The two browser makers are contemplating new policies for Chrome and Firefox

Aug 24, 2013 13:11 GMT
Chrome and Firefox may start rejecting certificates with a validity of over 60 months

Google and Mozilla are working on changing the way they handle long-lived SSL certificates in their browsers. Google has already announced that, starting next year, Chrome will reject certificates that have a validity of more than 60 months.

Mozilla is contemplating doing the same in Firefox and has already opened a Bugzilla entry on it. These restrictions would only apply to certificates issued after July 1, 2012.

Google made the decision to enforce compliance with the new Baseline Requirements, which specify a maximum validity period for certificates.

“As a result of further analysis of available, publicly discoverable certificates, as well as the vibrant discussion among the CA/B Forum membership, we have decided to implement further programmatic checks in Google Chrome and the Chromium Browser in order to ensure Baseline Requirements compliance,” Google's Ryan Sleevi explained.

Google considers such certificates inconsistent with the standards in force and will therefore label them as invalid. The company hopes that this will discourage the practice and encourage better conformance with established practices.

“By reducing the window of trust established, Google has acknowledged that certificates are first and foremost security instruments that are now under attack. As a result, industry standards are being suggested to renew the certificates more frequently to better protect against the quickly evolving threat landscape,” Jeff Hudson, CEO of Venafi, commented on the move.

“As recent threat trends have proven, certificate and cryptographic key-based attacks are on the rise. The lack of visibility and control over the hundreds and thousands of keys and certificates that exist in enterprise networks has provided ample attack-surface real estate for cybercriminals,” he added.

Mozilla hasn't made a decision on the matter yet, but the issue is under active discussion, and it is likely that Firefox will implement similar restrictions.
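Administrators can apply the rule described above (validity of more than 60 months, only for certificates issued after July 1, 2012) to their own certificate inventory before the browsers do. The following Python script is an added example, not code from Chrome, Firefox or the article; it assumes notBefore is the issuance date, counts calendar months, treats the cutoff as midnight UTC, and uses constructed hostnames and dates.

```python
import calendar
import ssl
from datetime import datetime, timezone

# Figures from the article. Assumptions: notBefore is the issuance date and
# "after July 1, 2012" means later than 00:00 UTC on that day.
MAX_VALIDITY_MONTHS = 60
CUTOFF = datetime(2012, 7, 1, tzinfo=timezone.utc)

def parse_cert_time(text):
    """Parse an OpenSSL-style date such as 'Aug  1 00:00:00 2013 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def add_months(moment, months):
    """Calendar-month addition, clamping the day (Feb 29 + 60 months -> Feb 28)."""
    index = moment.month - 1 + months
    year, month = moment.year + index // 12, index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)

def classify(not_before, not_after):
    """Return 'exempt', 'ok' or 'reject' for one certificate's validity window."""
    issued, expires = parse_cert_time(not_before), parse_cert_time(not_after)
    if issued <= CUTOFF:
        return "exempt"  # issued on or before the cutoff: the rule does not apply
    if expires > add_months(issued, MAX_VALIDITY_MONTHS):
        return "reject"  # validity of more than 60 months
    return "ok"

# Constructed inventory (hypothetical hosts and dates), in the format printed
# by `openssl x509 -noout -dates`.
INVENTORY = [
    ("legacy.example", "Mar 15 00:00:00 2010 GMT", "Mar 15 00:00:00 2020 GMT"),
    ("shop.example", "Aug  1 00:00:00 2013 GMT", "Aug  1 00:00:00 2018 GMT"),
    ("intranet.example", "Aug  1 00:00:00 2013 GMT", "Aug  2 00:00:00 2018 GMT"),
    ("leapday.example", "Feb 29 12:00:00 2016 GMT", "Feb 28 12:00:00 2021 GMT"),
]

def audit(inventory):
    """Map each host to its verdict so long-lived certificates can be reissued."""
    return {host: classify(nb, na) for host, nb, na in inventory}

if __name__ == "__main__":
    for host, verdict in audit(INVENTORY).items():
        print(f"{host:20} {verdict}")
```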