Google has announced that it will be adopting a shorter lifespan for Transport Layer Security (TLS) certificates, reducing it to 90 days. TLS certificates, also known as Secure Sockets Layer (SSL) certificates, are used to ensure secure browsing and transactions by authenticating the validity of a website. This move by Google comes as part of a wider effort by browser operators, including Apple, Microsoft, and Mozilla, to reduce certificate lifespans in order to enhance security.
In the past, TLS certificates were effective for more than a year, with some even lasting up to 10 years. However, as cybercriminals become more sophisticated, these long-lasting certificates are no longer sufficient to protect against their attacks. By adopting a shorter lifespan, Google aims to ensure that websites are constantly updating their certificates, thus mitigating the risk of expired certificates becoming a vulnerability.
Expired TLS certificates not only present a cybersecurity risk, but they can also cause service outages. When a certificate expires, connections to the website are no longer considered private and communication is no longer secure. This can discourage users from completing their transactions or even accessing the website at all. Major enterprises, including Shopify, Cisco, Starlink, and Microsoft, have all experienced service outages due to expired certificates.
Managing the lifecycle of TLS certificates is an ongoing challenge for administrators, particularly for large organizations that may have thousands of certificates to manage. A survey found that the average enterprise manages more than 50,000 certificates, with this number increasing by over 43% annually. With the increasing reliance on cloud-based assets and automation, certificate management is crucial for the smooth operation of enterprises.
To effectively manage TLS certificates, several best practices are recommended. Firstly, gaining visibility of all certificates is essential. Regular scanning can help identify existing certificates and discover new ones that need to be accounted for. It is important to generate a central inventory that includes details such as location, expiration date, and the certificate authority that validated them.
Tracking use-by dates and implementing automation can ensure that certificates are renewed or automatically renewed in a timely manner. This helps to prevent certificates from expiring and causing disruptions. Enforcing encryption standards is also crucial to ensure the security of the infrastructure. Analyzing certificates for indicators of weak or outdated encryption can help identify and upgrade insecure standards.
Establishing governance and implementing policies for public key infrastructure (PKI) governance is important for managing certificates effectively. This includes regulating permissions, simplifying auditing, and creating procedures for creating audit trails and reports. Finally, securing private keys is vital, as they are the master locks that protect sensitive information. Saving them in encrypted software or certified hardware security modules (HSMs) can provide better protection.
Google’s decision to shorten TLS certificate lifespans to 90 days will present an additional challenge for administrators already struggling with certificate management. However, automating certificate lifecycle management (CLM) processes can help streamline the process and reduce the risk of costly business outages. As more certificate authorities and browser vendors embrace shorter certificate lifespans, CLM will remain a key concern for administrators looking to enhance security and ensure the availability of their websites and services.