Back in February, Apple announced plans to boost HTTPS protections in Safari, with effect from September 1 this year. A new report today notes that other browsers are now following Apple’s example – but it’s not without controversy …
As we explained at the time, Apple will only accept HTTPS certificates as valid if they were issued within the past 13 months.
HTTPS is a secure version of the standard web protocol HTTP. It means that communication between the user and the server is encrypted in both directions.
HTTPS protects against so-called ‘man in the middle’ attacks, where someone creates a WiFi hotspot with an innocent-sounding name, and then captures all the traffic going through it. With ordinary HTTP, all of the content – including usernames and passwords – would be in plain text. With HTTPS, all the attacker would get is gibberish.
For a browser to connect to an HTTPS website, it checks that the site has a valid security certificate. This is essentially proof from a trusted third party, the certificate authority that issued it, that the site is the one it claims to be, so the encrypted connection can be trusted.
Certificates only show that a website used the latest HTTPS encryption standard at the time the certificate was issued, so an earlier issue date means more risk that the site is no longer using the latest security. There is also the danger of a certificate being compromised by attackers, making it worthless; reducing the time the certificate is valid also reduces this risk.
Safari used to accept certificates that were issued up to 825 days ago. As TNW reports, the company says that from 1st September, any certificate issued more than 398 days ago – 13 months – will be rejected. This means Safari will warn you that the certificate is out of date and advise against connecting to the site.
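The quantity the browsers compare against the 398-day cap is the certificate's validity period, the span from its notBefore date to its notAfter date. The following is an added example, not code from the article or from any browser vendor, showing how that check can be applied to the dictionary that Python's standard-library ssl module returns from `getpeercert()`; the sample certificates are constructed, and the treatment of certificates issued before 1 September 2020 as out of scope of the new cap is an assumption made here.

```python
"""Check a certificate's validity period against the 398-day cap.

Operates on the dict shape returned by ssl.SSLSocket.getpeercert(), so
the same function can be applied to a live connection; the samples
below are constructed for illustration, not captured from any site.
"""
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 398                                   # the 13-month cap
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)  # enforcement date

# Reference times used by the demo below (constructed).
CHECK_TIME = datetime(2020, 10, 1, tzinfo=timezone.utc)
LATE_CHECK_TIME = datetime(2022, 1, 1, tzinfo=timezone.utc)


def _to_utc(cert_time: str) -> datetime:
    # getpeercert() reports dates as e.g. "Sep 15 00:00:00 2020 GMT";
    # ssl.cert_time_to_seconds parses exactly that format as UTC.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def lifetime_days(cert: dict) -> float:
    """Validity period in days, measured from notBefore to notAfter."""
    delta = _to_utc(cert["notAfter"]) - _to_utc(cert["notBefore"])
    return delta.total_seconds() / 86400


def evaluate(cert: dict, now: datetime) -> str:
    """Classify a certificate at time `now`.

    Returns 'expired', 'not_yet_valid', 'legacy', 'too_long' or 'ok'.
    'legacy' marks certificates issued before POLICY_START; treating
    those as outside the new cap is an assumption of this example.
    """
    not_before = _to_utc(cert["notBefore"])
    not_after = _to_utc(cert["notAfter"])
    if now > not_after:
        return "expired"
    if now < not_before:
        return "not_yet_valid"
    if not_before < POLICY_START:
        return "legacy"
    if lifetime_days(cert) > MAX_LIFETIME_DAYS:
        return "too_long"
    return "ok"


# Constructed sample certificates in getpeercert() shape (only the fields used here).
SAMPLE_CERTS = {
    "thirteen_month": {"subject": ((("commonName", "example.test"),),),
                       "notBefore": "Sep 15 00:00:00 2020 GMT",
                       "notAfter": "Oct 18 00:00:00 2021 GMT"},   # exactly 398 days
    "two_year_new": {"subject": ((("commonName", "example.test"),),),
                     "notBefore": "Sep 15 00:00:00 2020 GMT",
                     "notAfter": "Sep 15 00:00:00 2022 GMT"},     # 730 days, issued after cut-over
    "two_year_old": {"subject": ((("commonName", "example.test"),),),
                     "notBefore": "Mar 10 00:00:00 2020 GMT",
                     "notAfter": "Mar 10 00:00:00 2022 GMT"},     # 730 days, issued before cut-over
}


def audit(certs: dict, now: datetime) -> dict:
    """Map each certificate name to its verdict, the shape a monitoring job would log."""
    return {name: evaluate(cert, now) for name, cert in certs.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CERTS, CHECK_TIME).items():
        days = lifetime_days(SAMPLE_CERTS[name])
        print(f"{name:15s} {days:6.0f} days -> {verdict}")
```

Pointing this at a real server only requires replacing the sample dict with the result of `getpeercert()` on an established `ssl.SSLSocket`; the cap is checked on the validity period rather than on the current date, which is why a certificate that is still within its dates can nonetheless be reported as too long.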
Move to boost HTTPS protections not welcomed by all
ZDNet reports that Mozilla and Google have both announced that they will take the same action on the same date.
Following Apple’s initial announcement, Mozilla and Google have stated similar intentions to implement the same rule in their browsers.
Starting with September 1, 2020, browsers and devices from Apple, Google, and Mozilla will show errors for new TLS certificates that have a lifespan greater than 398 days.
However, while this is good news for web users, the site notes that not everyone is happy about it. Traditionally, the validity period of certificates is decided by a body known as the CA/B Forum, comprising a mix of Certificate Authorities (CAs) – the companies which issue the certificates – and browser makers.
CAs and browser companies have battled for some time, the former arguing that shorter validity creates more work for IT companies, the latter arguing it’s safer for web users. In a vote last year, the CAs won and the browser makers lost.
However, Apple decided to act unilaterally, and now other browser makers are doing the same thing. This means that the official standard of two years is effectively dead. One industry site predicted this, saying that it would make a ‘farce’ of the standards forum as ‘the browsers would basically be ruling by decree.’