Google has made it clear that they want to shorten the validity of SSL/TLS certificates to 90 days. While this is not confirmed as going ahead - or when - it's a topic that excites such rabid discussion in the tech sphere and beyond.
What’s it to you? Basically, the time to automate SSL/TLS certificates is now – no longer a want, already a need. Be careful, you’re running out of time.
A Brief History of SSL/TLS
Once upon a time, there was no standard for website security. In fact, there were no methods at all to protect the transmission of sensitive info online. There was simply nothing when the first SSL (Secure Sockets Layer) arrived in 1994 (and debuted in 1995), so imagine the reception to this huge leap in the infosec world.
Due to several upgrades, it’s been replaced with TLS (Transport Layer Security), complete with a name change to avoid potential legal issues. I see why people still call it the old name- it’s like being phenomenally popular as Mariah Carey, when your loyalists know to call you Mimi.
Let’s be honest, though, that SSL has not been updated since 1996- it is officially deprecated. At present, your organization must be using TLS, as SSL’s vulnerabilities (interception and tampering with encryption) pushed the world to do so. Sure, SSL is still in use today, but mostly in legacy systems.
What was an SSL Certificate?
It was SSL that encrypted data traffic as a protocol created to protect the flow of communication between browser and servers. SSL protected data, usernames, passwords, bank details, and other confidential info. With SSL, prevent dubious stuff like tampering and eavesdropping.
On top of data encryption, it was SSL that helped to build the online credibility of organizations. It signaled that a customer was on a legitimate website that they could trust, where they could buy safely.
What is a TLS Certificate?
Around the time that the movie Fight Club was released in 1999, TLS rightfully improved upon SSL, and replaced it. The major difference? It is issued by a reliable third-party entity, kinda like a notary, but globally acclaimed online. This entity is called a Certificate Authority (CA).
A TLS certificate has information related to the website owner’s identity and the public key for communications to be encrypted. Whenever a browser connects to a website with a TLS, the browser verifies it through the CA’s public key. Once authenticated, the browser establishes a secure connection with the web server using the information in the TLS certificate. This is a special moment that happens briefly, almost like a handshake that initiates a meeting, so that the two parties acknowledge each other, define the terms of their relationship (cryptographic algorithms to be used), and agree on how to proceed (session keys). This protects their connection from unwelcome inputs that have no business being in that transaction or relationship. Cyber criminals, I’m looking at you.
SSL versus TLS
As established, both SSL and TLS are online cryptographic protocols that enable secure connections between clients and servers. Following the same purpose, they have key differences.
| SSL | TLS | |
| Development | The first of its kind: Created by Netscape Communications Corporation (1994) | Its clear purpose was to replace SSL: Developed by Internet Engineering Task Force (1999) |
| Authentication | Authenticated only the server | Incorporated far more powerful authentication methods into its design; Authenticated both server and client browser |
| Perfect Forward Secrecy (PFS) | None | If the private key gets compromised, PFS ensures that previous communications can remain safe. Each session creates a unique key that lasts only for that one session. |
| Algorithms | Weak SSL 3.0 uses RSA and RC4 | Strong TLS 1.2 uses ECDHE and AES |
| Deprecation | Unsafe Officially deprecated | Safe Globally acclaimed |
My SSL certificate expired. What now?
Once expired, your SSL can no longer be trusted to secure your connection, and an attacker may be able to intercept and view the information being transmitted between browser and server. Such an event gives out security warnings, which can make your website visitors leave. It can’t be overstated how essential it is to renew your SSL before it expires.
How do I check if my SSL has expired?
Whether you are on Windows, Linux, or Mac OS, it is a lot more practical to check your SSL expiry date through your browser. Doing so means that you need not download a program to check it the hard way.
Checking SSL expiry date on Google Chrome
- Click the padlock icon in the address bar for the website.
- Click on Connection is secure.
- Click on Certificate is valid.
- Under Validity Period, check “Expires On” to validate that the SSL certificate is current.
Checking SSL expiry date on Microsoft Edge
- After clicking on the padlock icon, click on Connection is secure.
