September 3, 2020

TLS Certificates Cut to One Year From This Month: What You Need to Know

"It's about making sure that, if a certificate gets into someone else's hands, it's not in someone else's hands for five years"

By Claudia Glover

As of the first of September, companies cannot buy a TLS certificate that lasts for longer than 398 days, in a move designed to protect users from compromised certificates.

The certificates were initially designed to last for five years, which was subsequently reduced to two. The latest change was announced by Apple in March.

“Keys valid for longer than one year have greater exposure to compromise,” explained a spokesperson for Mozilla in a blog post.

“A compromised key could enable an attacker to intercept secure communications or impersonate a website till the TLS certificate expires.”

You’ve Got the Whole Certificate in Your Hands

“It’s not so much to say the security is broken,” Alyn Hockey, VP of product management at security company Clearswift, explained to Computer Business Review.

“It’s just there are some applications that won’t communicate with servers if the certificate no longer validates”.


Hockey went on to outline why the shift to year-long licences has taken place:


“It’s about making sure that, if a certificate gets into someone else’s hands, it’s not in someone else’s hands for five years.

“Just being able to work with others rather than having old things lying around, which may or may not get reused or repurposed and could potentially lead to a vulnerability or an exploitation.”

What Your Business Needs to Know

Failing to renew a TLS certificate can result in a man-in-the-middle attack, possibly leading to sensitive information being exposed to a malicious third party.

To make sure that your business doesn’t suffer any fallout from a TLS failure, make sure that all certificates are up to date, particularly if you have just bought a new company with new domain names. A shorter licensing time should help to combat this.
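The check described above, as an added example that is not part of the original article: it takes certificate dicts in the format returned by Python's `ssl.SSLSocket.getpeercert()` and flags certificates that are expired, close to expiry, or issued on or after 1 September 2020 with a lifetime over 398 days. The host names, the sample dates and the 30-day warning window are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 398                                   # limit cited in the article
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)  # "first of September"
WARN_DAYS = 30                                            # assumption: renewal warning window

def _parse(ts):
    """Convert a getpeercert() timestamp ('Sep  2 00:00:00 2020 GMT') to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate dict for a live host (needs network).
    An already-expired certificate fails validation here and raises
    ssl.SSLCertVerificationError, which is itself a finding to record."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(cert, now=None):
    """Return the list of findings for one certificate dict."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    findings = []
    lifetime = (not_after - not_before).total_seconds() / 86400
    # The 398-day cap only applies to certificates issued from 1 Sep 2020 on.
    if not_before >= POLICY_START and lifetime > MAX_LIFETIME_DAYS:
        findings.append("lifetime_exceeds_398_days")
    remaining = (not_after - now).total_seconds() / 86400
    if remaining < 0:
        findings.append("expired")
    elif remaining <= WARN_DAYS:
        findings.append("expires_soon")
    return findings

def audit_inventory(certs, now=None):
    """Map each host name to its findings; hosts with no findings are omitted."""
    results = {host: audit(cert, now) for host, cert in certs.items()}
    return {host: f for host, f in results.items() if f}

# Constructed sample inventory (not real certificates).
SAMPLE = {
    "shop.example.test": {"notBefore": "Sep  2 00:00:00 2020 GMT",
                          "notAfter": "Sep  2 00:00:00 2022 GMT"},   # 730 days
    "legacy.example.test": {"notBefore": "Jun  1 00:00:00 2019 GMT",
                            "notAfter": "Jun  1 00:00:00 2021 GMT"}, # pre-policy
    "api.example.test": {"notBefore": "Oct  1 00:00:00 2020 GMT",
                         "notAfter": "Nov  1 00:00:00 2021 GMT"},    # 396 days
}
```

For live hosts, build the inventory with `{h: fetch_cert(h) for h in hosts}` and run `audit_inventory` on a schedule, adding newly acquired domains to the host list.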

Recent high-profile cases of expired or compromised TLS certificates causing havoc include LinkedIn’s outage in May 2019, where users were warned that logins may not be secure after the company let an SSL certificate expire.


Earlier in 2018, tens of millions of mobile customers using O2 and Softbank were prevented from using telco services due to what eventually turned out to be a certificate outage.
