SSL certificates Archives - Page 2 of 2 - Cybersecurity, intellectual property and domain names news

Soon a maximum duration of one year for SSL certificates?

Soon a maximum duration of one year for SSL/TLS certificates?

What is happening?

The industry actors plan to reduce the lifetime of SSL/TLS certificates, allowing the HTTPS display in browsers, to 13 months, i.e. almost half of the present lifetime of 27 months, in order to improve security.

Google through the CA/Browser Forum has indeed proposed this modification, approved by Apple and a Certification Authority, making it eligible to vote. During the next CA/B Forum meetings, if the vote is accepted, the modification of the requirements will come into effect in March 2020. Any certificate issued after the entry into force date will have to respect the requirements of the shortened validity period.

The aim for this reduction is to complicate things for cyber attackers by reducing the duration of the use of the potentially stolen certificates. It could also force companies to use the most recent and the most secured available encrypting algorithms.

If the vote fails, it’s not to be excluded that browsers supporting this requirement, unilaterally implement it in their root program, thus forcing the change to the Certification Authorities. It’s likely that this could be the case, this change follows Google’s precedent initiative that aimed to reduce the lifespan from three years to two years in 2018, period during which Google already wished to reduce it to 13 months or even less.

Who is impacted?

The changes proposed by Google would have an impact on all the users of TLS certificates of public trust, regardless of the Certification Authority that issued the certificate. If the vote passes, all certificates issued or reissued after March 2020 will have a maximum validity of 13 months. The companies using certificates with a validity period superior to 13 months will be encouraged to reconsider their systems and evaluate the impact of the proposed modifications on their implementation and their use.

The TLS certificates issued before March 2020 with a validity period superior to 13 months will stay operational. The public non-TLS certificate, for the code signing, the TLS private code and clients’ certificates, etc. are not concerned. It will not be necessary to revoke an existing certificate following the implementation of the new standard. The reduction will have to be applied during the renewal.

What do the market players think about this?

It would be a global change for the industry with impacts on all the Certification Authorities. They view this proposition in a negative light. We can see an economic interest above all, but not solely…

The main argument is that the market is not ready in terms of automation system of orders and certificates implementations. Indeed, there would be more human interventions with the risks associated with poor handling, or simply a higher risk of forgetting a certificate renewal.

For Certification Authorities, reducing the certificates’ lifespan to such a short term mainly presents an increase of the human costs related to the certificate portfolio management. If they are not fundamentally against this decision, they would particularly like more time to study what users and companies think.

The position of browsers makers

Be it Google or Mozilla, the spearheads of the native HTTPS massive adoption for all websites and the supporters of the Let’sEncrypt initiative, what is important is the encrypting of all web traffic. A reduction of the certificates lifespan reduces the risk of certificates theft on a long period and encourages the massive adoption of automated management systems. For these two actors, an ideal world would have certificate of maximum 3 months. If they are attentive to the market as to not impose their views too quickly, it is more than likely that in the long term the certificates’ lifespan will continue to decrease.

Nameshield’s opinion

The market continues its evolution towards shorter and shorter certificates’ validity, as a continual decrease of the authentication levels and consequently a need for management automated solutions that will increase. We will align on these requirements and advise our customers to prepare themselves for this reduction which will, without a doubt, arrive. Our Certification Authorities partners will also follow this evolution and will allow to provide all systems of required permanent inventory and automation.

To be heard

The CA/Browser Forum accepts comments of external participants and all discussions are public. You can directly enter your comments to the Forum distribution list: https://cabforum.org/working-groups/ (at the bottom of the page). Nameshield is in contact with CA/Browser Forum participants and will inform you of the future decisions.

The Nameshield SSL interface has had a complete makeover

More user-friendly, more comprehensive, more attractive… our brand new and improved Nameshield SSL interface is being launched on Thursday, June 13th allowing you to manage all of your certificates.

