Sometime in the next few months, Google will announce a deadline for the public Internet to begin using 90-day SSL/TLS certificates. It will likely be sometime in 2024. It probably won’t go over well.
There was a time, a decade ago, when SSL/TLS certificates could stay valid for up to five years. Unfortunately, that laid bare an inconvenient reality: the longer a certificate stays valid, the less reliable and secure it is—or, to put it another way, the chances it can be misused grow with each day.
What is an SSL/TLS Certificate?
(Image courtesy of GlobalSign)
SSL/TLS certificates are cryptographic files that get installed on web servers to facilitate connection security (via HTTPS) and server/organization authentication for the website that they’ve been issued for.
Browsers consume these certificates. When you arrive at a website, your web browser automatically downloads the certificate, verifies that it was issued by a certificate authority (CA) the browser trusts and is still within its validity period, and then connects securely.
A certificate’s trustworthiness is central to the very premise of web security. Browsers need to be able to rely on this information so that they can make the right trust decisions and keep their users safe.
So, logically, the longer you go until the next time you verify that information, the greater the risk is that it becomes outdated or unreliable. Think about how much can happen in five years. (Do you still trust all information from 2018?) Businesses come and go, change names, evolve, merge, etc.
With that in mind, browser companies have continually pushed for short certificate validity—so that identity information needs to be validated more frequently. The time period for certificate validity has shrunk from five years down to one year over the past decade. It will eventually shrink to 90 days after Google collects feedback from CAs (and their customers) and formalizes its plan.
Considering Verification
While it seems arduous to have to replace SSL/TLS certificates on every website every 90 days, there are a few things to consider.
There are two types of identity verification when it comes to SSL/TLS. First, there’s domain validation, which is the most basic. Domain validation confirms that the entity has control over its web domain; it is standard with all types of SSL/TLS certificates.
Then there is organization verification, which is what you see in Organization Validation (OV) and Extended Validation (EV) certificates. Organization verification involves a CA vetting team confirming that an organization is a valid, legal entity. This verification still only needs to occur once per year, as it has since 2021.
Organizations will, however, now need to demonstrate domain control and obtain a new certificate once every 90 days.
In effect, 90-day certificates mean that the workload involved in managing SSL/TLS will quadruple. That might seem negligible if you’re a smaller organization that only handles one or two public-facing websites. At scale, it could be a nightmare for large organizations and enterprises. Managing it all in a spreadsheet, as some companies continue to do, won’t cut it anymore.
Perspective Shift
Consider that (1) the shift to 90-day certificates is being proposed by Google and (2) Google Chrome has a share of 65.74% of the browser market. How many times has a market leader made a groundbreaking move that hasn’t put pressure on the rest of the market to follow suit? While Google might currently be the only browser with the proposal, you can bet that Apple, Mozilla, and Microsoft are having similar internal discussions.
This upcoming shift will potentially require more SSL/TLS certificates than most IT teams can currently handle. To adapt to this and other future changes in the browser industry, organizations should look to automation.
Automation has long been pushed in recurring discussions within the CA/Browser Forum, where industry standards are codified. Google’s representatives in particular have spent years beating the drum for automating SSL/TLS in forum discussions. More recently, in March 2023, Google addressed the need for automation in a Chromium blog post.
In some ways, this 90-day mandate may be akin to Google just ripping that Band-Aid off.
Fortunately, automation solutions have improved by leaps and bounds over the past several years. The Internet Security Research Group (ISRG) originated the Automated Certificate Management Environment (ACME) protocol for use with its free 90-day CA. The Internet Engineering Task Force (IETF) has since standardized the ACME protocol; the protocol is now in version 2 and is supported by most CAs (both commercial and non-commercial). ACME uses cross-platform client agents installed on web servers to complete the CA's domain-validation challenges, then request, retrieve, and install certificates for those domains, repeating the cycle automatically before each certificate expires.
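The renewal logic an ACME client runs on that 60-day cadence is simple to state but easy to get wrong in a spreadsheet. The following is an added example, not code from the original article or from any ACME client or CA: a minimal DER walker that pulls the notBefore/notAfter window out of an X.509 certificate and a renewal policy that fires once a set fraction of the lifetime has elapsed (the "renew 90-day certificates at 60 days" rule). Because a real certificate cannot be embedded here, `build_sample_certificate` constructs an unsigned, certificate-shaped DER structure with dummy fields before Validity; the field order, tags, and the RFC 5280 UTCTime/GeneralizedTime rules are real, the sample values are constructed.

```python
"""Added example: extract the validity window from a DER certificate and
decide whether an ACME-style renewal is due. Standard library only."""
from datetime import datetime, timedelta, timezone


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos.
    Returns (tag, value_start, value_end, next_tlv_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _parse_time(tag, raw):
    """RFC 5280 Time: UTCTime (tag 0x17, two-digit year, pivot at 50) or
    GeneralizedTime (tag 0x18, four-digit year). Both are 'Z' here."""
    text = raw.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # 50..99 -> 19xx, 00..49 -> 20xx
        text = f"{year}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Walk Certificate -> tbsCertificate -> ... -> validity and return
    (not_before, not_after) as timezone-aware datetimes."""
    _, tbs_start, _, _ = _read_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _, _ = _read_tlv(der, tbs_start)          # tbsCertificate SEQUENCE
    tag, _, _, nxt = _read_tlv(der, pos)              # optional [0] EXPLICIT version
    if tag == 0xA0:
        pos = nxt
    for _ in range(3):                                # serialNumber, signature, issuer
        _, _, _, pos = _read_tlv(der, pos)
    _, pos, _, _ = _read_tlv(der, pos)                # validity SEQUENCE
    times = []
    for _ in range(2):                                # notBefore, notAfter
        tag, vs, ve, pos = _read_tlv(der, tag_pos := pos) if False else _read_tlv(der, pos)
        times.append(_parse_time(tag, der[vs:ve]))
    return times[0], times[1]


def renewal_date(not_before, not_after, num=2, den=3):
    """Point at which num/den of the lifetime has elapsed; integer arithmetic
    on timedelta keeps it exact (2/3 of 90 days is day 60)."""
    return not_before + (not_after - not_before) * num // den


def renewal_due(not_before, not_after, now, num=2, den=3):
    """True once the renewal point has been reached or the cert has expired."""
    return now >= renewal_date(not_before, not_after, num, den)


# ---- constructed sample input (not a real, signed certificate) ----------
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _time(dt):
    # RFC 5280: dates through 2049 use UTCTime, 2050 and later GeneralizedTime.
    if dt.year < 2050:
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


def build_sample_certificate(not_before, not_after):
    """Certificate-shaped DER with dummy serial, algorithm, names and an
    empty signature; only the validity window is meaningful."""
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                         # version v3
               + _tlv(0x02, b"\x01")                                     # serialNumber (dummy)
               + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
               + _tlv(0x30, b"")                                         # issuer (empty, dummy)
               + _tlv(0x30, _time(not_before) + _time(not_after))        # validity
               + _tlv(0x30, b""))                                        # subject (empty, dummy)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    nb = datetime(2024, 3, 1, tzinfo=timezone.utc)
    na = nb + timedelta(days=90)
    der = build_sample_certificate(nb, na)
    print("validity:", certificate_validity(der))
    print("renew on:", renewal_date(nb, na).date())
```

The walker stops at the validity field, which is all a renewal scheduler needs; a real client would of course use a full X.509 library and also verify the chain. The two-digit-year pivot and the 2050 switch to GeneralizedTime are the details most home-grown date checks miss.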
The prospect of automation as a solution may be met with some hesitation. But at its core, automation improves security posture by removing the human element (including—let’s be nice here—the potential for human error). It can also remove the requirement for spreadsheets, saving IT’s time and consequently improving efficiency.
Moreover, we should have plenty of runway before these changes go into effect. Based on precedents set by previous validity reductions, it would be reasonable to guess sometime in mid- to late 2024 for an enforcement date.
In the meantime, keep this subject on your radar because it will impact everyone.