Sysadmins rage over Apple's 'nightmarish' SSL/TLS cert lifespan cuts
Apple proposes reducing SSL/TLS certificate lifespans from 398 days to 45 days by 2027, aiming to enhance security, but system administrators are concerned about increased management workload and automation challenges.
Apple has proposed a significant reduction in the lifespan of SSL/TLS security certificates, aiming to cut the maximum validity from 398 days to just 45 days by 2027. This proposal, which is set to be voted on by members of the Certification Authority Browser Forum, has sparked strong reactions from system administrators who express concerns over the increased workload associated with managing more frequent certificate renewals. The plan includes a phased approach, reducing the maximum lifespan to 200 days after September 2025, then to 100 days in 2026, and finally to 45 days by April 2027. Additionally, the proposal aims to shorten the domain control validation period to 10 days after September 2027. While shorter certificate lifespans are believed to enhance internet security by limiting the time for potential exploitation, sysadmins worry about the practical implications of managing numerous certificates with such short validity periods. Some have pointed out that automation may not be feasible for all systems, particularly those that require manual certificate management. The proposal follows similar moves by Google, which plans to reduce certificate lifespans in its Chrome browser to 90 days.
- Apple plans to reduce SSL/TLS certificate lifespans from 398 days to 45 days by 2027.
- The proposal is set for a vote among Certification Authority Browser Forum members.
- Shorter certificate lifespans are intended to improve internet security.
- System administrators express concerns over increased management workload.
- Automation may not be a viable solution for all systems requiring SSL certificates.
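As an added illustration (not part of the article or the comments), the following Python check compares a certificate's validity window, as printed by `openssl x509 -noout -dates`, with the cap the proposed schedule would impose on its issuance date, and derives the renewal cadence an automated process would need. The exact cut-over days and the two-thirds renewal point are assumptions; the article names only months.

```python
import ssl
from datetime import date, datetime, timezone

# Proposed maximum TLS certificate validity (days) by issuance date, following the
# phased schedule in the article. The exact cut-over days are assumptions; the
# article only says "after September 2025", "in 2026" and "by April 2027".
LIFESPAN_SCHEDULE = [
    (date(2027, 4, 1), 45),
    (date(2026, 1, 1), 100),
    (date(2025, 10, 1), 200),
    (date(1970, 1, 1), 398),  # today's maximum
]

# Renew once this fraction of the validity window has elapsed (assumed policy;
# ACME clients commonly renew around two thirds of the way through the lifetime).
RENEW_AT_FRACTION = 2 / 3


def max_lifespan_days(issued: date) -> int:
    """Maximum validity a certificate issued on `issued` may carry under the schedule."""
    for cutover, days in LIFESPAN_SCHEDULE:
        if issued >= cutover:
            return days
    return LIFESPAN_SCHEDULE[-1][1]


def parse_openssl_date(text: str) -> date:
    """Parse the 'Jan  5 09:30:43 2025 GMT' form printed by `openssl x509 -noout -dates`."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc).date()


def check_certificate(not_before: str, not_after: str) -> dict:
    """Compare a certificate's validity window with the cap for its issue date and
    work out how often an automated renewal job would have to run."""
    issued = parse_openssl_date(not_before)
    expires = parse_openssl_date(not_after)
    lifespan = (expires - issued).days
    cap = max_lifespan_days(issued)
    renew_every = max(1, int(cap * RENEW_AT_FRACTION))
    return {
        "lifespan_days": lifespan,
        "max_allowed_days": cap,
        "compliant": lifespan <= cap,
        "renew_every_days": renew_every,
        "renewals_per_year": -(-365 // renew_every),  # ceiling division
    }
```

Running `check_certificate("Oct 15 00:00:00 2025 GMT", "Nov 17 00:00:00 2026 GMT")` on a constructed 398-day certificate issued after the first cut-over reports it as non-compliant against the 200-day cap and a renewal cadence of roughly every 133 days.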
Related
Sustaining Digital Certificate Security – Entrust Certificate Distrust
Google's Chrome Security Team distrusts specific Entrust certificates due to reliability concerns. Chrome 127 onwards won't trust certain Entrust TLS server authentication certificates dated after October 31, 2024. Website operators should review certificates for compliance.
Telekom Security: Revocation delay for TLS certificates
Telekom Security experienced a delay in revoking TLS certificates, affecting 336 certificates due to basicConstraints not marked as critical. Efforts were made to prompt customers for replacement within 5 days. Lessons included the need for customer sensitization and faster certificate replacement procedures. Automation via protocols like ACME was considered for future processes. Stakeholders questioned the delay, but Telekom Security defended its decision based on low security risk and impact on critical infrastructures. The incident underscored challenges faced by CAs in ensuring timely revocation and the importance of continuous improvement for industry standards and trust.
Deutsche Telekom issued invalid certificates, hasn't revoked them since 6 months
Telekom Security faced delays in revoking TLS certificates, impacting critical infrastructures. Efforts were made to replace 336 certificates within 5 days, highlighting the need for faster procedures and customer sensitization. Mozilla raised concerns about the response, emphasizing the importance of compliance with industry standards.
Google calls for halting use of WHOIS for TLS domain verifications
Google proposed ending the use of WHOIS data for TLS certificate verification due to security vulnerabilities, suggesting a deadline of November 1, 2024, while some advocate for an extension to April 30, 2025.
Avoiding downtime: modern alternatives to outdated certificate pinning practices
Certificate pinning is becoming obsolete due to frequent certificate rotations causing outages. Modern practices like shorter lifetimes and enhanced monitoring improve security and reduce risks associated with legacy pinning.
Thank you SSL/TLS cert lifespan cuts for making this a reality.
Well done, everyone.
While yes, there are lazy/incompetent sysadmins, there are also lazy/incompetent engineers, marketers, etc.; this is not a magic sysadmin-only thing.
I suspect that in most of the places where there are sysadmins/IT depts in this situation, they've been trying to do something about this for years, while the management of the company has refused to provide the required support or funding for the work because it's not "necessary".
If you are unable to roll certificates within a few hours, your systems are not set up properly, and you cannot respond appropriately to compromise. The constant pushback of “oh it’s hard to manually perform a certificate update over our services” is fucking stupid and needs to stop. If you cannot roll your certificates regularly without a problem, then I sure as shit doubt you can update your systems in response to an actual urgent issue.
The problem is not onerous rules from Apple, the problem is you’ve spent decades complaining about it being too hard to do basic updates to your services and software, and then every time you get an extension to fix your broken ass systems you go “sweet” and don’t fix the fucking problem.
JFC the incompetence.
A very uncool thing to do when the application only gets updated about once a year. :(