Web body mulls halving HTTPS cert lifetimes. That screaming in the distance is HTTPS cert sellers fearing orgs will bail for Let's Encrypt

CA/Browser Forum – an industry body of web browser makers, software developers, and security certificate issuers – is considering slashing the lifetime of HTTPS certs from 27 months to 13 months.

The plan, floated at a meeting by Googler Ryan Sleevi earlier this year and still in its draft stages, comes just one year after the lifetime maximum for certificates was lowered from 39 months to 27 months. There is no word yet on when a vote may take place.

HTTPS certificates are, essentially, used to encrypt connections between browsers and sites, and help software determine that no one is tampering with or eavesdropping on those connections.

By reducing the amount of time a TLS/SSL certificate is valid, websites must renew their certs more often. This will, it is hoped, force them to use certificates with the latest and greatest recommended cryptography and hashing, rather than hang onto aging certs that use insecure algorithms. The short lifespan could also, in theory, help to cut down on fraudulent activity, as stolen certs would become useless sooner, and abandoned sites would see their certs expire faster.

This is not the first time such a plan has been floated. Back in 2017, the CA/Browser Forum voted down a proposal that would have sought cut the certificate lifespans from 39 months to 13 months.

In the background to all this, Let's Encrypt is continuing to enjoy a meteoric rise: it issues free 90-day HTTPS certs that can be automatically renewed and deployed using a provided software client. Let's Encrypt TLS/SSL certificates are supported by pretty much all browsers and operating systems, and the service is putting immense pressure on certificate floggers that charge people for HTTPS certs.

Google to bury indicator for Extended Validation certs in Chrome because users barely took notice

READ MORE

Digicert's Timothy Hollebeek is among those who oppose the move to cut the lifetime of certs to 13 months. He argued on Monday this week that the perceived benefits of shorter certificate lifetimes will be offset by the added costs and headaches companies would encounter by having to renew their paid-for certificates roughly once a year.

In other words, slashing the lifetime may drive organizations into using Let's Encrypt for free, rather than encourage them to cough up payment more regularly to outfits like Digicert. Digicert and its ilk charge, typically, hundreds of dollars for their certs: forcing customers to fork out more often may be more of a turn off than a money spinner.

"Rapidly reducing certificate lifetimes to one year, or even less, has significant costs to many companies which rely on digital certificates to protect their systems," Hollebeek said. "These costs are not offset by any significant security improvement, and these changes have no impact on bad actors who are engaged in illegal activity or impersonating legitimate companies."

Hollebeek also called into question the security benefits of the shorter lifespan, suggesting there are better ways to make sure certificates are current and safe.

"We believe the goal of improving certificate security is better served by allowing more time for companies to continue their growing use of automation, to test their systems and to prepare for these changes," Hollebeek writes. "The primary point is that any benefit of reducing certificate lifetimes is theoretical, while the risks and costs to make the changes, especially in a short period of time, are real." ®