Apple has announced that it will boost Safari security for secure websites from September 1st. From that date, the browser will reject newly issued HTTPS certificates that are valid for longer than 13 months.
While this is a technical-sounding change, it should provide greater protection against two separate risks …
HTTPS is a secure version of the standard web protocol HTTP. It means that communication between the user and the server is encrypted in both directions, that the server has proved its identity, and that data cannot be altered in transit without the browser noticing.
HTTPS protects against so-called ‘man in the middle’ attacks, where someone creates a WiFi hotspot with an innocent-sounding name and then captures all the traffic going through it. With ordinary HTTP, all of the content – including usernames and passwords – would be in plain text, and the attacker could also rewrite pages on the way through. With HTTPS, all the attacker would get is gibberish, and they cannot impersonate the site without a certificate the browser trusts.
For a browser to connect to an HTTPS website, it checks that the site presents a valid security certificate. This is a signed statement from a certificate authority (CA) that, at the time of issue, the CA verified that whoever holds a particular cryptographic key controls that domain name. The certificate says nothing about the quality of the site itself; it ties the site’s identity to the key used to set up the encrypted connection.
A certificate only records what the CA checked on the day it was issued, so the longer it stays valid, the longer any outdated information (a domain that has since changed hands, a lapsed validation, a weakness in the CA’s practices at the time) continues to be trusted. There is also the danger that the private key behind a certificate is stolen, or that a certificate is issued to the wrong party; revocation is unreliable in practice, so reducing the time the certificate is valid also caps how long such a certificate can be abused.
Apple’s announcement to boost Safari security
Safari used to accept certificates valid for up to 825 days. As TNW reports, the company says that any certificate issued on or after 1st September 2020 with a validity period longer than 398 days – 13 months – will be rejected. This means Safari will show a certificate error and advise against connecting to the site. Certificates issued before that date are not affected.
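To make the rule concrete, here is a small Python script (an added example, not part of the original report or of Apple’s software) that pulls the notBefore and notAfter dates out of a DER or PEM certificate with a minimal ASN.1 walker and applies the 398-day limit to certificates issued on or after 1 September 2020, with the older 825-day limit for everything before. The fixture certificates it checks are constructed skeletons built inside the script (unsigned, with empty issuer and algorithm fields), so it runs offline; the same parser works on the real certificates a site serves. Day counting follows Apple’s stated convention that a day is 86,400 seconds and any remainder counts as an extra day.

```python
import base64
import datetime as dt
import math

MAX_VALIDITY_DAYS = 398       # Apple's new limit (13 months)
OLD_MAX_VALIDITY_DAYS = 825   # limit Safari applied before the change
POLICY_START = dt.datetime(2020, 9, 1, tzinfo=dt.timezone.utc)  # rule applies to certs issued from here


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode an X.509 UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    s = value.decode("ascii")
    if tag == 0x17:                           # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:                         # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def validity_from_der(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 Certificate."""
    _, cert, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)            # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)           # [0] EXPLICIT version, optional
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)       # serialNumber INTEGER (only if version was present)
    _, _, pos = _read_tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)           # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)      # validity ::= SEQUENCE { notBefore, notAfter }
    t1, v1, p = _read_tlv(validity, 0)
    t2, v2, _ = _read_tlv(validity, p)
    return _parse_time(t1, v1), _parse_time(t2, v2)


def validity_from_pem(pem):
    """Strip the PEM armour and hand the DER body to validity_from_der."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return validity_from_der(base64.b64decode(body))


def validity_days(not_before, not_after):
    """Validity period in days, a day being 86,400 s; any remainder counts as a further day."""
    return math.ceil((not_after - not_before).total_seconds() / 86400)


def safari_accepts(not_before, not_after):
    """Apply the lifetime rule: 398 days for certificates issued on/after POLICY_START, else 825."""
    limit = MAX_VALIDITY_DAYS if not_before >= POLICY_START else OLD_MAX_VALIDITY_DAYS
    return validity_days(not_before, not_after) <= limit


# --- constructed fixture (not a real certificate: unsigned, placeholder issuer/algorithm) ---

def _tlv(tag, body):
    """Minimal DER encoder for the fixture."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    elif len(body) < 0x100:
        length = b"\x81" + bytes([len(body)])
    else:
        length = b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body


def sample_cert_pem(not_before, not_after):
    """Build a skeletal PEM certificate whose fields up to 'validity' are laid out as in a real one."""
    tbs = (
        _tlv(0xA0, _tlv(0x02, b"\x02"))                      # [0] version v3
        + _tlv(0x02, b"\x01")                                # serialNumber 1
        + _tlv(0x30, b"")                                    # signature AlgorithmIdentifier (placeholder)
        + _tlv(0x30, b"")                                    # issuer Name (placeholder)
        + _tlv(0x30, _tlv(0x17, not_before.strftime("%y%m%d%H%M%SZ").encode())
                     + _tlv(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode()))  # validity
    )
    der = _tlv(0x30, _tlv(0x30, tbs))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


def check_sample(issued, days):
    """Build a fixture issued on 'issued' (YYYY-MM-DD) valid for 'days' days and return (days, accepted)."""
    nb = dt.datetime.strptime(issued, "%Y-%m-%d").replace(tzinfo=dt.timezone.utc)
    b, a = validity_from_pem(sample_cert_pem(nb, nb + dt.timedelta(days=days)))
    return validity_days(b, a), safari_accepts(b, a)


if __name__ == "__main__":
    for issued, days in (("2020-09-15", 398), ("2020-09-15", 399), ("2020-09-15", 825), ("2020-06-01", 825)):
        print(issued, *check_sample(issued, days))
```

To check a live site, feed `validity_from_pem` the output of `openssl s_client -connect host:443 -showcerts` (the leaf certificate is the first block), or pass a DER file’s bytes to `validity_from_der`. A certificate issued on 15 September 2020 for exactly 398 days passes; one day more is rejected, as is an 825-day certificate issued after the cut-off, while the same 825-day lifetime on a certificate issued in June 2020 is still accepted.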
While this makes things safer for users, some suggest that Apple’s plan could have unintended consequences. Because certificates will have to be replaced at least every 13 months, some argue that websites will become more dependent on third-party services that automate issuance and renewal. Even where these are free, there is the risk that the service will go under or be compromised.
Many sites are, however, hosted on large platforms such as WordPress.com, where the hosting company takes care of obtaining and renewing certificates, so it may not be a significant issue for most site owners.