As of 1 September, certificate authorities no longer issue publicly trusted TLS certificates that are valid for longer than 398 days: browsers from Apple, Google and Mozilla reject longer-lived certificates issued on or after that date. The move is designed to limit how long users are exposed to a compromised certificate.
Publicly trusted certificates could once be issued for five years; that ceiling was later cut to 39 months and then, in 2018, to 825 days (a little over two years). The latest change was announced by Apple in March.
“Keys valid for longer than one year have greater exposure to compromise,” explained a spokesperson for Mozilla in a blog post.
“A compromised key could enable an attacker to intercept secure communications or impersonate a website till the TLS certificate expires.”
You’ve Got the Whole Certificate in Your Hands
“It’s not so much to say the security is broken,” Alyn Hockey, VP of product management at security company Clearswift, explained to Computer Business Review.
“It’s just there are some applications that won’t communicate with servers if the certificate no longer validates.”
Hockey went on to outline why the shift to one-year certificate lifetimes has taken place:
“It’s about making sure that, if a certificate gets into someone else’s hands, it’s not in someone else’s hands for five years.
“Just being able to work with others rather than having old things lying around, which may or may not get reused or repurposed and could potentially lead to a vulnerability or an exploitation.”
What Your Business Needs to Know
An expired TLS certificate does not by itself let an attacker in: a correctly behaving client refuses the connection, which is why the usual consequence is an outage. The risk comes from what happens next, when users and administrators learn to click through or disable certificate warnings, because that habit is exactly what a man-in-the-middle attacker relies on to get a forged certificate accepted, possibly exposing sensitive information to a malicious third party.
To avoid that fallout, keep an inventory of every certificate in use and renew each one before it expires, particularly after acquiring another company and inheriting its domain names, where certificates are easily overlooked. Shorter validity periods do not make expiry less likely on their own; they mean renewals come round more often, so manual tracking becomes harder and automated renewal becomes the practical fix.
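Both checks described in this section, whether a certificate was issued for longer than the 398-day ceiling and how close it is to expiry, can be scripted. The following Python is an added example written for this page, not code from CBROnline, Clearswift or any certificate authority. It uses only the standard library: a small DER walker pulls notBefore and notAfter out of the TBSCertificate, and check_lifetime() reports the issued lifetime, whether it exceeds 398 days, and the days remaining. Because it runs offline, the sample input is a constructed, unsigned skeleton that reproduces the real TBSCertificate field order with empty names and key; the file-path argument, the 30-day warning threshold and all function names are assumptions of this example.

```python
"""Check X.509 validity periods against the 398-day ceiling (stdlib only)."""
import base64
import datetime as dt
import sys

MAX_LIFETIME_DAYS = 398  # ceiling enforced by Apple, Google and Mozilla browsers from 1 Sept 2020
SEQUENCE, INTEGER, OID, BITSTRING, UTCTIME, GENTIME, CTX0 = 0x30, 0x02, 0x06, 0x03, 0x17, 0x18, 0xA0

def pem_to_der(pem_text: str) -> bytes:
    """Strip the armour from the first CERTIFICATE block and base64-decode it."""
    body, inside = [], False
    for line in (l.strip() for l in pem_text.splitlines()):
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
        elif line == "-----END CERTIFICATE-----":
            break
        elif inside:
            body.append(line)
    return base64.b64decode("".join(body))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def parse_time(tag: int, value: bytes) -> dt.datetime:
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ), RFC 5280 4.1.2.5."""
    text = value.decode("ascii")
    if tag == UTCTIME:
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000   # two-digit years pivot at 50 per RFC 5280
        rest = text[2:]
    elif tag == GENTIME:
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError("not a time tag: 0x%02x" % tag)
    return dt.datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                       int(rest[6:8]), int(rest[8:10]), tzinfo=dt.timezone.utc)

def certificate_validity(der: bytes):
    """Return (notBefore, notAfter) from a DER-encoded Certificate."""
    _, cert, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = read_tlv(cert, 0)        # tbsCertificate is the first element
    fields = list(children(tbs))
    if fields[0][0] == CTX0:             # optional [0] EXPLICIT version
        fields = fields[1:]
    validity_tag, validity = fields[3]   # serialNumber, signature, issuer, validity, ...
    if validity_tag != SEQUENCE:
        raise ValueError("unexpected TBSCertificate layout")
    (t1, v1), (t2, v2) = children(validity)
    return parse_time(t1, v1), parse_time(t2, v2)

def check_lifetime(not_before, not_after, now=None, max_days=MAX_LIFETIME_DAYS, warn_days=30):
    """Summarise a validity period the way a renewal monitor would (warn_days is an assumption)."""
    if now is None:
        now = dt.datetime.now(dt.timezone.utc)
    lifetime_days = (not_after - not_before).days
    days_remaining = (not_after - now).days
    return {"lifetime_days": lifetime_days,
            "exceeds_limit": lifetime_days > max_days,
            "expired": now > not_after,
            "renew_soon": 0 <= days_remaining <= warn_days,
            "days_remaining": days_remaining}

# --- constructed sample input (not a real certificate: unsigned, empty names and key) ---
def _der(tag: int, value: bytes) -> bytes:
    """Encode one DER element with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + value

def build_sample_der(not_before: str, not_after: str) -> bytes:
    """Certificate skeleton with the real TBSCertificate field order and the given UTCTime pair."""
    alg = _der(SEQUENCE, _der(OID, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption
    tbs = _der(SEQUENCE,
               _der(CTX0, _der(INTEGER, b"\x02")) + _der(INTEGER, b"\x01") + alg   # version, serial, sigAlg
               + _der(SEQUENCE, b"")                                                # issuer (empty)
               + _der(SEQUENCE, _der(UTCTIME, not_before.encode()) + _der(UTCTIME, not_after.encode()))
               + _der(SEQUENCE, b"") + _der(SEQUENCE, b""))                         # subject, SPKI (empty)
    return _der(SEQUENCE, tbs + alg + _der(BITSTRING, b"\x00"))                     # placeholder signature

def sample_pem() -> str:
    """PEM armour around the one-year sample so pem_to_der() can be exercised offline."""
    b64 = base64.b64encode(build_sample_der("200901000000Z", "211004000000Z")).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

def run_sample():
    """Judge a 398-day and a 730-day sample as of 1 September 2020."""
    now = dt.datetime(2020, 9, 1, tzinfo=dt.timezone.utc)
    results = {}
    for name, nb, na in (("one_year", "200901000000Z", "211004000000Z"),
                         ("two_year", "200901000000Z", "220901000000Z")):
        not_before, not_after = certificate_validity(build_sample_der(nb, na))
        results[name] = check_lifetime(not_before, not_after, now=now)
    return results

if __name__ == "__main__":
    if len(sys.argv) > 1:                # python3 certcheck.py server.pem (path is an assumption)
        with open(sys.argv[1]) as f:
            print(check_lifetime(*certificate_validity(pem_to_der(f.read()))))
    else:
        for name, result in run_sample().items():
            print(name, result)
```

Run with no arguments to see the two constructed samples judged, or pass a PEM file exported from a server or load balancer to check a real certificate. The parser deliberately reads only the fields it needs and does not verify the signature, so it is an inventory tool, not a substitute for chain validation.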
Recent high profile cases of expired or compromised TLS certificates causing havoc include LinkedIn’s outage in May 2019, where users were warned that logins may not be secure after the company let an SSL certificate expire.
In December 2018, tens of millions of O2 and SoftBank mobile customers lost service for most of a day; the cause turned out to be an expired certificate in network software supplied by Ericsson.
This article is from the CBROnline archive: some formatting and images may not be present.