Over the last few months Google have made announcements which could see an industry shift in different areas of the browser market, from 90-day certificate validity to the removal of secure website indicators. But what do these announcements mean for the industry, and what action should businesses take?
- 90 day certificate validity
- Removal of secure website indicators
90 Day Certificate Validity
Probably the biggest shakeup in the industry right now is the unveiling of Google’s plan to reduce the lifespan of SSL/TLS certificates to 90 days. Current validity for such certificates is 13 months (398 days), but this could see the start of a shift for the browser industry, as you can bet the other browsers are likely to follow suit. The proposal certainly comes with a lot more questions than answers at this stage, but let’s look at some top-level points.
No date of implementation yet
This is not the first time there’s been a decrease in the validity term of SSL/TLS certificates, having previously decreased from 3 years to the current 13 months. There have been no further details revealed yet as to when this change might occur.
Opportunity to improve business security and mitigate risk
Whilst the thought of an increase in certificate numbers sounds like a headache brewing for your IT team, it is an opportunity to improve business security and mitigate risk. A decrease in certificate lifecycles will reduce ecosystem reliance on revocation, meaning less website down-time and a smaller window of opportunity for threat actors. Additionally, shorter-lived certificates will decrease the impact of unexpected Certificate Transparency Log disqualifications.
It’s time to review the way you manage SSL/TLS certificates
Whilst there isn’t a date for this change yet, it’s a prime opportunity to get ahead of the curve and review the way you manage your SSL/TLS certificates. Start by looking at what certificates you have within the business, and the processes in place to manage them. Managing certificates by hand is often time-consuming and error-prone, so this is the opportune moment to get your business ready for the upcoming changes and automate your certificate management with ACME.
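As a starting point for that review, the following added example (not from the original article) audits a certificate inventory against the current 398-day maximum and the proposed 90-day validity. The hostnames and dates are constructed, and renewing once two-thirds of a certificate's lifetime has elapsed is an assumed policy, not something Google has specified.

```python
import math
import ssl
from datetime import datetime, timezone

CURRENT_MAX_DAYS = 398    # current maximum validity cited in the article
PROPOSED_MAX_DAYS = 90    # validity Google has proposed

# Constructed sample inventory (hypothetical hosts and dates), in the format
# printed by `openssl x509 -noout -dates`.
SAMPLE_INVENTORY = {
    "www.example.test": ("notBefore=Jan 10 00:00:00 2023 GMT",
                         "notAfter=Feb 11 23:59:59 2024 GMT"),
    "api.example.test": ("notBefore=Jul  1 00:00:00 2023 GMT",
                         "notAfter=Sep 28 23:59:59 2023 GMT"),
    "legacy.example.test": ("notBefore=Jul  1 00:00:00 2021 GMT",
                            "notAfter=Jul 31 23:59:59 2023 GMT"),
}

def parse_openssl_date(line):
    """Turn 'notAfter=Feb 11 23:59:59 2024 GMT' into an aware UTC datetime."""
    value = line.split("=", 1)[1].strip()
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def audit(inventory, now, renew_fraction=2 / 3):
    """Classify each certificate; renew_fraction is an assumed renewal policy."""
    report = {}
    for host, (before_line, after_line) in inventory.items():
        not_before = parse_openssl_date(before_line)
        not_after = parse_openssl_date(after_line)
        lifetime = not_after - not_before
        if now >= not_after:
            status = "expired"
        elif now - not_before >= lifetime * renew_fraction:
            status = "renew-now"
        else:
            status = "ok"
        lifetime_days = math.ceil(lifetime.total_seconds() / 86400)
        report[host] = {
            "lifetime_days": lifetime_days,
            "days_left": max((not_after - now).days, 0),
            "status": status,
            "over_current_max": lifetime_days > CURRENT_MAX_DAYS,
            "fits_90_day_policy": lifetime_days <= PROPOSED_MAX_DAYS,
        }
    return report

if __name__ == "__main__":
    as_of = datetime(2023, 9, 5, tzinfo=timezone.utc)  # fixed date so output is repeatable
    for host, row in audit(SAMPLE_INVENTORY, as_of).items():
        print(host, row)
```

Certificates that report `fits_90_day_policy` as false are the ones whose issuance process would have to change under the proposal.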
Removal of Secure Website Indicators
The lock icon on a website URL is a symbol of security and trustworthiness. But Google has announced its plans to switch it up in the Chrome 117 update with a new “variant of the tune icon” which doesn’t directly show that a site is secure or should be trusted.
New Google Chrome ‘tune icon’. Image Source: BleepingComputer
It’s not that the HTTPS information won’t be there; it just won’t be represented on the top banner. Instead, it will be moved to a submenu triggered by clicking the new “tune” menu. The update to Chrome 117 is due to be released in September 2023.
The Final Word
Google are known for taking some risks to push a shift in the market, and with a 65% market share, can you blame them? But it has to be asked: could the removal of secure website indicators be deliberately in line with the 90-day certificate lifespan plans, or is it just a convenient coincidence?
Either way, it has highlighted the importance of automating certificate management to stay up to date with industry changes. It’s certainly shaping up to be an interesting year when it comes to SSL/TLS certificates, and one to watch!