As the major browser makers and certificate authorities mull over a proposal to significantly reduce the lifespan of TLS certificates, Mozilla is planning to complement the change in the coming months, regardless of the outcome of a vote on the issue by a key industry group.
The CA/Browser Forum, which sets policies for certificate authorities and browser makers, has been considering the change for some time and the proposal has significant support among the browser vendors. In September 2019 the group voted on an earlier version of the proposal, which failed, although all of the certificate consumers voted in favor of it, including Apple, Cisco, Microsoft, Google, and Mozilla. An updated version of the proposal that would reduce the lifespan of TLS certificates to a maximum of 398 days is active now.
Currently, the policy allows for a maximum lifespan of 825 days, or about 27 months. A lot can change in that amount of time, and that’s one of the main reasons that Mozilla and other companies are supporting the change. TLS certificates serve several purposes, including the enablement of encrypted sessions between clients and the site, as well as proving that the site is what it says it is.
“TLS certificates provide authentication, meaning that you can be sure that you are sending information to the correct server and not to an imposter trying to steal your information. If the owner of the domain changes or the cloud service provider changes, the holder of the TLS certificate’s private key (e.g. the previous owner of the domain or the previous cloud service provider) can impersonate the website until that TLS certificate expires,” Ben Wilson, technical program manager at Mozilla, said in a post detailing the company’s position.
“Keys valid for longer than one year have greater exposure to compromise."
Long lifespans for TLS certificates can be problematic in a number of ways aside from the potential for impersonation. In order to provide compatibility with various browsers and client systems, certificates support several ciphersuites for encryption and hash algorithms for signatures. That’s all fine until there’s a serious issue with one of the ciphersuites or hask algorithms that necessitates revoking and reissuing certificates. This is a relatively rare occurrence, but when it happens it’s a major disruption for site owners, CAs, and individuals trying to make a secure connection to an affected site.
In recent years, collisions discovered with both the SHA-1 and MD5 hash algorithms put certificates signed with one of those algorithms in jeopardy for forgery. The issues were public, but because of the long lifespans of TLS certificates at the time the collisions were disclosed, it took many years to phase out all of the affected certificates. Reducing the lifespan of certificates would mitigate this kind of problem while also limiting the amount of time a given keypair is valid.
“Keys valid for longer than one year have greater exposure to compromise, and a compromised key could enable an attacker to intercept secure communications and/or impersonate a website until the TLS certificate expires. A good security practice is to change key pairs frequently, which should happen when you obtain a new certificate. Thus, one-year certificates will lead to more frequent generation of new keys,” Wilson said.
The current CA/Browser Forum proposal would have the 398 day lifespan go into effect on Sept. 1 if it passes. But even if the proposal fails, Wilson said Mozilla intends to change its policy to limit certificate lifespans to 398 days, and all of the CAs in Mozilla’s Certificate Program said they would implement the change, as well.
In March, Apple announced that it would be enforcing the same policy for all TLS certificates issued on or after Sept. 1.