Embracing Change: Google’s Move to Reduce TLS Certificate Lifespans

In the ever-evolving realm of cybersecurity, change is the only constant. In March, a shift was set in motion as Google, through The Chromium Projects, laid out a plan to reshape the landscape of Transport Layer Security (TLS) digital certificates. The proposal, unveiled within the roadmap titled “Moving Forward, Together,” seeks to reduce the lifespan of these certificates from 398 days to 90 days.

TLS (Transport Layer Security) certificates, still commonly referred to as SSL (Secure Sockets Layer) certificates, are digital credentials that play a crucial role in securing online communication. These certificates go beyond the familiar padlock icon and “https” in a website’s URL: they provide vital assurances to both website operators and visitors.

TLS certificates authenticate the identity of a website or domain, ensuring that users are connecting to the legitimate and intended destination. This authentication process safeguards against domain spoofing, a common tactic used by cybercriminals to deceive users. While this move promises enhanced reliability and robustness for web operations, it also demands a profound transformation in how organizations manage their digital certificates, particularly in automation.

Read on to learn more about the TLS certificate lifespan reduction and how your organization can prepare for it with the help of BreachLock’s attack surface management.

Google’s Move to Reduce Certificate Lifespan

In March, a significant proposal emerged within the Chromium Projects, presented to the CA/Browser Forum—a coalition encompassing certification authorities (CAs), browser developers, and other key stakeholders. This proposal aims to reduce the validity period of SSL/TLS certificates from 398 days to a mere 90 days. While this proposition remains subject to finalization, the potential for such a drastic reduction in certificate lifespan should serve as an unmistakable wake-up call for organizations. They are now compelled to prioritize bolstering their security controls and visibility of public keys and certificates, recognizing that this proposal signifies a fundamental shift in the landscape of certificate management.

A decade ago, the prevailing five-year validity period of certificates reflected a different era. During that time, obtaining a certificate for a web server often led to complacency, with teams overlooking the need for regular monitoring of certificate expiration or renewal. This complacency posed the risk of certificate-related outages. The subsequent reduction in certificate validity to 398 days marked a crucial turning point, compelling teams to establish a routine for vigilant expiration checks.

To its credit, Google is taking a cooperative approach, suggesting that the shift to 90-day lifespans could occur through either a future policy update or a CA/B Forum Ballot Proposal.

This move is not entirely unprecedented. The reduction from 2 years to 1 year in 2020 was driven by Apple’s similar initiative, which signaled their intent to limit certificate validity periods to 1 year. This prompted the CA/B Forum to endorse the reduction in certificate lifespans.

The primary impact of transitioning to 90-day certificate lifespans is expected to be borne by organizations rather than CAs or browsers. With these shorter lifespans, organizations will be required to renew their digital certificates more frequently—four times a year instead of the previous once-a-year renewal. This necessitates their readiness to identify certificates nearing expiration, request new certificates, and revoke expiring ones promptly. Without automation, this becomes a daunting task, especially considering the exponential growth in the number of certificates employed by organizations.

Why Is This Move Important?

Google’s initiative marks a significant change in SSL/TLS certificate management practices and highlights the urgent need for organizations to adapt quickly and comprehensively. According to Gartner, cyber-attacks are projected to increase by 45% by the end of 2025, so reducing SSL/TLS certificate lifespans is of paramount importance in the face of an escalating threat landscape. Here’s why:

    • Heightened Security: The reduction of certificate validity periods emerges as a critical security measure. By curtailing the time compromised certificates remain active, this initiative narrows the window of opportunity for cybercriminals.
    • Efficient Management: With the introduction of shorter certificate lifespans, organizations are compelled to streamline their certificate management processes. This mandate goes beyond mere compliance; it’s about ensuring that organizations can efficiently track, renew, and replace certificates as required. Effective management becomes essential in maintaining operational continuity and trustworthiness.
    • Regulatory Alignment: The evolving threat landscape necessitates continuous adaptation. Compliance with dynamic industry standards is not merely a box-ticking exercise; it is a demonstration of an organization’s commitment to security and reliability. Proactively aligning practices with evolving standards ensures that organizations remain resilient in the face of regulatory changes and user expectations.
    • Cybersecurity Resilience: In a world where cyber-attacks are projected to surge, organizations must fortify their cybersecurity resilience. This shift in certificate management aligns with the broader effort to stay ahead of threats. The ability to swiftly respond to potential vulnerabilities and threats becomes a cornerstone of cyber resilience.

How Your Organization Can Be Impacted

The move to shorter SSL certificate lifecycles introduces a range of challenges and risks for organizations. Effective certificate management, including monitoring, renewal automation, and compliance adherence, is crucial to mitigate these risks and maintain the security, trustworthiness, and operational continuity of websites and web applications. Failure to address these challenges can have serious consequences such as:

    • Data Breaches: Expiring SSL certificates break the secure connection between websites and users, opening the door for hackers to intercept and steal sensitive data. This includes login credentials, credit card information, and personal data.
    • Loss of Customer Trust: Users encountering an expired certificate warning message may perceive the website as insecure and lose trust in both the website and its owner. This loss of trust can lead to a decline in business as users hesitate to engage with the site, damaging the organization’s reputation.
    • Compliance Issues: Organizations handling sensitive user data, such as healthcare records or financial information, are subject to regulatory compliance standards like HIPAA, PCI DSS, and GDPR. These standards mandate the maintenance of valid SSL certificates. Certificate expiration can lead to compliance breaches, potentially resulting in legal repercussions and fines.
    • Interruptions in Service: An expired SSL certificate can cause service interruptions, leading to downtime. During this downtime, businesses may lose revenue as users are unable to access the website or receive security warning messages that discourage them from proceeding.
    • Search Engine Penalties: Search engines like Google use SSL certificates as a ranking factor. Websites with expired certificates may face penalties in search engine rankings, leading to reduced organic traffic. This can be detrimental for businesses reliant on online visibility and customer acquisition through search engines.

Is 90 Days the Correct Certificate Lifespan?

The debate surrounding the ideal SSL/TLS certificate lifespan, particularly the move to reduce it to 90 days, raises critical questions about the balance between security and practicality. While a 90-day validity period is shorter than previous durations, some argue that it might not be the optimal length for improving certificate revocation and overall security. Concerns are also raised about the alignment of this period with industry transition timelines and domain registration cycles, which typically follow annual patterns. These considerations prompt discussions about alternative approaches to incentivize automation and rapid certificate replacement while maintaining the agility of the web Public Key Infrastructure (PKI).

In addition to these considerations, there are practical challenges associated with shorter certificate lifespans. Organizations, especially enterprises, would face increased workloads in managing certificates with 90-day validity periods. Traditional manual tracking methods, often reliant on spreadsheets and notifications, become impractical with such short lifespans, increasing the risk of human errors. Moreover, the higher workload and shorter renewal cycles raise concerns about potential outages due to mismanaged certificates, a factor that could have substantial economic implications.
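The expiry tracking described above (identifying certificates nearing expiration, and the risk of doing it by hand in spreadsheets) can be automated with a few lines of code. The following is an added example, not BreachLock’s code or any tool the article describes: a stdlib-only Python audit that reads the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates` for an inventory of hosts, flags certificates that have expired or sit inside the renewal window, and marks any whose lifetime exceeds the proposed 90-day maximum. The hostnames, dates, and the 30-day renewal window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# 90 days is the proposed maximum from the article; renewing with 30 days left
# (a third of the lifetime) is an assumption made for this example.
MAX_LIFETIME_DAYS = 90
RENEW_BEFORE_DAYS = 30


@dataclass
class CertRecord:
    host: str
    not_before: datetime
    not_after: datetime


def parse_openssl_dates(host: str, text: str) -> CertRecord:
    """Parse the two lines printed by `openssl x509 -noout -dates`."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return CertRecord(host, fields["notBefore"], fields["notAfter"])


def audit_cert(cert: CertRecord, now: datetime) -> dict:
    """Classify one certificate against the expiry and lifetime policy."""
    lifetime = (cert.not_after - cert.not_before).days
    days_left = (cert.not_after - now).days
    if now >= cert.not_after:
        status = "expired"      # browsers already warn visitors
    elif days_left < RENEW_BEFORE_DAYS:
        status = "renew-now"    # inside the renewal window
    else:
        status = "ok"
    return {"status": status, "days_left": days_left, "lifetime_days": lifetime,
            "renew_by": cert.not_after - timedelta(days=RENEW_BEFORE_DAYS),
            # issued for longer than the proposed maximum lifespan
            "exceeds_policy": lifetime > MAX_LIFETIME_DAYS}


def audit_inventory(samples: dict, now: datetime) -> dict:
    """samples maps host -> captured `openssl x509 -noout -dates` output."""
    return {host: audit_cert(parse_openssl_dates(host, text), now)
            for host, text in samples.items()}


# Constructed sample inventory (hypothetical hosts, no real certificates).
SAMPLE = {
    "www.example.com": "notBefore=Sep  1 00:00:00 2023 GMT\nnotAfter=Oct  3 00:00:00 2024 GMT",  # 398-day cert
    "api.example.com": "notBefore=Aug  1 00:00:00 2023 GMT\nnotAfter=Oct 30 00:00:00 2023 GMT",  # 90-day, 15 days left
    "old.example.com": "notBefore=Jun  1 00:00:00 2023 GMT\nnotAfter=Aug 30 00:00:00 2023 GMT",  # 90-day, expired
    "new.example.com": "notBefore=Oct  1 00:00:00 2023 GMT\nnotAfter=Dec 30 00:00:00 2023 GMT",  # 90-day, fresh
}
NOW = datetime(2023, 10, 15, tzinfo=timezone.utc)  # fixed "today" for reproducible results
```

Feeding the real output of `openssl x509 -noout -dates` for each host into `audit_inventory` turns the spreadsheet into a report that can be run from a scheduler and alerted on.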

BreachLock’s ASM: For Your SSL/TLS Security Needs

With BreachLock’s ASM, we focus on identifying vulnerabilities associated with SSL/TLS assets and continuously monitor your SSL certificates to ensure the integrity and security of your digital infrastructure. Beyond monitoring, we assist in asset discovery and inventory, granting you full visibility into your digital infrastructure.

BreachLock offers automated, AI-powered, and human-delivered solutions in one integrated platform based on a standardized built-in framework that enables consistent and regular benchmarks of attack techniques, security controls, and processes. By creating a standardized framework, BreachLock can deliver enhanced predictability, consistency, and accurate results in real-time, every time.

Make BreachLock your trusted partner to enhance your overall cybersecurity.

Schedule a discovery call with one of our experts to discover how BreachLock’s ASM can help your organization.
