA/Browser Forum considered reducing lifespans from 39 to 13 months.
But in 2018, maximum certificate lifetime was cut from 39 months to 27 months, so this latest move isn’t such a huge jump.
So, is the new plan a good thing? Most people would say yes.
HTTPS certificates are essential to security because they encrypt the connection between the browser and the site and help ensure that no one is able to intervene or snoop.
Today, if a certificate is compromised for a site, an attacker could potentially perform a “man in the middle” attack to view, and possibly alter, traffic between the user and server for the remainder of the certificate lifespan, says security researcher Sean Wright.
Therefore, if a certificate is compromised, it could currently be used for malicious purposes for up to 27 months. “This is a significant amount of time,” says Wright. “By having shorter lived certificates, it reduces the window in which an adversary can use the compromised certificate to pull off attacks.”
Up to date cryptography and hashing
If certificate validity lifetime is reduced, it will also force websites to use the most up-to-date cryptography and hashing. This will give them a security boost as hackers become more sophisticated. At the same time, it would help to reduce fraud because stolen certificates would go out of date and become useless a year sooner.
Given that there is currently no effective means for certificate revocation, shorter lived certificates are “the best solution we currently have at our disposal,” Wright says.
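The two points above, the exposure window left to an attacker after a compromise and the maximum lifetime a policy allows, can be turned into a check a defender runs over their own certificate inventory. The Python below is an added example, not code from the article, from Wright or from the CA/Browser Forum. It uses only the standard library and assumes certificate records in the dict shape returned by `ssl.SSLSocket.getpeercert()`; the sample certificates are constructed, and the day counts 825 and 397 are this example's approximation of the article's 27- and 13-month figures, not the ballot text.

```python
import ssl
from datetime import datetime, timezone

# Policy caps as day counts. The article gives them in months (27 today,
# 13 proposed); these day figures are this example's approximation.
CURRENT_MAX_DAYS = 825   # ~27 months
PROPOSED_MAX_DAYS = 397  # ~13 months

SECONDS_PER_DAY = 86400

# Constructed sample records in the shape ssl's getpeercert() returns;
# only the fields this check reads are included.
LONG_LIVED_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "notBefore": "Mar 10 00:00:00 2019 GMT",
    "notAfter": "Jun 10 00:00:00 2021 GMT",
}
SHORT_LIVED_CERT = {
    "subject": ((("commonName", "blog.example"),),),
    "notBefore": "Jan 01 00:00:00 2020 GMT",
    "notAfter": "Mar 31 00:00:00 2020 GMT",
}


def utc_epoch(year, month, day):
    """Epoch seconds for midnight UTC on the given date (audit timestamp)."""
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


def lifetime_days(cert):
    """Total validity period, notBefore to notAfter, in days."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / SECONDS_PER_DAY


def exposure_window_days(cert, at):
    """Days a key compromised at time `at` (epoch seconds) stays usable.

    With revocation treated as ineffective, the attacker keeps the
    certificate until notAfter; an already-expired certificate gives 0.
    """
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return max(0.0, (end - at) / SECONDS_PER_DAY)


def check_lifetime_policy(cert, max_days, now):
    """Evaluate one certificate against a maximum-lifetime policy."""
    days = lifetime_days(cert)
    return {
        "subject": cert["subject"][0][0][1],
        "lifetime_days": days,
        "exceeds_policy": days > max_days,
        "exposure_if_compromised_now_days": exposure_window_days(cert, now),
    }


def audit(certs, max_days, now):
    """Return the policy-check results for every certificate that violates
    the cap, so the caller sees which ones would need reissuing."""
    violations = []
    for cert in certs:
        result = check_lifetime_policy(cert, max_days, now)
        if result["exceeds_policy"]:
            violations.append(result)
    return violations


if __name__ == "__main__":
    now = utc_epoch(2020, 1, 1)
    inventory = [LONG_LIVED_CERT, SHORT_LIVED_CERT]
    for label, cap in (("current", CURRENT_MAX_DAYS), ("proposed", PROPOSED_MAX_DAYS)):
        print(f"--- {label} cap: {cap} days ---")
        for cert in inventory:
            r = check_lifetime_policy(cert, cap, now)
            flag = "VIOLATES" if r["exceeds_policy"] else "ok"
            print(f"{r['subject']:14} lifetime={r['lifetime_days']:6.1f}d "
                  f"exposure_if_compromised_now={r['exposure_if_compromised_now_days']:6.1f}d {flag}")
```

Running it with the constructed inventory shows the 823-day certificate passing the current cap but failing the proposed one, while the 90-day certificate passes both; the exposure column makes the article's argument concrete, since a compromise on the audit date leaves the long-lived key usable for well over a year.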
But some people aren’t happy with a move to reduce the amount of time a TLS/SSL certificate is valid, namely the certificate authorities. It comes at a time of increasing popularity of services such as Let’s Encrypt, which offers free 90 day HTTPS certificates, putting pressure on certificate authorities offering paid-for certificates.