Google Proposes Reducing TLS Cert Life Span to 90 Days

Published: 23/11/2024   Category: security




Organizations will likely have until the end of 2024 to gain visibility and control over their keys and certificates.



Google is proposing to reduce the life span of digital certificates used to secure websites and other online communications to just 90 days. Currently, public Transport Layer Security (TLS) certificates have a maximum validity of 13 months, or 398 days.
Certificate authorities issue TLS certificates (also called Secure Socket Layer, or SSL, certificates) with an expiration date. The life span of these certificates has been shrinking over the past few years, since frequently cycling them makes it harder for attackers to use fraudulent certificates.
In the Chromium Projects “Moving Forward, Together” roadmap, Google suggested the change to 90 days could be made either in the form of a future policy update or as a CA/B Forum Ballot Proposal. If the CA/B Forum — a consortium of browser makers, certificate authorities, and other stakeholders in the digital certificate ecosystem — doesn't formally make 90 days the industry standard, Google can unilaterally force this change on the industry by making the shorter validity period a requirement for the Chrome root program. Browsers control their own root program requirements, so browser makers don't have to wait for formal rule changes from the CA/B Forum. By virtue of Chrome's market share, if Google makes this change for Chrome, that makes it a de facto standard that every commercial public certificate authority would have to follow.
The impact goes beyond browser makers and certificate authorities because organizations will need to renew their digital certificates more often. The process, if handled manually, can be brittle because it involves identifying certificates about to expire, getting new ones issued, revoking the old ones, and deploying the new certificates. With the new validity period, IT security teams will have to handle renewals four times a year for each certificate — an arduous task considering most enterprises have many certificates and that number is growing rapidly.
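The first step of that manual process, identifying certificates about to expire, is straightforward to script. The following is an added example, not code from the article or from Google: it audits a constructed inventory against the 398-day and 90-day limits mentioned above. The host names, dates, audit date, and the 30-day renewal window are assumptions.

```python
import ssl
from datetime import datetime, timezone

CURRENT_MAX_DAYS = 398    # current maximum validity cited in the article
PROPOSED_MAX_DAYS = 90    # validity Google proposes
RENEW_WINDOW_DAYS = 30    # assumption: renew once 30 days or fewer remain

# Constructed sample data. Each "cert" dict has the notBefore/notAfter fields
# that ssl.SSLSocket.getpeercert() returns for a live connection.
INVENTORY = [
    {"host": "www.example.test", "cert": {
        "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Feb  2 00:00:00 2025 GMT"}},
    {"host": "api.example.test", "cert": {
        "notBefore": "Oct  1 00:00:00 2024 GMT", "notAfter": "Dec 30 00:00:00 2024 GMT"}},
    {"host": "old.example.test", "cert": {
        "notBefore": "Aug  1 00:00:00 2024 GMT", "notAfter": "Oct 30 00:00:00 2024 GMT"}},
]
SAMPLE_NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)  # constructed audit date


def parse_cert_time(value):
    """Convert an OpenSSL-style time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def audit(inventory, now):
    """Return one finding per certificate: lifetime, days left, and status."""
    findings = []
    for entry in inventory:
        not_before = parse_cert_time(entry["cert"]["notBefore"])
        not_after = parse_cert_time(entry["cert"]["notAfter"])
        lifetime = (not_after - not_before).days
        remaining = (not_after - now).days
        if remaining < 0:
            status = "expired"
        elif remaining <= RENEW_WINDOW_DAYS:
            status = "renew-now"
        else:
            status = "ok"
        findings.append({
            "host": entry["host"],
            "lifetime_days": lifetime,
            "days_remaining": remaining,
            "status": status,
            "over_current_max": lifetime > CURRENT_MAX_DAYS,
            "over_proposed_max": lifetime > PROPOSED_MAX_DAYS,
        })
    return findings
```

Certificates flagged `over_proposed_max` are the ones whose issuance profile would have to change under a 90-day limit, independent of how soon they expire.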
Google did not provide a specific timeline in its roadmap, but based on how the changes have unfolded in the past, the new validity period will likely take effect by the end of 2024, which gives organizations time to gain visibility and control over their keys and certificates.
