A new CA/Browser Forum proposal being discussed now would shorten maximum certificate lifetimes to 13 months. This comes after lifetimes were reduced from 39 to 27 months, effective March 2018. If passed, these changes would go into effect in March 2020. This blog analyzes the merits of this proposal and how the proposed security benefit compares with the impact on certificate users.
For many years, certificates that protected websites had a maximum lifetime of three years. These certificates were only issued after carefully vetting all the information that was contained in the certificate and could be revoked if the information was no longer valid.
There was a previous attempt to reduce certificate lifetimes to one year, back in early 2017, which was rejected by the CA/B Forum. Now, the same proposal is being made again. What is behind these proposals, and do they do anything to increase the security of digital certificates?
On the modern internet, digital certificates are essential for protecting traffic to and from websites, including the highest value ones. These communications may include all sorts of sensitive information, including payment information, passwords, protected health information, trade secrets and other work-related confidential information. These websites must protect the three pillars of information security: confidentiality, integrity and availability. All communications need to be encrypted, with no possibility to modify them, and no downtime.
To guarantee this, the maintainers of such websites have strict controls about when and how their servers can be modified, and what software can run on their servers. In many cases, especially in the financial and healthcare industries, there are strict audit and compliance requirements that govern these change management procedures.
Moving to shorter certificate lifetimes, especially below one year, as has been suggested might be coming in the near future, has significant costs. Each change must be carefully tested to make sure it has been made correctly and does not negatively impact the security of the system. Making such changes in an automated way is attractive, but significantly increases the complexity of such systems, and increases the attack surface by introducing new software agents on critical systems. Even worse, those software agents connect to the internet and download certificates directly onto highly trusted systems. Significant care needs to be taken to make sure this does not adversely impact the security of the system.
We believe the goal of improving certificate security is better served by allowing more time for companies to continue their growing use of automation, to test their systems and to prepare for these changes. The primary point is that any benefit of reducing certificate lifetimes is theoretical, while the risks and costs to make the changes, especially in a short period of time, are real.
So what is the proposed security benefit that justifies this cost? It is far from clear that there is any at all. This change has absolutely no effect on malicious websites, which operate for very short time periods, from a few days to a week or two at most. After that, the domain has been added to various blacklists, and the attacker moves on to a new domain and acquires new certificates.
Another benefit that is sometimes suggested is that shorter lifetime certificates allow quicker transitions when the compliance rules change. Two-year certificate lifetimes mean that certificates that are issued today will still be around two years from now. But isn’t it the responsibility of those managing the certificate ecosystem to come up with compliance rules that can endure for at least that long? Constantly changing the rules for certificate issuance with little lead time does not give those who deploy or rely upon certificates adequate time to become aware of the changes, analyze them and determine the impact on their systems, and make adequate preparations to update their systems responsibly, including complying with all the other regulatory requirements.
It is also important to note that this change applies to all companies, regardless of their situation, on a relatively short timeline. These sorts of short-term mandates run the risk of diverting resources from other, more critical security improvements that are underway at many companies.
Rapidly reducing certificate lifetimes to one year, or even less, has significant costs to many companies which rely on digital certificates to protect their systems. These costs are not offset by any significant security improvement, and these changes have no impact on bad actors who are engaged in illegal activity or impersonating legitimate companies. These changes make it significantly more difficult for many companies to protect their internet traffic and customers, with no benefit, and therefore DigiCert has no choice but to oppose these changes.