Apple Goes Rogue, Drops Unilateral TLS Certificate Guillotine

Safari will no longer trust TLS certificates that last longer than 13 months. Yes, you read that right. IT and DevOps are spitting blood.

Are they serious? Which standards committee agreed to that?

Nobody agreed to it. Apple just went rogue. In today’s SB Blogwatch, we can’t find anyone who thinks this is a good idea.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: trolling 419’ers.

Vitriol in 3 … 2 … 1 …

What’s the craic? Shaun Nichols reports—“Apple drops a bomb on long-life HTTPS certificates”:

 Websites using long-life SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple’s browser. … From September 1, any new website cert valid for more than 398 days will not be trusted by the Safari browser.

This will put pressure on … admins and developers to make sure their certs meet Apple’s requirements – or risk breaking pages on a billion-plus devices. [But] the policy has its benefits and drawbacks.

The aim … is to improve website security by making sure devs use certs with the latest cryptographic standards, and to reduce the number of old, neglected certificates that could potentially be stolen. [But it] also makes life a little more complicated for site owners and businesses that have to manage … compliance.

Apple declined to comment.
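The check an admin would actually want from the paragraphs above is "which of my certificates will Safari stop trusting?". The script below is an added example, not code from the article, from Apple or from the CA/Browser Forum. It reads the two lines that `openssl x509 -in cert.pem -noout -dates` prints and applies the rule as the article states it: a certificate issued on or after the September 1 cut-off whose validity exceeds 398 days is untrusted. Two assumptions are baked in and labelled in the code: the cut-off year is 2020 (the page gives only the day and month), and validity is measured as notAfter minus notBefore. The sample certificates are constructed.

```python
"""Audit TLS certificates against Safari's 398-day validity limit.

Added example, not code from the article, Apple, or the CA/Browser Forum.
It reads the two lines that ``openssl x509 -in cert.pem -noout -dates``
prints and applies the rule as described above: a certificate issued on
or after 1 September whose validity exceeds 398 days is not trusted.
Assumptions: the cut-off year is 2020 (not stated on the page), and
validity is measured as notAfter minus notBefore. Samples are constructed.
"""
from datetime import datetime, timedelta, timezone

MAX_VALIDITY_DAYS = 398
ISSUED_CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # assumed year


def parse_openssl_date(value):
    """Parse 'Sep  1 00:00:00 2020 GMT', the format openssl -dates prints."""
    fields = value.split()  # collapses openssl's space-padded day number
    if fields[-1] not in ("GMT", "UTC"):
        raise ValueError("unexpected time zone in %r" % value)
    naive = datetime.strptime(" ".join(fields[:-1]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_dates_output(text):
    """Return (notBefore, notAfter) from openssl's 'notBefore=...' lines."""
    found = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        key = key.strip()
        if sep and key in ("notBefore", "notAfter"):
            found[key] = parse_openssl_date(val.strip())
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("need both notBefore and notAfter lines")
    return found["notBefore"], found["notAfter"]


def validity_days(not_before, not_after):
    """Validity period in (fractional) days, measured notAfter - notBefore."""
    return (not_after - not_before) / timedelta(days=1)


def safari_rejects(not_before, not_after):
    """True if the new policy applies to this cert and it is too long-lived.

    Certificates issued before the cut-off keep whatever validity they
    have; only those issued on or after it are held to the 398-day ceiling.
    """
    issued_under_new_policy = not_before >= ISSUED_CUTOFF
    return issued_under_new_policy and validity_days(not_before, not_after) > MAX_VALIDITY_DAYS


# Constructed sample output, one entry per certificate, in the exact
# shape `openssl x509 -noout -dates` emits (note the padded "Sep  1").
SAMPLES = {
    "legacy-two-year": "notBefore=Aug 31 12:00:00 2020 GMT\nnotAfter=Aug 31 12:00:00 2022 GMT",
    "new-two-year":    "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Sep  1 00:00:00 2022 GMT",
    "new-398-days":    "notBefore=Sep  2 09:30:00 2020 GMT\nnotAfter=Oct  5 09:30:00 2021 GMT",
    "new-399-days":    "notBefore=Sep  2 09:30:00 2020 GMT\nnotAfter=Oct  6 09:30:00 2021 GMT",
}


def audit(samples):
    """Map each certificate name to True if Safari would reject it."""
    verdicts = {}
    for name, dates_output in samples.items():
        not_before, not_after = parse_dates_output(dates_output)
        verdicts[name] = safari_rejects(not_before, not_after)
    return verdicts


if __name__ == "__main__":
    for name, rejected in audit(SAMPLES).items():
        nb, na = parse_dates_output(SAMPLES[name])
        print("%-16s %6.0f days  %s" % (name, validity_days(nb, na),
                                        "REJECTED" if rejected else "ok"))
```

To run it against a real fleet, feed `parse_dates_output` the text of `openssl x509 -in cert.pem -noout -dates` for each certificate. The two boundary samples matter: a 398-day certificate passes, a 399-day one fails, and a two-year certificate issued the day before the cut-off stays trusted for its full term, so the policy only bites at renewal.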

And John E Dunn adds—“Apple chops Safari’s TLS certificate validity down”:

 Barely noticed by web users, the life expectancy of SSL/TLS certificates has lowered dramatically over the last decade. … Just over a decade ago domain registrars were selling SSL/TLS certificates that were valid for between 8 and 10 years.

In 2011, a new body called the Certification Authority Browser Forum (CA/Browser Forum), which included all the big browser makers, decided this was too long and imposed a limit of five years. Then, in 2015 the time limit was dropped to three years, followed by a further drop in 2018 to only two years.

The latest answer is one year, or 398 days including the renewal grace period. … It’s a bold move that presumably prefigures similar announcements by other big browser makers, especially Google.

Apple has decided to enforce the change unilaterally, apparently against the wishes of the Certificate Authorities (CAs) which issue certificates as a business. … In theory, CAs should be in favour of reduced certificate validity because it’s good for business – [it] should mean more frequent fees from … renewals. In the real world, it’s a lot more complicated.

Who broke the story? Casey Crane—“Certificate Validity Will Be Limited to One Year by Apple’s Safari”:

 Apple announced their unilateral decision at a face-to-face meeting of the CA/Browser Forum. … So, what exactly has transpired here? And, more importantly, what does this all mean?

Last year, Google … introduced a ballot at the CA/B Forum that pushed for a maximum one-year validity. [It] ultimately failed, but it looks like Apple has picked up where Google left off.

It was only a matter of time.

But SirAstral swearily disapproves:

 This is bull****. … This is just a ****ing gimmick to increase revenue.

The correct solution for when a cert becomes compromised should be Revocation, but naturally this infrastructure was built like **** so it is not very reliable. As long as a Cert is not Revoked it should be considered as good. A cert’s validity period only serves as the same bull**** security theater logic that requires people to change their password periodically.

Although Jamie Jones can see the good behind this:

 I … can see the good behind this, but I’m concerned that this is basically being forced on everyone due to Apple’s whim. … Couldn’t they at least pretend to get it to go through a standardisation process like Google does?

What about unintended consequences? Heed sphealey’s metaphor:

 What is that supposed to achieve? Renewing and installing a certificate is itself a high-risk activity, and demanding it be done more often is likely to lead to more failures of the trust chain.

I’m reminded of the Gateway Arch National Park that was changing the elevator cables that run up the leg of the Arch every 5 years; when one of them broke (fortunately no one was hurt) the elevator cable company’s response was basically, “You idiots, those are designed to last 50 years. Stop messing with them.”

What are other browsers doing? big_D reminds us:

 And don’t forget that Google and Firefox are dropping Extended Validation certs in Chrome (you know, the ones where the cert authority actually checks out the applicant in the real world, to ensure they are who they say they are). It is making a mockery of the whole process.

And ufgrat drops a bomb:

 My enterprise defaults to two year certs, and ever since the SHA-1 debacle, we’ve been trying to space them out so they aren’t all expired the same week. We’ve literally got hundreds of them.

If hate can be weaponized, expect the Apple campus to spontaneously explode one day.

What, Michael Wojcik worry?

 Personally, I’m not concerned if Safari rejects my certificates. Safari can **** right off.

Meanwhile, Retired ICS imagines the other shoe, and how it’ll drop:

 And in tomorrow’s news … Apple buys a Certificate Authority so it can cash in on the movement towards “short term” Certificates.

“There’s Gold in them thar Certificates,” Tim Cook announced, “because now people will pay the same price as they used to in order to buy a [huge] integer good for only one year, whereas in the old days, a [huge] integer was good for three years. Apple is moving to take advantage of this new trend in the [huge] integer marketplace.”

And Finally:

Trolling 419’ers


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Petras Gagilas (cc:by-sa)

Richi Jennings


Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, and NetApp on Forbes. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
