Web body mulls halving HTTPS cert lifetimes.
The CA/Browser Forum – an industry body of web browser makers, software developers, and security certificate issuers – is considering slashing the maximum lifetime of HTTPS certs from 27 months to 13 months.
The plan, floated at a meeting by Googler Ryan Sleevi earlier this year and still in its draft stages, comes just one year after the lifetime maximum for certificates was lowered from 39 months to 27 months. There is no word yet on when a vote may take place. HTTPS certificates are, essentially, used to encrypt connections between browsers and sites, and help software determine that no one is tampering with or eavesdropping on those connections.
Reducing the amount of time a TLS/SSL certificate is valid means websites must renew their certs more often. This will, it is hoped, force them to use certificates with the latest and greatest recommended cryptography and hashing, rather than hang on to aging certs that use insecure algorithms. The short lifespan could also, in theory, help to cut down on fraudulent activity, as stolen certs would become useless sooner, and abandoned sites would see their certs expire faster.