HTTPS is the baseline security standard for websites. It has become so ubiquitous that most major web browsers, including Google Chrome and Mozilla Firefox, label a website as "not secure" if it is served over plain HTTP instead. To serve HTTPS a site needs a TLS certificate (still widely called an SSL certificate) issued by a certificate authority (CA). The rules CAs must follow when issuing them are set by the CA/Browser Forum (CA/B Forum), a body made up of certificate authorities and the web browser developers whose products decide which CAs to trust.
At the moment a newly issued certificate may be valid for at most 825 days, so a site can stay on HTTPS for that long without renewing. Google evidently thinks this is far too long: at a recent CA/B Forum meeting in Greece it proposed that certificates be valid for no more than 397 days. That would cut the maximum lifetime from around two years and three months to just over one year and one month.
Why does it matter how long SSL certificates last?
There are two distinct camps in any discussion of certificate lifetimes. The first is the browser makers, of which Google is the most prominent. Most browser developers expressed support for Google's proposal; in fact, they have been pushing for shorter certificates for years. Only last year they tried to cut the maximum validity from three years to one before eventually compromising on just over two.
The people they compromised with, the other camp, are the certificate authorities, or CAs. To them shorter lifetimes mean more certificates to issue and manage, which translates into more cost for the industry. The CAs have seen the maximum validity of certificates cut from eight years to five, then to three, before only last year being cut again to just over two years.
What difference does it all make?
If this all sounds like a soap opera, you would be right. But there are genuine security issues behind Google's proposal. Certificates are sometimes issued in error, private keys are sometimes compromised, and revocation is unreliable: browsers frequently skip the online revocation check (CRL or OCSP) or treat a failed check as a pass, so when a malware-laden site or a phishing page is found holding a valid certificate, revoking it does not guarantee that every browser will stop trusting it and show the site as not secure. For practical purposes a mis-issued or compromised certificate remains usable until it expires. Shorter lifetimes mean that problem takes care of itself more quickly.
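To make that trade-off concrete, here is an added example (not code from the article, the CA/B Forum, or any CA or browser vendor) that audits certificate validity periods against the caps discussed above and shows how much longer a compromised certificate stays usable under each cap when the revocation never reaches the client. The certificates are constructed sample data, not real ones. Two things are assumptions: the dates from which the caps apply (1 March 2018 for 825 days, and 1 March 2020 for the proposed 397 days, since the article only says "March next year") and the rule that a cap is matched on the certificate's notBefore date.

```python
"""Audit TLS certificate validity periods against a maximum-validity cap and
show how the cap bounds the exposure window when revocation is ineffective.

Added example with constructed sample data; not code from the article,
the CA/B Forum, or any CA or browser vendor.
"""
from datetime import datetime, timedelta

# Maximum validity in days for certificates whose notBefore falls on or after
# the given date. Assumptions: 825 days applied from 1 March 2018 and the
# proposed 397-day cap would apply from 1 March 2020 (the article only says
# "March next year"). Later entries override earlier ones.
VALIDITY_CAPS = [
    (datetime(2018, 3, 1), 825),
    (datetime(2020, 3, 1), 397),
]


def cap_for(not_before):
    """Cap (in days) in force when the certificate was issued, or None if none
    of the modelled caps applied yet (older certificates are not audited)."""
    applicable = None
    for starts_on, days in VALIDITY_CAPS:
        if not_before >= starts_on:
            applicable = days
    return applicable


def validity_days(start, end):
    """Whole days from start to end, rounding a partial day up, so a
    certificate valid for 825 days plus one second counts as 826."""
    delta = end - start
    if delta.total_seconds() <= 0:
        return 0
    days = delta.days
    if delta.seconds or delta.microseconds:
        days += 1
    return days


def audit(cert):
    """Measure a certificate's validity period and compare it with the cap that
    applied on its notBefore date. cert is a dict with 'subject', 'not_before'
    and 'not_after' (naive UTC datetimes, as an X.509 parser would give)."""
    days = validity_days(cert["not_before"], cert["not_after"])
    cap = cap_for(cert["not_before"])
    if cap is None:
        verdict = "no modelled cap"
    elif days > cap:
        verdict = "over cap"
    else:
        verdict = "ok"
    return {"subject": cert["subject"], "days": days, "cap": cap, "verdict": verdict}


def exposure_days(cert, compromised_at):
    """Days for which a client that never sees the revocation (no OCSP/CRL
    check, or a soft-fail) keeps trusting the certificate after its key is
    compromised: from the compromise until notAfter."""
    return validity_days(compromised_at, cert["not_after"])


def _cert(subject, issued, days):
    return {"subject": subject, "not_before": issued,
            "not_after": issued + timedelta(days=days)}


# Constructed sample inventory: not real certificates.
ISSUED_2019 = datetime(2019, 6, 1)
SAMPLE_CERTS = [
    _cert("shop.example", ISSUED_2019, 825),            # at the current cap
    _cert("shop-short.example", ISSUED_2019, 397),      # at the proposed cap
    _cert("api.example", ISSUED_2019, 1095),            # three-year cert, over cap
    _cert("blog.example", datetime(2020, 4, 1), 825),   # 825 days after the assumed cut-over
    _cert("old.example", datetime(2017, 1, 10), 1095),  # issued before any modelled cap
]

# Constructed scenario: private key stolen six months into the lifetime.
COMPROMISE_AT = datetime(2019, 12, 1)


def run_audit(certs=SAMPLE_CERTS):
    """Audit every certificate and return the results in inventory order."""
    return [audit(c) for c in certs]


if __name__ == "__main__":
    for r in run_audit():
        print(f"{r['subject']:<20} {r['days']:>5} days  cap {r['cap']!s:>5}  {r['verdict']}")
    for c in SAMPLE_CERTS[:2]:
        print(f"{c['subject']}: trusted for {exposure_days(c, COMPROMISE_AT)} more days "
              f"after a compromise on {COMPROMISE_AT:%Y-%m-%d} if revocation never reaches the client")
```

Run against a real inventory, the `not_before`/`not_after` values would come from an X.509 parser; the point of the comparison is the last two lines of output: the same compromise six months in leaves an 825-day certificate trusted for another 642 days and a 397-day one for 214, with no help from revocation either way.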
There is something else to it though, and that is who controls HTTPS. One train of thought, laid out by the Hashed Out blog, is that it is all a power play by the browser makers, who simply want to exert dominance over the CA/B Forum and show the CAs who is boss.
If that is true, whether Google's proposal will make the internet more secure is largely a matter of opinion. It could be more effective to fix the broken revocation process than to shorten the time certificates remain valid. For site operators the practical consequence is the same either way: a renewal that was a once-every-two-years chore becomes frequent enough that it needs to be automated rather than handled by hand.
The one thing we do know is that there has not yet been a vote on the change, which Google would like to see take effect in March next year. So we will all be on the edge of our seats until the CA/B Forum next gets together and thrashes something out.