Website security certificates are what allow you to browse securely on, for example, your bank’s website. They are what is behind the “s” in HTTPS:// and the padlock icon you used to see in your browser.
Years ago, website operators used to be able to buy a certificate that lasted for 10 years. It turned out that wasn’t smart: certificates get compromised for a number of reasons, and if a compromised certificate is still valid for another nine and a half years, the hackers can do a lot of damage by pretending to be you.
The theory was that there was a protocol to identify revoked certificates, the certificate revocation list or CRL, but the reality is that it never lived up to users’ expectations.
A few years ago the CA/B Forum, which is made up of all of the large browser makers and certificate authorities, reduced the maximum allowed lifetime to 3 years. From that point, if a website “presented” a certificate to a user’s browser whose expiry date was more than three years in the future, the user’s browser would not display the web page.
Apple and Google have been the two browser makers pushing on this. Safari and Chrome make up most of the market, and if either of them adopts a rule, websites have to comply or risk being invisible to hundreds of millions of users.
More recently, the maximum time allowed was reduced to one year, but even with this shorter time frame, a hacker can do a lot of damage.
Given that CRLs are, in my opinion and the opinion of a lot of people who are smarter than me, terminally broken and unfixable, Apple and Google are saying enough is enough.
Apple has proposed a 45 day lifetime for certificates and that is expected to come up for a vote soon. Google, a little while back, proposed 90 days.
Some businesses are going crazy over this because, at a larger company, they MANUALLY update thousands of certificates. The reality is that doing this manually is crazy.
There are automated techniques that allow your website to renew its certificate by itself with no intervention, and the most well known one, Let’s Encrypt, is even free, since Let’s Encrypt is a non-profit supported by the industry.
Of course, the people who SELL certificates aren’t thrilled by this because their revenue stream will disappear if you opt for the free certificate, which millions of companies have done. There are some odd cases where those free certificates won’t work, but they are, as I said, odd.
Whether it is Apple’s 45-day proposal or Google’s 90-day one that comes up for a vote, one of these will become the next standard, and if you are NOT automating this, you need to get in front of it before your website goes down. Every now and again I see a BIG company website go down because of an expired certificate. You don’t want to join that crowd.
If you need help automating this, please contact us; it is pretty simple.
Credit: Helpnet Security