Apple has announced that Safari will soon start rejecting HTTPS certificates that are older than 13 months. Safari is Apple’s default web browser for macOS, iOS, and iPadOS, and its market share is estimated at between 3% and 18%, so this change is going to affect many people. This means that when these people try to visit a website using an HTTPS certificate signed 398 days or more earlier, they will get a privacy warning. If the user accepts the risk, they can proceed to the website after acknowledging it.
HTTPS/SSL certificates are meant to let a browser verify that it is talking to the genuine website. They are issued by a number of trusted certificate authorities, and they are checked and accepted by the browser when the user tries to reach a certified website. They are basically small data files containing a cryptographic key for setting up encrypted communications. Moreover, they bind the identity of the server hosting the website to that key, so the user’s computer can verify who it is talking to (authentication), and they carry a unique serial number so that they can’t be spoofed or used elsewhere. Before 2017, certificates were good for a period of five years. After 2017, the maximum validity period was reduced to two years. When a certificate expires, users can no longer trust the website, as they have no way to determine its authenticity.
Apple thinks that this is far too long for security, as cryptographic standards now receive important updates every year. This means that anything signed over a year ago may no longer be fully secure. Moreover, older certificates often get neglected, and malware actors grab the opportunity to steal them and use them to certify phishing and malware websites. While shortening their lifespan sounds like a good proactive security measure, it comes with an additional cost for site owners and companies. Shortening the lifecycle to roughly a year creates an additional financial and management burden, as well as a risk of error when renewal time comes.
Some entities already use certificates that are valid for only a year, while the free HTTPS certificates issued by “Let’s Encrypt” last only 90 days. However, big platforms such as GitHub.com and Microsoft.com use two-year certificates, meaning that they could soon be treated as unsafe by Safari, confusing visitors and causing disruption to those websites. Safari has a large enough user base to bring major changes to the field, but it will be interesting to see whether Chrome and/or Firefox plan to embrace this approach.
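For a site owner, the practical question raised by the article is which certificates in their inventory would trip the new limit. The script below is an added example, not code from the article or from Apple; it reports each certificate's validity period (notAfter minus notBefore, which is the quantity the 398-day limit applies to), its current age, and the days left before expiry, using only the Python standard library. It assumes certificate records in the dictionary shape returned by `ssl.SSLSocket.getpeercert()` (keys `notBefore` and `notAfter`) plus a hypothetical `name` label that is not part of that API; the four sample records are constructed, not real certificates. The `fetch_peer_cert()` helper performs a live TLS handshake against a host you operate and is not exercised by the sample run.

```python
import socket
import ssl
from datetime import datetime, timezone

# Maximum validity period Safari will accept for newly issued server certificates.
MAX_LIFETIME_DAYS = 398
SECONDS_PER_DAY = 86400


def _to_ts(cert_time: str) -> int:
    """Parse a getpeercert()-style date such as 'Sep 15 00:00:00 2020 GMT' to a UTC epoch."""
    return int(ssl.cert_time_to_seconds(cert_time))


def audit_cert(cert: dict, now: datetime) -> dict:
    """Summarise one certificate's validity window relative to `now` (a UTC-aware datetime).

    `cert` uses the getpeercert() keys 'notBefore' and 'notAfter'; 'name' is our own
    hypothetical label for the record.
    """
    not_before = _to_ts(cert["notBefore"])
    not_after = _to_ts(cert["notAfter"])
    now_ts = int(now.timestamp())
    lifetime_days = (not_after - not_before) // SECONDS_PER_DAY
    return {
        "name": cert["name"],
        "lifetime_days": lifetime_days,
        "age_days": (now_ts - not_before) // SECONDS_PER_DAY,
        "days_remaining": (not_after - now_ts) // SECONDS_PER_DAY,
        "expired": now_ts >= not_after,
        "over_limit": lifetime_days > MAX_LIFETIME_DAYS,
    }


def audit_inventory(certs: list, now: datetime) -> list:
    """Audit every record in an inventory; returns one summary dict per certificate."""
    return [audit_cert(c, now) for c in certs]


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live server's certificate dict through a verified TLS handshake (network call)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = dict(tls.getpeercert())
    cert["name"] = host  # attach our own label so audit_cert() can report it
    return cert


# Constructed sample inventory (not real certificates), in getpeercert() date format.
SAMPLE_CERTS = [
    {"name": "two-year",   "notBefore": "Sep 15 00:00:00 2020 GMT", "notAfter": "Sep 15 00:00:00 2022 GMT"},
    {"name": "one-year",   "notBefore": "Sep 15 00:00:00 2020 GMT", "notAfter": "Sep 15 00:00:00 2021 GMT"},
    {"name": "ninety-day", "notBefore": "Nov  1 00:00:00 2020 GMT", "notAfter": "Jan 30 00:00:00 2021 GMT"},
    {"name": "lapsed",     "notBefore": "Jan  1 00:00:00 2019 GMT", "notAfter": "Jan  1 00:00:00 2021 GMT"},
]
# Fixed audit time so the sample run is reproducible; use datetime.now(timezone.utc) in practice.
AUDIT_TIME = datetime(2021, 1, 15, tzinfo=timezone.utc)


if __name__ == "__main__":
    for row in audit_inventory(SAMPLE_CERTS, AUDIT_TIME):
        flags = []
        if row["over_limit"]:
            flags.append(f"validity {row['lifetime_days']}d exceeds {MAX_LIFETIME_DAYS}d limit")
        if row["expired"]:
            flags.append("expired")
        status = "; ".join(flags) or "ok"
        print(f"{row['name']:<11} lifetime={row['lifetime_days']:>4}d "
              f"age={row['age_days']:>4}d remaining={row['days_remaining']:>5}d  {status}")
```

Run it as-is to see the constructed inventory scored; to check a real host you control, replace `SAMPLE_CERTS` with `[fetch_peer_cert("your.host.example")]`. Integer day arithmetic is used throughout so the 398-day comparison is exact and never depends on fractional days or local time zones.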