Industry stakeholders are considering reducing the lifespan of HTTPS certificates to just 13 months, around half of the current duration, in order to improve security.
The CA/Browser Forum proposal would seek to make the changes from March 2020. It comes after certificate lifetimes were reduced from 39 to 27 months back in March 2018.
Proponents argue that doing so would make it harder for the black hats, as it would reduce the length of time stolen certificates could be used for. It could also force companies to use the latest and most secure encryption algorithms available.
However, not everyone is on board: Digicert standards technical strategist, Timothy Hollebeek, argued that “it is far from clear” there’s any security benefit in reducing TLS/SSL certificate lifespans.
“This change has absolutely no effect on malicious websites, which operate for very short time periods, from a few days to a week or two at most. After that, the domain has been added to various blacklists, and the attacker moves on to a new domain and acquires new certificates,” he added.
“Another benefit that is sometimes suggested is that shorter lifetime certificates allow quicker transitions when the compliance rules change. Two-year certificate lifetimes mean that certificates that are issued today will still be around two years from now. But isn’t it the responsibility of those managing the certificate ecosystem to come up with compliance rules that can endure for at least that long?”
The changes would also significantly ramp up the costs for organizations, Hollebeek argued, although they could always use free services like Let’s Encrypt.
“We believe the goal of improving certificate security is better served by allowing more time for companies to continue their growing use of automation, to test their systems and to prepare for these changes,” he said. “The primary point is that any benefit of reducing certificate lifetimes is theoretical, while the risks and costs to make the changes, especially in a short period of time, are real.”