It appears that the validity period for Transport Layer Security (TLS) certificates, also known as Secure Sockets Layer (SSL) certificates, is once again going to shrink – at least if Google has its way. The internet giant has proposed a new validity period of only 90 days, down from the current 398 days.
Google has the option of effecting this change via a CA/Browser Forum ballot proposal. But if that fails, it can simply force the change by making 90-day validity a requirement for the Chrome root program. Given Chrome’s 62% market share, this move would force commercial public certificate authorities (CAs) to make 90 days the de facto standard.
In other words, 90-day digital certificates are in the future for enterprises, most likely as soon as spring of 2024. This will pose some significant challenges, particularly for companies with a large number of certificates to manage. Specifically, it will quadruple the amount of work required to stay current.
The Foundation of Trust
Keeping certificates current is extremely important, as expired certificates can cause significant problems. The most obvious consequence is service outages for commercial websites and revenue-generating web-facing applications. In fact, 82% of all organizations experience certificate-related network outages every year.
When a certificate expires, web visitors encounter an intimidating warning screen that casts doubt on the company’s commitment to security and privacy and can tarnish its reputation.
There are other problems beyond lost revenue and damage to a company’s reputation. Expired certificates open the door to a number of potential hacks such as man-in-the-middle exploits. In one study, 58% of organizations that suffered a data breach attributed the cause to avoidable certificate management issues.
In fact, the root cause of the second largest data breach ever recorded – Equifax, which affected 143 million people – was an expired digital certificate on a monitoring device. The lesson here is that companies should not ignore renewal requirements for internal, private trust certificates just because they’re not customer-facing.
The process of updating a digital certificate is in itself not difficult, but for large companies that may have thousands of certificates to manage, the task is not trivial – and many companies are failing to handle it.
At scale, obtaining visibility into where a company’s digital certificates are located, what their validity status is, and which CA issued them is a daunting task. Then there is the process of replacing them, which includes revoking those that are about to expire, obtaining validation of domain ownership from the CA, and ultimately deploying new, valid certificates.
Automation: An Alternative to Manual for Large Companies
When the 90-day validity time frame takes effect, all of these steps will be required once every quarter for every certificate. For security teams that are already overworked, automation is one approach that makes sense. A manual approach could mean creating a dedicated team.
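The visibility step described above (where each certificate is, who issued it, and how long it has left) is the part of the quarterly cycle that is easiest to automate and the one most often skipped. The following Go program is an added example, not code from the original article or from any CA or vendor it mentions: it builds a constructed PEM bundle (a hypothetical private CA named "Example Private CA" plus three 90-day leaf certificates with different remaining lifetimes), then inventories every certificate in the bundle and classifies it as "ok", "renew" or "expired". The 30-day renewal window is an assumption chosen as one third of a 90-day lifetime; the hostnames are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one row of the inventory: who the certificate was issued to,
// which CA issued it, when it expires and what action it needs.
type CertRecord struct {
	Subject  string
	Issuer   string
	NotAfter time.Time
	DaysLeft int    // negative once expired
	Status   string // "ok", "renew" or "expired"
}

// Classify evaluates one parsed certificate at time now. renewWindowDays is
// how far ahead of expiry a renewal is triggered (assumption: 30 days, one
// third of a 90-day lifetime, so that a failed renewal still leaves time to fix it).
func Classify(cert *x509.Certificate, now time.Time, renewWindowDays int) CertRecord {
	remaining := cert.NotAfter.Sub(now)
	days := int(remaining.Hours() / 24)
	status := "ok"
	switch {
	case remaining <= 0:
		status = "expired"
	case days < renewWindowDays:
		status = "renew"
	}
	return CertRecord{cert.Subject.CommonName, cert.Issuer.CommonName, cert.NotAfter, days, status}
}

// Inventory parses every CERTIFICATE block in a PEM bundle and classifies it.
// Other PEM blocks (keys, CSRs) are skipped; an unparsable certificate is an
// error rather than silently dropped, since an unreadable cert is exactly the
// kind that ends up unmanaged.
func Inventory(bundle []byte, now time.Time, renewWindowDays int) ([]CertRecord, error) {
	var out []CertRecord
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		out = append(out, Classify(cert, now, renewWindowDays))
	}
	if len(out) == 0 {
		return nil, errors.New("no certificates found in bundle")
	}
	return out, nil
}

// BuildSampleBundle constructs test data: a private CA plus three 90-day leaf
// certificates whose expiry is offset from now by 70, 12 and -3 days. It stands
// in for the real certificate stores a company would scan.
func BuildSampleBundle(now time.Time) ([]byte, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	leaves := []struct {
		cn   string
		days int // days from now until NotAfter
	}{{"shop.example.com", 70}, {"api.example.com", 12}, {"monitor.internal.example", -3}}
	for i, l := range leaves {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 2)), Subject: pkix.Name{CommonName: l.cn},
			NotBefore: now.AddDate(0, 0, l.days-90), NotAfter: now.AddDate(0, 0, l.days),
			KeyUsage:    x509.KeyUsageDigitalSignature, DNSNames: []string{l.cn},
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return bundle, nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	bundle, err := BuildSampleBundle(now)
	if err != nil {
		panic(err)
	}
	records, err := Inventory(bundle, now, 30)
	if err != nil {
		panic(err)
	}
	for _, r := range records {
		fmt.Printf("%-26s issuer=%-20s expires=%s days_left=%5d %s\n",
			r.Subject, r.Issuer, r.NotAfter.Format("2006-01-02"), r.DaysLeft, r.Status)
	}
}
```

Run as a scheduled job against exported certificate bundles, the "renew" rows are the work queue for the quarter and the "expired" rows are live outage risks; the internal monitoring certificate in the sample is deliberately the one that has lapsed, matching the point above that private-trust certificates need the same renewal discipline as customer-facing ones.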
With Google’s backing, a 90-day validity period for digital certificates is almost certain to take effect soon. And while the new time frame does mean increased work and responsibility for security teams, it also brings significant benefits in light of continuing rapid advances in hacker techniques.
Instead of encrypting data with out-of-date algorithms and thereby risking the exposure of key information, security teams will have current algorithms and encryption protocols in place. And if they deploy automation, they’ll also be sure that expired certificates no longer fall through the cracks. The net result will be a much lower risk of service outages and better protection against threats.
While the Google 90-day TLS certificate validity proposal aims to increase online security by reducing the potential abuse window of certificates, it brings about operational challenges, especially for companies handling renewals manually.