Home / Blogs

Risk vs Benefit: The Impact of Shorter 90-Day SSL Certificate Life Cycles

In today’s digital age, securing your website and ensuring your users’ safety has never been more critical. Secure sockets layer (SSL) certificates are the go-to solution for securing websites by encrypting the data transmitted between web servers and browsers.

Historically, SSL digital certificates could be valid for years, after which they had to be renewed or replaced. Following the announcement by Apple® to reduce certificate validity from 27 months to 13 months on its Safari® browsers, many others including Google® adopted the same approach on its Chrome browser beginning in September 2020. As a result, many certificate authorities (CAs) started to reduce the validity period of the SSL certificates they issue. Most recently, Google announced that it would further reduce certificate validity on Chrome to 90 days. Since Chrome is one of the most widely used browsers with approximately 65% market share1, we expect many other browsers to follow suit.

SSL certificates issued for websites must comply with the new maximum validity period to be trusted by Chrome users. Shorter certificate life cycles bring about benefits to improve security and reduce the risks associated with long-lived certificates. Here are some of the risks associated with longer-lived SSL certificates:

  1. Increased vulnerability to attacks: Longer-lived SSL certificates offer a longer window of opportunity for hackers to exploit vulnerabilities and launch attacks on websites. By limiting the certificate’s lifespan to 90 days, the potential damage that could be caused by an attack is significantly reduced.
  2. Lack of agility: Websites using longer-lived SSL certificates are less agile in responding to changes in their security requirements. With a 90-day SSL certificate life cycle, website administrators can quickly update their security measures to adapt to emerging threats and vulnerabilities.
  3. Lack of accountability: Longer-lived SSL certificates reduce accountability as it becomes challenging to attribute security incidents to specific certificates or web servers. Shorter-lived SSL certificates increase accountability, as security incidents can be traced back to specific certificates and web servers, making it easier to identify the cause and take corrective action.

One of the primary challenges that organizations will face with shorter SSL certificate life cycles is the increased frequency of certificate renewals. Managing SSL certificates can be a complex and time-consuming task, especially for organizations with a large number of websites and web applications. If mismanaged, certificates could expire and pose significant risks to website security and the integrity of user data. Here are some of the risks:

  1. Data breaches: When an SSL certificate expires, the secure connection between the website and its users is broken, making it possible for hackers to intercept and steal sensitive data such as login credentials, credit card numbers, and personal information. This creates opportunities for cybercriminals to steal sensitive data transmitted between a website and its users.
  2. Loss of trust: When users see an expired certificate warning message in websites, they may perceive the website as insecure and untrustworthy. This negatively impacts user trust in the website and its owner, leading to a loss of business and reputation damage.
  3. Compliance issues: For websites that handle sensitive user data such as healthcare records, financial information, or other regulated data, certificate expiration can result in compliance issues. Compliance standards such as HIPAA, Payment Card Industry Data Security Standard (PCI DSS), and General Data Protection Regulation (GDPR) require websites to maintain SSL certificates and ensure they’re valid and up to date.
  4. Service interruptions: An expired SSL certificate can cause service interruptions that can lead to downtime and lost revenue for businesses, as users may be unable to access the website or may receive warning messages that the website is not secure.
  5. Search engine penalties: Search engines such as Google consider SSL certificates to be a ranking factor and may penalize websites that have expired certificates. Such search engine penalties can negatively impact website rankings and traffic for businesses.

With certificates expiring every 90 days, organizations must renew their certificates more frequently. This requires careful planning, investment in certificate management tools, and adjustments to processes and procedures to manage the increased volume of certificate renewals. Here are some best practices to reduce the risks associated with certificate expiration:

  1. Automated certificate management: Use automated certificate management tools that can track and renew certificates automatically, reducing the risk of manual errors and certificate expirations.
  2. Centralized certificate management: Centralize certificate management to reduce the complexity of certificate renewal and to ensure consistency across multiple websites and web applications.
  3. Regular certificate monitoring: Monitor SSL certificates regularly to detect any issues, such as certificate expirations, and take corrective action promptly.
  4. Use of CAA records: Use certificate authority authorization (CAA) records. Domain owners can specify which CAs are authorized to issue SSL certificates for their domain, and can even specify specific certificate types or validation methods that should be used, giving domain owners greater control over the SSL certificate issuance process, and can help prevent the issuing of fraudulent or unauthorized certificates.

In summary, while the 90-day SSL certificate life cycle offers improved security, agility, and accountability, it may pose some challenges for organizations, especially those with a large number of web properties. However, with careful planning, investment in automated certificate management tools, and adjustments to their processes and procedures, organizations can effectively manage shorter SSL certificate life cycles and ensure the security of their websites and web applications.

By Sue Watts, Global Marketing Leader, Digital Brand Services, CSC

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix