The CA/Browser Forum is a group of certificate authorities (CAs) and software vendors, including browser developers, that works to establish and maintain security standards for the digital certificates used in Internet communications. It has voted to significantly reduce the lifespan of SSL/TLS certificates over the next four years. Currently, both the maximum certificate lifespan and the reuse period for Domain Control Validation (DCV) are 398 days, and the majority of certificate authorities agreed that this is too long in today's security landscape. The proposal gradually reduces the certificate lifespan from 398 days to just 47 days in March 2029.

SSL/TLS certificates are digital files that enable secure communication over the internet (HTTPS) by encrypting data and authenticating websites. They also guarantee data integrity, meaning the information exchanged between the user and the server hasn't been tampered with.

Earlier this year, Apple proposed a motion to reduce certificate lifespans, which Sectigo, the Google Chrome team, and Mozilla endorsed. The goal is to minimize risks from outdated certificate data, deprecated cryptographic algorithms, and prolonged exposure to compromised credentials.

The gradual shortening of certificate lifespans gives affected organizations enough time to implement and transition to automated certificate renewal systems, such as those offered by cloud providers, Let's Encrypt, or certificate providers that support the ACME protocol. It also encourages companies and developers to use automation to renew and rotate TLS certificates, making it less likely that sites will be running on expired certificates. When a certificate expires without renewal, users see a warning in their browser informing them that their connection isn't private or secure.

The change is expected to force more frequent revalidation of companies requesting certificates, encourage automation, and ultimately make the ecosystem more agile and secure.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 14 Apr 2025 17:50:25 +0000