- Click the Certificate Icon opposite Connection is secure.
- Find the certificate.
Checking SSL Expiry date on Firefox
- Click Connection secure.
- Click More information.
- Click View Certificate.
- Find Validity.
SSL Certificate Expiry Vulnerability Impact
It’s literally like having an expired passport: On top of having questionable authenticity, this means that you are not able to comply with the latest security standards, leading to all kinds of vulnerability down the line. See, an SSL certificate declares that you are a trusted passenger- a trusted website- sailing the seven seas of the internet. Your website is legitimate. Your website is a cut above the rest. Customers can entrust their safety- their identity, their financial details- with you. See, the chosen icon for SSL is not just randomly a padlock.
SSL expiry can lead to outages likely to damage reputation, customer trust, and revenue. Several cases have been featured on the news: the actual event of forgetting to renew has happened to a gargantuan cloud platform, a software company of similar influence, a major music streaming service that gives you free access to millions of songs, and more. Look it up.
What is the maximum validity period for my SSL certificate?
SSL/TLS certificates cannot be issued for longer than 13 months (397 days). This change was announced by popular browsers, namely Google and Apple at CA/Browser Forum in March 2020.
Changes in the SSL Space
The duration of SSL validity used to be up to two years, but the infosec world keeps on working to protect connections by moving validity periods to shorter and shorter durations. This is in accordance with industry best practices that only serve to protect all. Fortunately, the practice accounts for time zone differences and prevents CAs like GlobalSign from mis-issuing a certificate that exceeds the validity requirement. It was adjusted to a year, and extremely soon it’s going to be down to 90 days.
90 Day Validity: When will it actually matter to you?
While there is not yet an official date for this change, Google has released a survey to the CAs at the CA/B Forum and is requesting feedback on its stated plans. The multinational tech company is likely to deliberate on everyone’s inputs, after which it will announce enforcement dates for all proposed changes. Don’t worry, we’re keeping our eyes glued to this. We’re keeping you posted on all developments.
Best SSL Practices in APAC
Choose a Reliable CA
The best CAs go beyond the fact that they are one of the longest standing CAs in the world. The best CAs under-promise and over-deliver.
Do they say they’re supportive? For 24/7 tech support, they literally come to your country and build a vigorous local presence.
Do they say they’re acclaimed worldwide? They continuously build newer infrastructure to anticipate enormous success for your organization, which always comes with ever-changing demands.
They walk the talk. They go through ultracareful third-party audits to maintain their security position. They value their own reputation. They keep themselves beyond reproach, so they can lift you to that level, too.
Guess which CA does this? Click here.
Choose the Right SSL Certificate
SSL certificates have different levels of validation. You pick one to suit its purpose, whether it’s for a blogging site, an enterprise website, or an epic ecommerce site. As a tip, it’s best to avoid multi-server certificates to prevent duplication of private keys. Why is duplication a no-no? If one of the servers is compromised, all others protected by your SSL face the same security risks.
Ensure Effective SSL Expiry Monitoring and Certificate Management
Your organization probably has a menagerie of SSL and other certificates, each with its own date of expiration. Certificate management is a burden, and you’re well-advised to automate. Once the 90-day validity pushes through, you will need to renew your certificates at least four (4) times every year.
GlobalSign has Automated Certificate Management Environment (ACME), which enables you to seamlessly monitor issuances, renewals, expirations, revocations, etc. at a glance. Originally created by the Internet Security Research Group (ISRG), ACME has a very real potential to shape the future of SSL/TLS Certificate Validity. We invite you to hop on the train and be ahead of the curve.
For our use cases, click here.
Expired SSL/TLS certificates can wreak havoc and cause a costly, high security risk headache for your team. A certificate inventory tool such as GlobalSign’s Atlas Discovery lets you gain a comprehensive overview of your organization’s certificates. With certificate automation via ACME, you get to prevent outages and downtime, too.
There is nothing more reassuring than knowing your digital certificates are secured with the help of PKI experts and a trustworthy partner.
Don’t wait for this event to impact your site encryption.
Don’t wait for such time when you’re no longer protected.
