Safari to reject HTTPS certificates with over thirteen months validity

Posted:
in General Discussion edited August 2020
Apple places a hard cap of 398 days on certificate validity lengths, hoping to bolster safer, more secure browsing.




Apple has announced that starting on September 1, Safari will reject any website that hosts an HTTPS certificate with more than 398 days of validity. Certificates issued before September 1 will not be subject to the change until the date of their next certificate renewal.

HTTPS certificates are designed to make sure that your connection to a website is safe and secure. If you visit a site with a rejected certificate, you'll see a privacy warning.

For the average user, this shift ensures that you're only interacting with sites that have the latest encryption and security standards. Keeping up with security standards is highly critical for websites that manage the health and financial information of their users.

The announcement took place at the 49th CA/Browser Forum, a voluntary consortium of certification authorities, according to The Next Web.

Certificate authorities routinely would issue certificates that were valid for up to five years but had reduced it to just over two years in 2017.
«1

Comments

  • Reply 1 of 24
    wozwozwozwoz Posts: 253member
    Alas, Safari is working with less and less web sites, especially important commercial ones ... such that I keep having to fire up Firefox. It's nice that Apple has desires to bolster this and that, but if it breaks the interwebs, it's not much use to anyone.
    MetriacanthosaurusElCapitandigitol
  • Reply 2 of 24
    crowleycrowley Posts: 10,363member
    Seems problematic, if two year certificates are continuing to be issued.

    Why make it 13 months instead of 24?
    MetriacanthosaurusElCapitandigitol
  • Reply 3 of 24
    gatorguygatorguy Posts: 23,423member
    crowley said:
    Seems problematic, if two year certificates are continuing to be issued.

    Why make it 13 months instead of 24?
    Link to discussion on this:
    https://twitter.com/near_nyan/status/1231696509634105344?s=20
  • Reply 4 of 24
    flydogflydog Posts: 1,094member
    crowley said:
    Seems problematic, if two year certificates are continuing to be issued.

    Why make it 13 months instead of 24?



    For the average user, this shift ensures that you're only interacting with sites that have the latest encryption and security standards. Keeping up with security standards is highly critical for websites that manage the health and financial information of their users.


    macgui
  • Reply 5 of 24
    So my websites and apps that use 2 year certificates purchased from Godaddy are going to be rejected by Safari starting in September?

    They have completely lost the plot at this company. Obviously some bizarre takeover occurred in the last few years where lawyers are now running software development.
    ITGUYINSD
  • Reply 6 of 24
    crowleycrowley Posts: 10,363member
    flydog said:
    crowley said:
    Seems problematic, if two year certificates are continuing to be issued.

    Why make it 13 months instead of 24?


    For the average user, this shift ensures that you're only interacting with sites that have the latest encryption and security standards. Keeping up with security standards is highly critical for websites that manage the health and financial information of their users.
    Very few of the websites I use manage my health or financial information.  This seems punitive and unnecessary for a lot of traffic.

    And again, why draw the line at 13 months instead of 24?  Is there any study that supports this being a more appropriate period for encryption and security standards?  Why not apply a policy proactively and appropriately at such times when there is a notable improvement in encryption and security standards?
    edited February 2020
  • Reply 7 of 24
    Surprised by this, but it's a good thing. LetsEncrypt is definitely transforming the industry.

    I still need to reboot my web servers once every 3 months so the new certificate is picked up on. Not sure why I haven't managed to properly automate the renewal, but I'll figure it out one day. :smile: 

    Soli
  • Reply 8 of 24
    Who in the actual fuck makes these moronic decisions inside of Apple? – Sites all over from small to massive use various validity certificates. It is not up to Apple to dictate how these sites and companies want to define their security, so in reality Apple is limiting own user base choice, or forcing their base to use less desirable browsers to do their business and browsing.

    Another issue is that companies selling certs usually offer better pricing for 2 year or more validity certs. 
  • Reply 9 of 24
    So my websites and apps that use 2 year certificates purchased from Godaddy are going to be rejected by Safari starting in September?

    They have completely lost the plot at this company. Obviously some bizarre takeover occurred in the last few years where lawyers are now running software development.
    I hope your programming skills are better than your reading skills:  "Certificates issued before September 1 will not be subject to the change until the date of their next certificate renewal."