You will now have access to key metrics on your certificate portfolio, to different certificate lookup views (such as complete portfolio, detailed overview, certificates nearing expiry, pending orders, expired or revoked certificates), to an Organization and Contact management tool and a redesigned ordering system.

Lastly, a decision support tool has been included in the interface to help you choose the certificate that’s right for your needs.

The certificate range has been updated to cover all types of certificates, SSL, RGS, Code Signing, Individual certificates and with all levels of authentication.

The SSL team remains at your disposal for a demonstration and a complete user guide is available covering all possible operations and actions.

GDPR – What is the impact on your SSL certificates?

The European Data Protection Regulation (GDPR) came into effect on 25th May and its impact on the management of your SSL certificates portfolio is not neutral.

All Certification Authorities have previously always relied on the WHOIS of the domain name that needs to be certified in order to validate that the certificate applicant has the domain name technical operator’s agreement.

In order to validate an order, one of the authentication steps involved sending an email to one of the email addresses (admin or technical) found on the WHOIS.

However, the GDPR has left its mark and registrars no longer have the right to provide domain name owner personal data without the owner’s explicit consent. This means that the WHOIS database is unusable in terms of Certification Authorities being able to send out validation emails.

Faced with this situation, the Certification Authorities propose sending domain validation emails to one of the following generic addresses by default:

admin@domain.com
administrator@domain.com
postmaster@domain.com
webmaster@domain.com
hostmaster@domain.com

What if none of these addresses exist or is it too complicated to create?

There is an alternative solution. The Certification Authorities are able to validate that you have the domain name technical operator’s agreement through TXT record verification in the DNS zone of the domain name to be certified.

By verifying the presence of this TXT record, the Certification Authority is able to:

issue the certificate if it is a simple DV certificate (Domain validation)
continue to the next authentication steps if it is an OV (Organization Validation) or EV (Extended Validation) certificate.

Even with this in mind, the GDPR is changing the game and is having a significant impact on the SSL industry.
If the generic email validation method is not possible and we have to use TXT record verification method then we will indeed see an increase in certificate processing times.

What are the benefits of using Nameshield to manage your SSL certificates portfolio?

As a Registrar, Nameshield offers a unique market advantage for its SSL clients.
Nameshield carries out a pre-authentication process before each order reaches the Certificate Authority. This makes it possible to anticipate any blocking factors and if necessary to act quickly to resolve them:

Modification of a WHOIS
Edition of the zone to set up a TXT record (if the DNS are those of Nameshield)
Creation of alias admin @, administrator @, webmaster @, postmaster @, hostmaster @ (if the MX are those of Nameshield)

If you have any questions, please do not hesitate to call our dedicated SSL service.

SSL certificates reduction to 2 years maximum

The CAB forum, organization which defines the SSL certificates issuing and management rules approved the SSL certificates reduction to a duration of 2 years against 3 previously. Initiated by the browsers Chrome and Mozilla heading, this decision moves in the direction of an always more secured Internet by forcing the actors to renew more often their security keys and to stay on the last standards of the market.

This decision will be applicable to all Certification Authorities from March 1^st 2018. In order to ensure a smooth transition, from February 1^st 2018, Nameshield will not propose certificates with a 3 years duration anymore.

What impact for your certificates?

The new certificates will thus have a maximum duration of 825 days (2 years and 3 months to cover the possibility of 90 days early renewal). EV certificates were already under this scenario, so are concerned the DV and OV certificates in all their forms (standard, multi-sites or wildcard). Nothing in particular for these certificates.

For existing certificates, this new duration will have a consequence, since it will apply to all the certificates from March 1^st. A 3 years certificate issued recently and which would need to be replaced beyond the 825 days deadline, will then have to be authenticated again. It is then important to know it to prevent urgent reissue, including for the simple SAN adding. You have to check beforehand if the certificate to replace may be impacted, this is the case of DV and OV certificates, the EV are also not concerned here.

Nameshield’s SSL team will inform you regarding the concerned certificates.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_25904574_14	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
ppwp_wp_session	30 minutes	No description
visit	30 minutes	No description