Apple's Safari browser to reject new security certificates valid for longer than 13 months
It was announced this week that Safari will, from Autumn this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. That means websites using multi-year SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple's browser.
What this means is that from the 1st of September 2020 any new website cert valid for longer than 398 days will not be trusted by the Safari browser. However, certificates issued before that date will still be trusted for the existing standard maximum of 825 days.
By implementing the policy in Safari, Apple will, by extension, enforce it on all iOS devices as well as Safari on macOS. This will put pressure on website admins and developers to make sure that their SSL certificates meet the Apple requirements, or risk breaking pages on an estimated billion-plus devices.
Why are Apple enforcing this change?
The aim of the move is to improve website security by making sure developers use certificates with the latest cryptography standards, and to reduce the number of old, neglected certificates that could potentially be stolen and re-used for phishing and malware attacks. If boffins or miscreants were able to break the cryptography in an SSL/TLS standard, short-lived certificates would ensure people migrate to more secure certs within a year.
Shortening the lifespan of certificates does come with some drawbacks, however. By increasing the frequency of certificate replacements, Apple and others are also making life a little more complicated for site owners and businesses that have to manage the certificates and compliance.
What does this mean for your website?
In the immediate short term you don’t need to do anything. Moving forward it means:
- If you buy a certificate valid for longer than 13 months and this is implemented on your site before the 1st September 2020, then your site won’t be penalised by Apple / Safari
- From the 1st September 2020 onwards you should only buy certificates to cover 13 months / 398 days or less
The reality is that this decision means that sellers of certificates will no longer offer longer duration security certificates from September onwards in most cases.
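One way to check a certificate against the limits described above, as an added example that is not part of the original article: it reads the two date lines printed by `openssl x509 -noout -dates` and applies the 398-day or 825-day limit depending on the cut-off. It assumes the issue date is the certificate's notBefore value; the host names and dates in the sample inventory are constructed.

```python
from datetime import datetime, timedelta, timezone

# Policy values from the article: cut-off date and the two validity limits.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
LIMIT_NEW = timedelta(days=398)   # certificates issued on or after the cut-off
LIMIT_OLD = timedelta(days=825)   # certificates issued before the cut-off
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"  # as printed by `openssl x509 -noout -dates`


def parse_dates(openssl_output):
    """Extract (notBefore, notAfter) as UTC datetimes from `-dates` output."""
    fields = {}
    for line in openssl_output.strip().splitlines():
        key, _, value = line.partition("=")
        stamp = datetime.strptime(value.strip(), OPENSSL_FMT)
        fields[key.strip()] = stamp.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def check_lifetime(openssl_output):
    """Return (ok, validity_days, limit_days) for one certificate."""
    not_before, not_after = parse_dates(openssl_output)
    if not_after <= not_before:
        raise ValueError("notAfter is not later than notBefore")
    # Assumption: "issued" is taken to be the notBefore timestamp.
    limit = LIMIT_NEW if not_before >= CUTOFF else LIMIT_OLD
    validity = not_after - not_before
    return validity <= limit, validity.days, limit.days


# Constructed sample inventory (host names and dates are made up).
SAMPLES = {
    "legacy.example": "notBefore=Aug 31 12:00:00 2020 GMT\nnotAfter=Aug 31 12:00:00 2022 GMT",
    "new-ok.example": "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Oct  4 00:00:00 2021 GMT",
    "new-long.example": "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Sep  1 00:00:00 2022 GMT",
}

if __name__ == "__main__":
    for host, dates in SAMPLES.items():
        ok, days, limit = check_lifetime(dates)
        verdict = "OK" if ok else "REJECTED"
        print(f"{host}: {days} days (limit {limit} days) -> {verdict}")
```

The two-year certificate issued the day before the cut-off passes under the 825-day limit, while the same lifetime issued on the 1st of September 2020 fails the 398-day limit.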
If you’ve got any concerns regarding the SSL on your site then give us a call to talk your options through on 0118 931 4196 or email us via hello@3chillies.co.uk