Apple has unveiled a new policy, which will go into effect later this year, that will prevent its Safari browser from accepting new HTTPS certificates that expire more than 13 months after their creation date.
As a result of the new policy, any website using long-life SSL/TLS certificates issued after the cut-off point will lead to privacy errors being displayed in the iPhone maker’s browser.
Apple debuted the new policy at a recent Certification Authority Browser Forum (CA/Browser) meeting in Slovakia. According to people who attended the meeting, from September 1st any new website certificate valid for more than 398 days will not be trusted by Safari and will be rejected. However, older certificates issued before this deadline, will not be affected by this new rule.
Since Apple has made the decision to implement this new policy in Safari, the company will effectively have to enforce it on all devices running either iOS or macOS. This means that developers and website administrators will be forced to ensure that their certificates meet Apple’s requirements or they’ll risk losing many visitors to their sites.
One-year TLS certificates
Apple, Google and other members of CA/Browser have considered cutting certificate lifetimes for months but the policy comes with benefits as well as drawbacks.
The main goal of the policy is to help improve website security by ensuring that developers use certificates with the latest cryptographic standards while also reducing the number of old certificates that could potentially be stolen and re-used by cybercriminals launching phishing campaigns or malware attacks.
By increasing the frequency of certificate replacements, Apple will be making life more difficult for site owners as well as businesses that have to manage these certificates and compliance.
While Apple has yet to make a public announcement regarding its new policy, Digicert’s Dean Coclin provided more details on how the policy will affect certificate users in a memo, saying:
“What does this mean for certificate users? For your website to be trusted by Safari, you will no longer be able to issue publicly trusted TLS certificates with validities longer than 398 days after Aug. 30, 2020. Any certificates issued before Sept. 1, 2020 will still be valid, regardless of the validity period (up to 825 days). Certificates that are not publicly trusted can still be recognized, up to a maximum validity of 825 days.”
Via The Register