    Soli
  • Reply 10 of 24
    Are those CA certificates or user certificates? 

    Such a move makes sense only if this is the CA certificate in question. The CA may send you a link: “download our yearly certificate here and install it on your server”. That would cost nothing and would not affect the duration of user certificates or the issuers’ selling plans.
    FileMakerFeller
  • Reply 11 of 24
    This is why i’m slowly leaving the platform. wouldn't  an “opt-out... I know what i’m doing and i wish to “risk” my security and continue” be a great option!? But Apple knows better than best! Thank goodness for FireFox, only issue is how Apple traps you in their ecosphere by easily not allowing keychain to transfer to firefox. I’m writing such utility. Source-code included. Happy to share if requested. 
    edited February 2020
  • Reply 12 of 24
    SoliSoli Posts: 10,033member
    crowley said:
    flydog said:
    crowley said:
    Seems problematic, if two year certificates are continuing to be issued.

    Why make it 13 months instead of 24?

    For the average user, this shift ensures that you're only interacting with sites that have the latest encryption and security standards. Keeping up with security standards is highly critical for websites that manage the health and financial information of their users.
    Very few of the websites I use manage my health or financial information.  This seems punitive and unnecessary for a lot of traffic.

    And again, why draw the line at 13 months instead of 24?  Is there any study that supports this being a more appropriate period for encryption and security standards?  Why not apply a policy proactively and appropriately at such times when there is a notable improvement in encryption and security standards?
    You want to know why Apple thinks that 2 years is too long but a year with a small grace period is more secure? That's the question?
    bestkeptsecret
  • Reply 13 of 24
    SoliSoli Posts: 10,033member
    ElCapitan said:
    Who in the actual fuck makes these moronic decisions inside of Apple? – Sites all over from small to massive use various validity certificates. It is not up to Apple to dictate how these sites and companies want to define their security, so in reality Apple is limiting own user base choice, or forcing their base to use less desirable browsers to do their business and browsing.

    Another issue is that companies selling certs usually offer better pricing for 2 year or more validity certs. 
    Good news! Apple isn't dictating what these companies do. They still have a choice in how they define their security, just as Apple has a choice in how they define their own security. If users don't like we have plenty of other choices.
  • Reply 14 of 24
    digitol said:
    This is why i’m slowly leaving the platform. wouldn't  an “opt-out... I know what i’m doing and i wish to “risk” my security and continue” be a great option!? But Apple knows better than best! Thank goodness for FireFox, only issue is how Apple traps you in their ecosphere by easily not allowing keychain to transfer to firefox. I’m writing such utility. Source-code included. Happy to share if requested. 

    I can't believe that Apple wouldn't provide a "Proceed Anyway" ability after warning you that the certificate is too old. Of course, you'd get it on every website that had an old cert.
  • Reply 15 of 24
    Soli said:
    ElCapitan said:
    Who in the actual fuck makes these moronic decisions inside of Apple? – Sites all over from small to massive use various validity certificates. It is not up to Apple to dictate how these sites and companies want to define their security, so in reality Apple is limiting own user base choice, or forcing their base to use less desirable browsers to do their business and browsing.

    Another issue is that companies selling certs usually offer better pricing for 2 year or more validity certs. 
    Good news! Apple isn't dictating what these companies do. They still have a choice in how they define their security, just as Apple has a choice in how they define their own security. If users don't like we have plenty of other choices.
    It is not good news. It will look terrible on them when Safari starts rejecting banking services, governmental and public service pages etc, etc, forcing people to install the malware that is Chrome. 

    It can only work if the industry as a whole agrees on such a switch, and executes it at the same time. 
  • Reply 16 of 24
    macguimacgui Posts: 2,194member
    Apple should go back to allowing 5yr certificates, and issuers of same, do the same. Who cares if sites update to use any encryption or privacy protection.

    Let Darwin rule the 'net. If you're not smart enough to avoid sites with dodgy security, that's your problem.

    Why should Apple worry about the security of uninformed Safari users at the expense of hampering war hardened 'net veterans? Let 'em look out for themselves. Let the clueless be cast out and room made for real 'net users.

