SSL Certificate Validity Reduced to 47 Days After Apple Proposal (securityonline.info)

submitted 1 day ago by kid@sh.itjust.works to c/cybersecurity@sh.itjust.works

10 comments fedilink hide all child comments

top 10 comments

sorted by: hot top controversial new old

[-] drspod@lemmy.ml 28 points 1 day ago

There is an arguably much worse security issue which could potentially be caused by this change: If users become more likely to encounter expired certificate warnings, then they are more likely to have to click through those warnings and develop warning-fatigue, making them more vulnerable to accepting invalid certificates during an actual attack on their system.

It will be interesting to see whether CAs are capable of increasing their capacity by the 10x necessary just to serve the same number of customers. Presumably they will need to raise prices to accomplish this. Outages with certificate renewal systems will be almost inevitable - it's only a question of how frequently we see it.

[-] cron@feddit.org 10 points 1 day ago

Letsencrypt already renews all of their certificates every 60 days. Not much will change for the largest CA.

And as most admins are getting used to free certificates, paying for certs will become even less a thing.

[-] gezero_tech@lemmy.bowyerhub.uk 2 points 1 day ago

Let's see what the reduced funding from US gov will do.

[-] lily33@lemm.ee 4 points 1 day ago

They're already also offering 6-day certs, so capacity isn't a problem.

[-] bamboo@lemmy.blahaj.zone 5 points 1 day ago

This isn't an overnight change, we have 3 years until the 47 day certificates go into effect.

In terms of increasing their capacity by the 10x, having shorter certificate lifetimes means that CAs will have a shorter list of valid but revoked certificates, and also will have way less of valid certificates in the certificate transparency logs. These are checked constantly, so the reduced size means less costs serving this information.

CAs are already charging an arm and a leg for very little work of signing the certificates. Doing domain validation is an automated process, so unless the need is for OV certificates (which doesn't differentiate you anymore in modern browsers), CAs won't need to hire more people for issuing certificates. With Let's Encrypt being a free option that supports ACME, if CAs use this change as a cash grab, they'll probably see clients move away rather than put up with the outrageous costs.

[-] cron@feddit.org 9 points 1 day ago

The relevant timeline from the article:

Phased Implementation Timeline:

Until March 14, 2026: Maximum validity remains 398 days

Until March 14, 2027: Validity shortened to 200 days

Until March 14, 2028: Validity shortened to 100 days

From March 15, 2028 onward: Maximum validity reduced to 47 days

[-] lnxtx@feddit.nl 6 points 1 day ago

But price will be the same (47/365), right? Right...?

[-] cron@feddit.org 11 points 1 day ago

I think manual ordering of certificates will come to an end.

[-] FMT99@lemmy.world 11 points 1 day ago

I just kicked the last of our manually requested certs off our servers and replaced them with auto renewing short term certs. Replacing certs every year is a job I won't miss.

[-] Australis13@fedia.io 3 points 1 day ago

Ouch, that's going to hurt. I completely understand why, but still...

this post was submitted on 14 Apr 2025

23 points (89.7% liked)

Cybersecurity

6987 readers

374 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social