In a move that’s likely to cause further compliance headaches for small businesses and website owners, Apple has announced that its Safari browser will reject HTTPS certificates that are valid for more than 398 days, which comes to slightly over one year. The company revealed this at a consortium of certification authorities (49th CA/Browser Forum) convened a few days ago.
HTTPS certificates, which are based on regularly updated TLS encryption standards, tell Internet users that the connection to the website they’re visiting is secure. The maximum TLS certificate lifetime in browsers has gone from 10 years in the past to a little over 2 years presently.
Today's big news: One year max public TLS certs are coming, starting 1 Sept 2020, if you want to be trusted in Safari.
— Dean Coclin (@chosensecurity) February 19, 2020
Apple’s announcement means any website that obtains a TLS certificate after August 31 that’s valid for more than 398 days will not load as it’s supposed to on the Safari browser. Visitors to such sites will see a ‘Your connection is not private’ notification instead.
In other words, Safari will reject its HTTPS certificate. But a website that already has a certificate which will expire any time after September 1, 2020, will load as usual on the browser. And even though certification authorities have not agreed with Apple on the idea of this 1 year lifetime, domain owners will be forced to toe the line anyway.
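As an added example (not code from Apple or from this article), the Python check below applies the rule described above to certificate validity dates in the text form that Python's `ssl.getpeercert()` returns. The 00:00 UTC cutoff on 1 September 2020, the plain notAfter minus notBefore lifetime, and the hostnames and dates in the sample inventory are assumptions constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Assumption: the article gives only dates, so the cutoff is taken as 00:00 UTC.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=398)

def _parse(ts):
    """Parse 'Sep  1 00:00:00 2020 GMT', the form ssl.getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)

def check_lifetime(not_before, not_after):
    """Apply the 398-day rule to one certificate's validity period."""
    issued, expires = _parse(not_before), _parse(not_after)
    if expires <= issued:
        raise ValueError("notAfter must be later than notBefore")
    lifetime = expires - issued  # assumption: plain difference of the two fields
    in_scope = issued >= POLICY_START  # earlier certificates are unaffected
    return {
        "lifetime_days": lifetime / timedelta(days=1),
        "in_scope": in_scope,
        "rejected": in_scope and lifetime > MAX_LIFETIME,
    }

def audit(inventory):
    """Return the hosts whose certificate falls foul of the rule."""
    return [host for host, nb, na in inventory if check_lifetime(nb, na)["rejected"]]

# Constructed inventory: (host, notBefore, notAfter). Not real certificates.
SAMPLE = [
    ("legacy.example", "Aug 31 12:00:00 2020 GMT", "Dec  4 12:00:00 2022 GMT"),
    ("edge.example", "Sep  1 00:00:00 2020 GMT", "Oct  4 00:00:00 2021 GMT"),
    ("over.example", "Sep  1 00:00:00 2020 GMT", "Oct  4 00:00:01 2021 GMT"),
    ("twoyear.example", "Sep  1 00:00:00 2020 GMT", "Sep  1 00:00:00 2022 GMT"),
]

if __name__ == "__main__":
    for host, nb, na in SAMPLE:
        r = check_lifetime(nb, na)
        verdict = "REJECTED" if r["rejected"] else "ok"
        print(f"{host:16} {r['lifetime_days']:8.2f} days  {verdict}")
```

The 825-day certificate issued on August 31 passes because it predates the cutoff, while a certificate issued on September 1 is rejected as soon as its lifetime exceeds 398 days by a single second.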
Security developer Michal Špaček feels it’s good news since some browsers omit online certificate status checks for the sake of speeding up a website’s loading time. He thinks even a one year cap on HTTPS certificates’ validity is too long and should be reduced further.
In the meantime, all website owners can do is get with Apple’s latest orders or risk broken pages on billions of devices, potentially reducing their audience reach.