web analytics

Apple Enrages IT — 45-Day Cert Expiration Fury – Source: securityboulevard.com

Rate this post

Source: securityboulevard.com – Author: Richi Jennings

A woman holds up a calendarLudicrous proposal draws ire from “furious” systems  administrators.

Apple wants to limit website certificate validity to just 45 days. Cupertino’s iPeople propose to change Safari to reject SSL/TLS/HTTPS sites whose certificates expire “too far” into the future. Is it April 1 already?

First Google wants the cert lifespan to be 90 days, now this? In today’s SB  Blogwatch, we wonder why they don’t go the whole hog and drop it to an hour.

Your humble blog­watcher curated these bloggy bits for your enter­tain­ment. Not to mention:  Bunny boing.

CA/B Testing

What’s the craic? Jessica Lyons reports: Apple’s ‘nightmarish’ SSL/TLS cert lifespan cuts

Headache for busy IT security teams
Apple wants to shorten SSL/TLS security certificates’ lifespans, down from 398 days now to just 45 days by 2027. … The Apple proposal [is] a draft ballot measure that will likely go up for a vote among Certification Authority Browser Forum (CA/B Forum) members in the upcoming months.

Lifespans of certs have been gradually decreasing over the years in an ongoing effort to boost internet security. Prior to 2011, they could last up to about eight years. … Apple’s proposal would shorten the max certificate lifespan to 200 days after September 2025, then down to 100 days a year later and 45 days after April 2027. The ballot measure also reduces domain control validation (DCV), phasing that down to 10 days after September 2027.

Shorter lifespans improve internet security overall [but] the burden of managing these expired certs will fall squarely on the shoulders of systems administrators.

Those poor, overworked sysadmins. Where la Lyons goes, so must Nick Farrell: Apple makes systems administrators furious

Apple will, of course, bleat
The fruity cargo cult … made systems administrators unfortunate enough to work on its software furious with a cunning plan to drastically cut the lifespan of SSL/TLS security certificates. … If approved, it will affect all Safari certificates.

However, systems administrators will be heavily responsible for managing these more frequent renewals. … The simple answer would be for system administrators to shift their companies off Safari and onto something that does not require updating so often. Apple will, of course, bleat that it is not so secure, but then we are talking about Safari.

Esper

AWS

Horse’s mouth? Apple’s collaborator, Sectigo, has this to say: Draft Ballot to Shorten Certificate Lifespan

There’s logic behind this
On October 9, during the second day of the fall CA/Browser Forum Face-to-Face meeting, Apple revealed that it had published a draft ballot … to incrementally phase maximum term for public SSL/TLS certificates down to 45 days between now and 2027. The draft also phases down the DCV reuse period over time, until it reaches 10 days in 2027.

This move from Apple follows Google’s … in­ten­tion to reduce the maximum val­i­dity … from 398 days to 90 days, in a future policy update or a CA/B Forum ballot proposal. … It’s important to note that it is just in the proposal for discussion stage, but it clearly sends a strong message to the industry.

But although there’s logic behind this, the gradual decrease in certificate lifespans will no doubt prove a headache for busy IT security teams juggling with lots of certificates expiring at different times. … Companies that use manual methods for tracking and monitoring certificate[s] will soon find themselves overwhelmed.

But is it really more secure? Yes, according to bawolff, who explains why:

The main issue is lack of a working revocation mechanism. … We don’t have a really good way of revoking keys after something bad happens. We have some bad ways, but they kind of suck.

Certificate revocation sucks? How so? Mike Pellatt counts the ways:

OCSP is being deprecated, thanks to well-documented privacy issues.
CRL lists are hard to trust and potentially a major performance hit.
Reducing cert lifespan is, probably, the only mitigation possible for what is, at its core, a broken infrastructure.

Seems like a good idea then? Not so fast; reg worries the cure might be “worse than the disease:”

I’ve seen this sort of thing over and over again as protocols are removed from browsers … with the result being that people have to use old versions to manage … old stuff that is no longer being supported. This forces you to use an old browser that will likely get hacked if you forget and open a modern site. … I had this with UPSs, printers, data acquisition systems, lab testing equipment, etc.

[And it] will result in more expired certs, meaning more people will be trained to ignore expired certs. … Even if the updates are automated, the real risk is that the signing cert is hacked, and that will just keep getting used in automation. The thing that needs quicker response time is invalidation. The same logic led to decades of 30-day password expiry.

And u/fsweetser agrees:

I’ve worked with a good number of devices where you literally can’t update the cert [except] via interactive web login, period. … This is going to be a pain point that will likely lead to, “Yeah, just ignore the cert errors.”

Any other unintended consequences? This Anonymous Coward dreams up a doozy:

The problem [is] as the expiry horizon shortens, the need to automate the replacement increases. And that mass automation will provide an avenue for an attack itself — especially for 5-eyes agencies.

Meanwhile, erichocean sounds slightly sarcastic:

Remember: The most secure device is a device that doesn’t work at all. Thank you SSL/TLS cert lifespan cuts for making this a reality. Well done, everyone.

And Finally:

Starts off hard; finishes awwwww

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weird­est web­sites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past per­formance is no guar­antee of future results. Do not stare into laser with re­maining eye. E&OE. 30.

Image sauce: Brooke Lark (via Unsplash; leveled and cropped)

Recent Articles By Author

Original Post URL: https://securityboulevard.com/2024/10/apple-cert-lifespan-fight-richixbw/

Category & Tags: Application Security,AppSec,Cloud Security,Cybersecurity,Data Privacy,Data Security,Deep Fake and Other Social Engineering Tactics,DevOps,DevSecOps,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Industry Spotlight,IOT,IoT & ICS Security,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Securing Open Source,Securing the Cloud,Securing the Edge,Security at the Edge,Security Awareness,Security Boulevard (Original),Security Challenges and Opportunities of Remote Work,Security Operations,Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Spotlight,Threats & Breaches,Zero-Trust,90-day certificates,90-day TLS certificate validity,Apple,Apple Safari,browser,Browser Security,CA/B Forum,CA/Browser Forum,CAB Forum,certificate,Certificate and Key Lifecycle Management,Certificate and Key Management,Certificate Automation,mobile safari,Safari,SB Blogwatch,Sectigo – Application Security,AppSec,Cloud Security,Cybersecurity,Data Privacy,Data Security,Deep Fake and Other Social Engineering Tactics,DevOps,DevSecOps,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Industry Spotlight,IOT,IoT & ICS Security,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Securing Open Source,Securing the Cloud,Securing the Edge,Security at the Edge,Security Awareness,Security Boulevard (Original),Security Challenges and Opportunities of Remote Work,Security Operations,Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Spotlight,Threats & Breaches,Zero-Trust,90-day certificates,90-day TLS certificate validity,Apple,Apple Safari,browser,Browser Security,CA/B Forum,CA/Browser Forum,CAB Forum,certificate,Certificate and Key Lifecycle Management,Certificate and Key Management,Certificate Automation,mobile safari,Safari,SB Blogwatch,Sectigo

Views: 2

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post