SSL/TLS certificates lifespan reduced to 13 months
Since September, it is no longer possible to purchase an SSL/TLS certificate for more than 13 months. Why such a change?
With the development of the Internet, users very often find themselves facing worrying situations: scams, phishing, the list is long and the consequences are sometimes dramatic. To counter this feeling of insecurity, certificates are provided. These SSL/TLS certificates are supposed to guarantee a secure connection.
Why “supposed”? Because today their functioning is being questioned, especially regarding their duration, which may seem, to some extent, too long.
What is an SSL/TLS certificate?
SSL/TLS certificates are intended to guarantee secure connections and protect the user’s data exchanged between two systems. If a site collects sensitive data (passwords, credit card numbers, etc.), it is rare not to see an SSL/TLS certificate attached. Thanks to the https prefix and the padlock, the Internet user can easily identify whether his connection is secure or not.
The other advantage of these certificates is the ability to authenticate the identity of the receiving server. By clicking on the padlock, it is thus possible to perform an additional check. Certificates known as EV (Extended Validation) allow you to see, among other things, the name of the company that holds the certificate.
There are many players involved in this security process. What is important to understand is that the very principle of these certificates is to offer a secure connection between the Internet user and the browser. So the most important players are the browsers themselves and the Certification Authority. The latter issues a certificate that it installs on a server, and the browsers check this data before displaying the distinctive signs (padlock, https, etc.).
It is in light of this verification that some web giants, Google and Apple in particular, have announced their decision to reduce the validity of SSL/TLS certificates to 13 months.
Why reduce the validity of SSL/TLS certificates?
This approach is not new. For a few years now, certificate lifespans have been reduced little by little. Before 2015, it was possible to obtain a certificate for a maximum duration of five years. In 2018, it was reduced to two years. So why continue this reduction?
Two reasons seem to stand out.
Firstly, for security reasons. How can a browser guarantee the accuracy of the data in a certificate issued for five years? This information may no longer be up to date, and this will only be detected at renewal time. The greater the interval between these checks, the greater the risk.
Secondly, the reduced validity time of SSL/TLS certificates brings advantages on a more technical level. With longer certificate lifespans, updates take more time: you have to wait until all the certificates have expired before you can make changes. A tedious process that a shorter certificate lifespan simplifies.
What are the consequences for the user?
Concretely, this regulation only became effective last September. This means that if your certificate was acquired before this date, its validity period will remain the same until its expiry date. After that, you will only be able to obtain certificates for a maximum period of 13 months.
At Netim, we offer two types of certificates:
- Let’s Encrypt, included for free with all our hosting offers
- Sectigo, from €12 excl. tax per year, including a financial guarantee
What is the difference between these two offers?
Let’s Encrypt certificates are automatically renewed every 90 days by our robots. They guarantee the reliability of the information transmitted. However, as they are delivered free of charge, they do not come with any warranty for the holder.
Conversely, Sectigo certificates are issued for a period of one year. Their purpose is to provide holders with additional security. What security? Protection for the certificate holder in the event of a loophole in the data protection system (transaction security, etc.).
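An added example (not Netim’s code) that applies the rules described above: certificates issued from September 2020 may not exceed 13 months, which browser root programs enforce as 398 days, earlier certificates keep their original validity until they expire, and short-lived certificates such as Let’s Encrypt’s 90-day ones need scheduled renewal. It reads the dates printed by `openssl x509 -noout -dates`; the sample output is constructed, and the renew-at-one-third-remaining rule is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Browser root programs implement the "13 months" cap as 398 days, applied only
# to certificates whose notBefore is on or after 1 September 2020.
MAX_VALIDITY_DAYS = 398
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # as printed by `openssl x509 -noout -dates`

def parse_openssl_dates(text):
    """Parse the 'notBefore=...' / 'notAfter=...' lines printed by openssl."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        value = " ".join(value.split())  # collapse the padding in e.g. 'Sep  1'
        fields[key.strip()] = datetime.strptime(value, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]

def validity_days(not_before, not_after):
    return (not_after - not_before).days

def exceeds_policy(not_before, not_after):
    """True for a certificate issued under the new rule with validity over 13 months.
    Certificates issued before the rule keep their original validity until they expire."""
    return not_before >= POLICY_START and validity_days(not_before, not_after) > MAX_VALIDITY_DAYS

def renewal_due(not_before, not_after):
    """Assumed rule: renew once a third of the lifetime is left (30 days of a 90-day cert)."""
    return not_after - timedelta(days=validity_days(not_before, not_after) // 3)

def audit(name, text, now):
    nb, na = parse_openssl_dates(text)
    if now >= na:
        status = "expired"
    elif exceeds_policy(nb, na):
        status = "rejected by browsers: validity over 13 months"
    elif now >= renewal_due(nb, na):
        status = "renew now"
    else:
        status = "ok"
    return {"name": name, "days": validity_days(nb, na), "status": status}

# Constructed sample openssl output, not taken from real certificates
SAMPLE = {
    "lets-encrypt":    "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Dec 30 00:00:00 2020 GMT",
    "two-year-legacy": "notBefore=Aug 15 00:00:00 2020 GMT\nnotAfter=Aug 15 00:00:00 2022 GMT",
    "two-year-new":    "notBefore=Sep 15 00:00:00 2020 GMT\nnotAfter=Sep 15 00:00:00 2022 GMT",
}

def audit_all(now=datetime(2020, 12, 5, tzinfo=timezone.utc)):
    return {name: audit(name, text, now)["status"] for name, text in SAMPLE.items()}
```

Run `audit_all()` to see the three outcomes: the 90-day certificate is due for renewal, the two-year certificate bought before September keeps its validity, and the two-year certificate issued after September would be rejected by browsers.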
Towards a safer internet environment?
It goes without saying that these changes are intended to make the digital space in which we operate a little more secure. As such, they are widely accepted by the general public, especially since a large part of the renewal process can now be automated.
Nevertheless, if the purpose is to promote sites considered reliable, one may wonder why EV and DV certificates are no longer distinguished graphically. Indeed, the two types of certificate are far from identical: for a DV (domain validation) certificate, one simply verifies that the owner of the certificate has access to the domain, whereas for an EV (extended validation) certificate much more data is collected (company name, verified identity, etc.).