In our latest round-up of recent developments from the world of SSL/TLS, we examine Apple’s decision to limit its Safari browser to one-year cert validity and consider the best way to choose an SSL/TLS certificate according to DigiCert. We also look at the right way to do HTTPS and the steps US authorities are taking to secure .gov domains.
The following compilation of certificate developments provides a snapshot of an industry in constant flux. Attackers never rest, and neither can the companies fortifying their defences against them. Get comfortable as we run through the state of play in the SSL/TLS certificate landscape this summer.
One-year TLS certificates look set to become the norm after Apple imposed its will on the industry, paving the way for other players to follow suit. Certificate authorities have been forced to accept a maximum validity of 398 days for publicly trusted TLS server certificates after Apple flexed its muscles, with Google Chrome and Mozilla Firefox falling into line. Safari, Chrome and Firefox will reject any certificate issued on or after September 1, 2020 whose validity period exceeds 398 days; certificates issued before that date keep whatever validity they were issued with until they expire.
TLS cert lifespans have long been a bone of contention in the industry, having started at eight years before gradually being whittled down. Last year, just 35% of CAs voted for a one-year cap on TLS certificates in the CA/Browser Forum, but the minority has now won out thanks to Apple forcing the change through its root program. The move is controversial, not least because it doubles the renewal workload for anyone still rotating certificates by hand, but it does narrow the window in which a compromised private key or mis-issued certificate stays usable (browser revocation checking is unreliable), forces more frequent re-validation of domain control, and speeds up the retirement of deprecated algorithms.
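To make the 398-day rule concrete, here is an added example (not code from the article, Apple or any browser vendor) that audits a certificate's validity period the way a monitoring job would. It works on the dictionary that Python's standard `ssl` module returns from `getpeercert()`, so the same function can be pointed at a live server or at stored data; the three sample certificates and the reference date are constructed for the example and are not real certificates. The 398-day check is applied only to certificates whose notBefore is on or after 1 September 2020, matching the browsers' cut-over, and the example also flags expired, not-yet-valid and soon-to-expire certificates.

```python
# Added example (not from the article): audit a TLS certificate's validity
# period against the 398-day limit browsers apply to certificates issued on
# or after 2020-09-01, and flag expired / not-yet-valid / expiring-soon certs.
# Input is the dict that ssl.SSLSocket.getpeercert() returns.
import socket
import ssl
from datetime import datetime, timedelta, timezone
from typing import Dict, List

MAX_LIFETIME = timedelta(days=398)
LIFETIME_RULE_START = datetime(2020, 9, 1, tzinfo=timezone.utc)


def _cert_time(value: str) -> datetime:
    # getpeercert() renders dates as "Sep  1 00:00:00 2020 GMT";
    # ssl.cert_time_to_seconds understands exactly that format.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def lifetime_days(cert: Dict[str, str]) -> int:
    """Validity period (notAfter - notBefore) in whole days."""
    return (_cert_time(cert["notAfter"]) - _cert_time(cert["notBefore"])).days


def audit_validity(cert: Dict[str, str], now: datetime, warn_days: int = 30) -> List[str]:
    """Return a list of findings; an empty list means the validity period is fine."""
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    findings: List[str] = []

    # The 398-day rule only applies to certificates issued on/after 2020-09-01;
    # older certificates (up to 825 days) stay trusted until they expire.
    if not_before >= LIFETIME_RULE_START and not_after - not_before > MAX_LIFETIME:
        findings.append(
            f"validity period of {lifetime_days(cert)} days exceeds the 398-day limit "
            "for certificates issued on or after 2020-09-01"
        )

    if now < not_before:
        findings.append("certificate is not yet valid")
    elif now > not_after:
        findings.append("certificate has expired")
    elif not_after - now <= timedelta(days=warn_days):
        findings.append(f"certificate expires in {(not_after - now).days} days")
    return findings


def fetch_peer_cert(host: str, port: int = 443) -> Dict:
    """Fetch the leaf certificate from a live server (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() form (not real certificates),
# and a constructed reference date for the audit.
SAMPLE_CERTS = {
    # Issued after the rule took effect with a two-year lifetime: rejected by browsers.
    "two-year": {"notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Oct  1 00:00:00 2022 GMT"},
    # 825-day certificate issued before 2020-09-01: still trusted until it expires.
    "legacy-825": {"notBefore": "Jun  1 00:00:00 2019 GMT", "notAfter": "Sep  3 00:00:00 2021 GMT"},
    # Short-lived certificate that is about to run out.
    "expiring": {"notBefore": "Jan  1 00:00:00 2021 GMT", "notAfter": "Feb  1 00:00:00 2021 GMT"},
}
AS_OF = datetime(2021, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(f"{name}: {lifetime_days(cert)} days; findings: {audit_validity(cert, AS_OF)}")
```

Note that browsers differ slightly at the exact boundary (whether the notBefore and notAfter seconds count inclusively), so a certificate that lands within a day of the limit deserves a manual look rather than trust in any single script.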
How to choose the right type of SSL/TLS certificate
DigiCert has published its advice on choosing the appropriate type of SSL/TLS certificate for your needs. Its blog post explains the difference between the three main certificate types: Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV). As DigiCert explains, “All three types of TLS/SSL certificates do fundamentally the same thing: encrypt information during TLS negotiations. However, beyond the [browser] padlock there are varying levels of security and risk.” It recommends:
- DV certificates, which verify only control of the domain name, should be used only where authenticating the organization behind the site is not a concern, such as protected internal systems.
- Organization Validation certificates, which require the CA to verify the legal identity of the business from submitted documentation, should remain the default choice.
- Extended Validation certificates should be used when the highest level of authentication is required and it is imperative to protect users and establish trust.
The full article contains loads of interesting tidbits about certificate types and their distinctions, some of which you may not be aware of, and is worth reading in full.
How to do HTTPS the right way
The CA Security Council has also been educating businesses on web security, publishing a guide on the best way to approach HTTPS. It explains the benefits of HTTPS, such as protecting sensitive information and aiding SEO, before issuing advice on correct server configuration to maximize the benefits of HTTPS. Its first recommendation? Partner with a trusted CA. It also advises businesses to scan their sites using a TLS tool that can identify weak or expired certificates.
US .gov domains beefed up with preloaded HSTS
While the importance of strong certificates shouldn't need reiterating, the US government has sent out a strong message about their value by adding the entire .gov top-level domain to the browser HSTS preload list. Browsers that ship the list will only ever connect to a .gov site over HTTPS and will refuse to let users click through a certificate error, which shuts down the protocol-downgrade and interception attacks that spoofed or TLS-stripped sites rely on. It will take some time until every existing .gov domain is ready for HSTS protection, but it's evident that this is the shape of web certification to come. Enterprises should take note and consider submitting their own domains to the preload list if the nature of their business demands robust protection at browser level.
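Getting a domain onto the preload list means meeting a few mechanical requirements on the base domain: a Strict-Transport-Security header with a max-age of at least one year, the includeSubDomains and preload directives, and a plain-HTTP listener that redirects to HTTPS on the same host. The following is an added example (not code from the article, from CISA/GSA, or from hstspreload.org) that parses an HSTS header per RFC 6797 and reports what would block a preload submission; the sample headers and redirect responses are constructed for the example.

```python
# Added example (not from the article): check a Strict-Transport-Security
# header and an HTTP->HTTPS redirect against the HSTS preload list requirements.
# The header a preload-ready server sends looks like (nginx syntax):
#   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
from typing import Dict, List
from urllib.parse import urlsplit

# hstspreload.org requires a max-age of at least one year on the base domain.
MIN_PRELOAD_MAX_AGE = 31536000


def parse_hsts(header_value: str) -> Dict[str, str]:
    """Parse an HSTS header value into {directive-name: value}.

    Directive names are case-insensitive and values may be quoted (RFC 6797),
    so 'max-age=31536000; includeSubDomains' and
    'MAX-AGE="31536000"; includesubdomains' parse to the same dictionary.
    """
    directives: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_problems(header_value: str) -> List[str]:
    """Return why this header would fail preload submission; [] means it passes."""
    d = parse_hsts(header_value)
    problems: List[str] = []
    if "max-age" not in d:
        problems.append("missing max-age directive")
    elif not d["max-age"].isdigit():
        problems.append(f"max-age is not a number: {d['max-age']!r}")
    elif int(d["max-age"]) < MIN_PRELOAD_MAX_AGE:
        problems.append(
            f"max-age {d['max-age']} is below the required {MIN_PRELOAD_MAX_AGE} (one year)"
        )
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains directive")
    if "preload" not in d:
        problems.append("missing preload directive")
    return problems


def redirect_ok(status: int, location: str, host: str) -> bool:
    """The port-80 listener must redirect to https:// on the *same* host (not to www., say)."""
    if status not in (301, 302, 307, 308):
        return False
    target = urlsplit(location)
    return target.scheme == "https" and target.hostname == host.lower()


# Constructed sample headers (not captured from real servers).
GOOD_HEADER = "max-age=31536000; includeSubDomains; preload"
SHORT_HEADER = "max-age=300"
NO_PRELOAD_HEADER = 'MAX-AGE="63072000"; includesubdomains'

if __name__ == "__main__":
    for h in (GOOD_HEADER, SHORT_HEADER, NO_PRELOAD_HEADER):
        print(f"{h!r}: {preload_problems(h) or 'preload-ready'}")
    print(redirect_ok(301, "https://example.gov/", "example.gov"))
```

Two caveats a practitioner will want: the HTTPS response that serves the redirect must itself carry the HSTS header, and once a domain is preloaded every subdomain must be reachable over HTTPS, so inventory internal and legacy hosts before submitting.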
6 PKI indicators to monitor
To round off our coverage of SSL/TLS certificate developments in Q2, we turn to a blog post we recently authored on vital PKI indicators your business should be monitoring. These include checking the signature hash algorithm, key strength, and certificate policy type. Check out the blog post to learn all six essentials you should be monitoring if you're serious about securing your sites and protecting your customers. And if you're looking to automate the PKI checking process, Keyhub by Remme has got you covered.