Browsers Will Soon No Longer Accept Older Certificates

Digital certificates are the mechanism used to convey the public keys and identities of algorithms essential to authenticating sites on the Internet. Since sites have changed to using TLS (identified with https: in the URL), every one of them needs a certificate. A change to the use of those certificates is in process and impacts site owners and may cause some annoyance for internet users.

different sized browser screens on devices

In the past, site owners requested certificates good for two years or so from the issuers. Requesting a certificate is not a difficult process, but it does take some time and requires payment to the issuer in most cases.

Why Make the Change?

This may seem like a petty issue, but there is a very good reason for this change if it isn't clear at first glance. Technology is changing at a frenetic pace, and encryption technologies are no exception. Attack mechanisms are changing, too. In the two to four year traditional lifetime of certificates, the keys could potentially be short enough for attackers to compromise the encryption. I don't think anyone expects that to happen in the near term; I certainly don't, but being prepared is always a good idea. History has borne that out.

The recommended lengths of the (RSA) keys has changed over the years. In the mid-2000s, it was 1024 bits and then moved to 2048 bits. That is way more than twice as difficult to compromise. However, even more importantly encryption algorithms are changing. These algorithms use much shorter keys (e.g. 256 bits) yet are more difficult to compromise than RSA keys of 3072 bits! Not all sites support all encryption protocols supported by TLS, and not all browsers do either. They negotiate the strongest ones they both support.

There are many other issues with website cryptography including hash functions (used primarily for integrity verification) and symmetric encryption algorithms (used for actually encrypting the data end-to-end) that are way too complex for a web post. The point is that recommendations change as technology improves and using certificates for a long time is probably no longer a good idea. We cover many of the issues of certificates in Learning Tree's introduction to cyber security, course 468.

The shorter lifetime for TLS makes it easier for standards groups to update recommendations for new algorithms and key lengths and have those recommendations implemented across the internet promptly. The shorter validity period was initially proposed a while ago, but not accepted. Apple unilaterally decided to reject certificates more than 398 days old if they were issued on or after September 1, 2020. The other major browsers are following Apple's lead.

This is not the first time certificate validity length has changed. The current maximum validity length of 825 days (just over two years) was established for March 1, 2018.

Will Users Be Impacted?

If all goes as planned, users are unlikely to be impacted. There is a chance that a site will use a certificate that exceeds the validity period and users will see a browser warning of some type, but I suspect any such sites will change their certificate promptly.

This is a good change. It allows security on the internet to be updated quickly. You and I are unlikely to notice, but that's a very good thing. Users should be able to use the web without having to think of such things.