Some of Our Sources
- Slashdot
- Techcrunch
- Team Treehouse
- Pearsonified
- TutsPlus - Design
- My Ink Blog
- Web Design Ledger
- Stylized Web
- Codrops
- Daily Now
Help Webnuz
Referal links:
August 18, 2019 07:34 pm
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/CCgyGm8zBuE/should-https-certificates-expire-after-just-397-days
Should HTTPS Certificates Expire After Just 397 Days?
Google has made a proposal to the unofficial cert industry group that "would cut lifespan of SSL certificates from 825 days to 397 days," reports ZDNet.No vote was held on the proposal; however, most browser vendors expressed their support for the new SSL certificate lifespan. On the other side, certificate authorities were not too happy, to say the least. In the last decade and a half, browser makers have chipped away at the lifespan of SSL certificates, cutting it down from eight years to five, then to three, and then to two. The last change occured in March 2018, when browser makers tried to reduce SSL certificate lifespans from three years to one, but compromised for two years after pushback from certificate authorities. Now, barely two years later after the last change, certificate authorities feel bullied by browser makers into accepting their original plan, regardless of the 2018 vote... This fight between CAs and browser makers has been happening in the shadows for years. As HashedOut, a blog dedicated to HTTPS-related news, points out, this proposal is much more about proving who controls the HTTPS landscape than everything. "If the CAs vote this measure down, there's a chance the browsers could act unilaterally and just force the change anyway," HashedOut said. "That's not without precendent, but it's also never happened on an issue that is traditionally as collegial as this. "If it does, it becomes fair to ask what the point of the CA/B Forum even is. Because at that point the browsers would basically be ruling by decree and the entire exercise would just be a farce." Security researcher Scott Helme "claims that this process is broken and that bad SSL certificates continue to live on for years after being mississued and revoked -- hence the reason he argued way back in early 2018 that a shorter lifespan for SSL certificates would fix this problem because bad SSL certs would be phased out faster." But the article also notes that Timothy Hollebeek, DigiCert's representative at the CA/B Forum argues that the proposed change "has absolutely no effect on malicious websites, which operate for very short time periods, from a few days to a week or two at most. After that, the domain has been added to various blacklists, and the attacker moves on to a new domain and acquires new certificates."Read more of this story at Slashdot.
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/CCgyGm8zBuE/should-https-certificates-expire-after-just-397-days
Share this article:
Tweet
View Full Article
Slashdot
Slashdot was originally created in September of 1997 by Rob "CmdrTaco" Malda. Today it is owned by Geeknet, Inc..More About this Source Visit Slashdot