SSL CERTIFICATE VALIDITY IS NOW CAPPED AT A MAXIMUM OF 2 YEARS
The CA/Browser Forum, an industry body made up of Certificate Authorities (CAs), web browsers and operating systems, recently passed ballot 193 to reduce the maximum validity period for SSL certificates to 2 years (825 days, to be specific). Prior to this, the maximum validity was 3 years (39 months) for Domain Validated (DV) and Organization Validated (OV) certificates; Extended Validation (EV) certificates have always been capped at 2 years.
The change goes into effect March 1, 2018, but we will comply with the new set of rules by February 26th, 2018.
WHY REDUCE SSL VALIDITY PERIODS?
The CA/Browser Forum is responsible for setting and maintaining best practices and requirements for CAs and the certificates they issue. Longer certificate validity periods can delay widespread compliance with new guidelines since changes wouldn’t go fully into effect until all existing (issued before the update) certificates expired. Decreasing the maximum lifetime of certificates from 3 years to 2 years, helps reduce the presence of older, outdated and possibly vulnerable certificates, that were issued before new guidelines were put in place.
For example, back when SHA1 deprecation was first announced, the maximum validity period was 5 years (for DV and OV). This lead to challenges in the migration to SHA256 because there was this gray area of long-life certificates that had been issued with SHA1 and could potentially remain in use for years with an outdated algorithm. Shorter validity periods will shrink these gray areas after future guidelines are released and decrease the amount of time it takes for all active certificates to comply with a specified policy.
HOW DOES THIS AFFECT SYSTEM AND WEB ADMINISTRATORS?
For starters, the new rule only applies to certificates issued after March 1st, 2018. This change does not affect current certificates, so don’t panic thinking you need to replace any existing certificates that were issued with a 3-year validity period. That said, if you currently use 3-year certificates and have your administration based on a 3-year renewal cycle, you should start thinking ahead on how to adjust to more frequent renewals.
If you have questions about the 2-year validity maximum or SSL/TLS best practices in general? Just contact us. We’re happy to help.
FAQ DEPRECATION OF 3-YEAR SSL CERTIFICATES
Why will TRUSTZONE stop issuing 3-year certificates?
This is an industry-wide directive which affects all certificate authorities. In accordance with the CA/Browser Forum Baseline Requirements, effective March 1st 2018, Certificate Authorities (CAs) will no longer be able to issue SSL certificates with a validity period longer than 27 months.
When will the 2-year maximum term limitation take effect?
March 1st, 2018, but we will comply with the new set of rules by February 26th, 2018.
Is TRUSTZONE the only certificate authority to stop issuing 3-year certificates?
No, the requirement applies to all CAs. If a certificate is issued after March 1st, 2018 with a validity period of greater than 27 months, then the issuing CA will be in breach of the requirements.
What if I already paid for a 3-year term? Does that purchase get honored?
Yes. If you purchased the certificate before March 1st 2018, then nothing will change. Your 3-year certificate will remain valid for its full lifetime. If you decide to replace this certificate after March 1st, 2018, or it comes up for renewal, then the new laws come into play.
Does the 2-year maximum term limitation apply to all certificate types (single domain, Wildcard, Extended Validation and SAN/multi-domain)?
Yes, it applies to all website certificate types. EV certificates have a maximum duration of 2 years anyway, so they are already compliant.
Does the limit apply to Code Signing certificates?
No, the limit does not apply to code signing or EV Code Signing certificates, which will retain a 3-year maximum validity period.
BASICS OF SSL
What is SSL?
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and untampered. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers. Using an SSL certificate from a trusted CA (Certificate Authority) ensures that browsers and devices connecting to your services accepts the certificate seamlessly. The CA is listed in the root store, which is a database of approved CAs that come pre-installed with the browser or device. Read here how to choose the right SSL certificate. Or read more about what is SSL certificates here.
Why do I need SSL?
This is important because the information you send on the internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can “listen in” and see your credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted with an SSL certificate.
Your customers may not trust your website without an SSL certificate. According to Gartner Research, nearly 70 percent of online shoppers have terminated an online order because they did not “trust” the transaction. In those cases, 64 percent indicated that the presence of a trust mark would have likely prevented the termination.
An SSL certificate – preferably an Extended Validation SSL certificate – and a Site Seal will inspire customer confidence and secure your transactions and thus your business.
How do website visitors know if a website is using SSL?
When a browser connects to a secure site it retrieves the site’s SSL certificate and checks that it has not expired, that it has been issued by a Certificate Authority the browser trusts and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser will display a warning to the end user. If it succeeds, several security indicators are built into modern browsers to indicate that SSL is enabled. The beginning of the URL or web address changes from http:// to https://, a padlock on the browser window changes from open to closed, and the address bar will turn green and display the name of the website owner when connecting to a website protected by an Extended Validation SSL certificate.
Do I have to own a business to get an SSL certificate?
No, you do not have to be a business owner to buy an SSL certificate. Anyone wishing to provide a confidential and secure link between a server and a browser can apply for a certificate.
What is EV SSL certificates?
‘Extended Validation Certificate’ is an enhancement to the standard SSL certificate that guaranties a higher level of security thanks to an extensive validation process.
If you visit an EV certified website, you will see a solid green bar in the browser’s address bar and the easily recognisable green padlock icon. The bar shows the name of the company who owns the website and this image is extremely difficult to copy or fake. The bar therefore works as a type of insurance, telling you that you are in fact on the right website and that you have not been the victim of a ‘phishing attack’.
What is phishing?
Phishing is a fraudulent attempt, usually made through email, to steal your personal information. The best way to protect yourself from phishing is to learn how to recognize a phish. Phishing emails usually appear to come from a well-known organization and ask for your personal information — such as credit card number, social security number, account number or password. Often times phishing attempts appear to come from sites, services and companies with which you do not even have an account. In order for Internet criminals to successfully “phish” your personal information, they must get you to go from an email to a website. A website with an certificate enabled will show you a true validation of the domain. You can trust this validation based on the high level of security check. If the website is trusted by no authority, you should not access the site. Phishing emails will almost always tell you to click a link that takes you to a site where your personal information is requested. Legitimate organizations would never request this information of you via email.
Let’s connect on LinkedIn and be updated on phishing and other relevant news for you.