Let’s Encrypt, a free, automated, and open certificate signing authority (CA) from the nonprofit Internet Security Research Group (ISRG), has said it’s issued a billion certificates since its launch in 2015.
HTTPS, the default means of secure communication on the internet, comes with three benefits: authentication, integrity, and encryption. It allows HTTP requests to be transmitted over a secure encrypted channel, thus protecting users from an array of malicious activities, including site forgery and content manipulation.
“Since 2017, browsers have started requiring HTTPS for more features, and they’ve greatly improved the ways in which they communicate to their users about the risks of not using HTTPS,” the company said. “When websites put their users at risk by not using HTTPS, major browsers now show stronger warnings. Many sites have responded by deploying HTTPS.”
Launched with the goal of speeding up the web’s encryption rate and bringing down the costs of enabling HTTPS, Let’s Encrypt’s ACME (Automatic Certificate Management Environment) protocol offers an easy means to set up and issue SSL certificates that can be renewed and replaced without manual intervention from webmasters.
Electronic Frontier Foundation’s Certbot is one such popular open-source, free-to-use ACME client that enables HTTPS on websites by automatically deploying Let’s Encrypt certificates — which are valid only for 90 days — and managing renewals.
But with bad actors abusing Let’s Encrypt HTTPS certificates to mask malicious traffic and direct unsuspecting users to malicious sites, the company has taken steps to “ensure that a certificate applicant actually controls the domain they want a certificate for.”
Apple Takes a Significant Step Forward
But that’s not all. Apple has managed to do what most CAs were hesitant to accomplish all this time: shorten the maximum validity of issued certificates to one year.
The tech giant recently announced that starting 1st September 2020, Safari will reject new HTTPS certificates that expire more than 13 months (or 398 days) from their creation date, effectively bringing down the maximum certificate lifetime from 825 days.
This follows a failed ballot held last September by CA/Browser Forum to reduce certificate lifetimes. Although Let’s Encrypt, certSIGN, Apple, Cisco, Google, Microsoft, Mozilla, and Opera voted in favor of the move, close to two-thirds of participating CAs rejected the idea.
Apple’s move to shorten the lifespan of HTTPS certificates means that CA’s like Let’s Encrypt and ACME clients such as Certbot will only become more valuable going forward, as it would force the website administrators to use a certificate issued for 1 year or less.
How Do Short-Lived Certificates Increase Security?
Capping certificate lifetimes improves website security, not least because it reduces the possibility of criminals stealing neglected certificates to mount phishing and malware attacks.
Secondly, mobile versions of Chrome and Firefox do not proactively check for certificate status, implying a website whose certificate has been revoked will still continue to load without giving any warning to the user.
This is for performance reasons as browsers will have to end up downloading certificate revocation lists (CRLs) that can be quite large in size, affecting page loads.
Aside from these techniques, the Firefox maker has also announced technical specifications for a new cryptographic protocol called “Delegated Credentials for TLS,” which “allows companies to take partial control over the process of signing new certificates for themselves—with a validity period of no longer than 7 days and without entirely relying on the certificate authority.”
It goes without saying that Apple’s decision to cut certificate lifetimes is a significant step forward for security. And if it helps proactively prevent users from connecting to compromised websites, it can only be a good thing.