    And yes, that's all /s.

    It can only work if the industry as a whole agrees on such a switch, and executes it at the same time. 
    Oh, puh-leeze. How often does that happen. TIme's up. Almost never, if ever, unless you define 'same time' as 'years'.

    I believe Apple played a large part in moving sites away from Flash. Some still use it, and I don't need them.

    Somebody's got to do something to improve security. I know– maybe we and Apple  shouldn't worry about it one byte. I'm sure if left alone, sites will get it all sorted in a timely manner, and we'll be no worse off for the wait.  (Yes, more /s.)
    Soli
  • Reply 17 of 24
    For the average user, this shift ensures that you're only interacting with sites that have the latest encryption and security standards.
    Not true. The browser and the server negotiate the protocol to be used for a session, and those are the aspects of the security apparatus that will demonstrate that the site's administrators are keeping up to date.

    To get a certificate, the user (an end user or an administrator of a service such as a web server):
    1. Generates a pair of keys (one public, one private) using a particular algorithm
    2. Submits a request to a certifying authority including the public key
    3. Waits while the CA performs any identity checks they choose to undertake
    4. Receives a certificate from the CA that has been signed to show validity

    The certificate is, in essence, approval that the pair of keys is unique and sufficiently complex to be used with current encryption protocols.

    The weak link in the chain, however, is the encryption protocol used in conjunction with the keys. Recent exploits have mostly involved controlling the negotiation between the browser and the server to use an older encryption protocol that was more easily broken into, or using a buffer overflow to retrieve sensitive information that would compromise the session. You can read a good summary here: https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/

    Renewing the certificate is insufficient to prevent such attacks, and thus does not ensure that the site is complying with the latest standards. It is a bit more likely that forcing administrators to renew certificates more frequently will encourage them to patch their servers on an appropriate schedule, but that cannot be relied upon.


    Like everyone else here, I am concerned that this move will cause pain that exceeds the intended benefit. But Apple have a significant amount of clout, and if this change to Safari results in more attention being paid to servers by qualified administrators then ultimately it's worthwhile.

    edited February 2020 muthuk_vanalingam
  • Reply 18 of 24

    Surprised by this, but it's a good thing. LetsEncrypt is definitely transforming the industry.

    I still need to reboot my web servers once every 3 months so the new certificate is picked up on. Not sure why I haven't managed to properly automate the renewal, but I'll figure it out one day. :smile: 

    This might be helpful (item 8 on the list) although it's dealing with a Windows server, not a Mac: https://bluefeathergroup.com/blog/how-to-use-lets-encrypt-ssl-certificates-with-filemaker-server-for-windows-v2-0/

    The Mac version is here: https://bluefeathergroup.com/blog/lets-encrypt-ssl-certificates-for-filemaker-server-for-mac/

    Feel free to ignore all the parts about FileMaker Server, since they don't apply to your use case.
  • Reply 19 of 24
    TomETomE Posts: 168member
    My Banking Site's Bill Pay Portal has rejected Safari for a long time.  I have to resort to Firefox or something else.  I have to jump hoops just to pay a bill now.
  • Reply 20 of 24
    macgui said:
    Apple should go back to allowing 5yr certificates, and issuers of same, do the same. Who cares if sites update to use any encryption or privacy protection.

    Let Darwin rule the 'net. If you're not smart enough to avoid sites with dodgy security, that's your problem.

    Why should Apple worry about the security of uninformed Safari users at the expense of hampering war hardened 'net veterans? Let 'em look out for themselves. Let the clueless be cast out and room made for real 'net users.

    And yes, that's all /s.

    It can only work if the industry as a whole agrees on such a switch, and executes it at the same time. 
    Oh, puh-leeze. How often does that happen. TIme's up. Almost never, if ever, unless you define 'same time' as 'years'.

    I believe Apple played a large part in moving sites away from Flash. Some still use it, and I don't need them.

    Somebody's got to do something to improve security. I know– maybe we and Apple  shouldn't worry about it one byte. I'm sure if left alone, sites will get it all sorted in a timely manner, and we'll be no worse off for the wait.  (Yes, more /s.)

    They will create another "you're holding it wrong" event for themselves. 
Sign In or Register to comment.