Shulou(Shulou.com)06/01 Report--

Last week, at the CA/ browser (CA/ Browser) Forum in Slovakia, Apple announced that in order to improve network security, any new website certificate valid for more than 398 days from September 1, 2020 will not be trusted by Safari browsers, but will be rejected. In addition, older certificates issued before the deadline (September 1, 2020) are not affected by this rule.

The release of the policy means that using websites that use biennial SSL/TLS certificates after the deadline will cause privacy errors in Apple's browsers, and all certificates need to be renewed annually to maintain Safari's trust. (note: all SSL/TLS certificates issued before September 1, 2020 are not affected by this policy)

The purpose of Apple's policy is to improve the security of the website by ensuring that developers use certificates of the latest encryption standards, and to reduce the number of neglected old certificates, which may be stolen. And used for phishing and drive malware. If researchers or criminals can crack passwords in the SSL/ TLS standard, short-term certificates will ensure that people migrate to more secure certificates in about a year.

The browser giant is gradually shortening the validity period of certificates.

In August 2019, Google proposed at the CA/Browser Forum meeting to shorten the validity period of the HTTPS certificate from 27 months to 13 months. Finally, CA/Browser Forum voted down the proposal, and the SSL certificate is still valid for up to 2 years.

It is reported that Apple, Google and other members of CA/Browser have been considering shortening the validity of certificates for some time. They hope to force webmasters to update their certificates with the latest encryption technology by rejecting old security certificates, instead of using old, less secure certificates, which will also help reduce the impact of certificates that administrators do not know may have been compromised.

According to the latest data from W3Counter, the market share of Safari browsers was 17.7% as of January 2020. Second only to Google Chrome (58.2%).

Certificate management will face great challenges

Shorten the validity period of the certificate, by increasing the frequency of certificate replacement, the management cycle of website owners and enterprises using encrypted certificates becomes more complex. For many companies that rely on digital certificate protection systems, it will bring huge costs and greatly increase the burden of enterprise operation and maintenance managers. The consequences caused by the expiration of SSL/TLS certificates will be unimaginable!

Adverse effects of expired SSL/TLS certificates:

△ damages the SEO ranking of corporate websites

△ websites are under high security threat: data and sensitive information are stolen, tampered with, and middlemen.

The credibility and brand image of △ website bring great negative influence.

Unexpected interruption of enterprise business caused by the expiration of △ certificate, unable to operate normally, and bear the loss of funds

Audit failures or violations caused by improper certificate / key management in △

Figure: Safari browser website certificate expiration style

Nowadays, certificate management is becoming the main burden of enterprises. The larger the enterprise is, the more serious the management problem is.

How to manage certificates effectively?

Do not know when the certificate will expire? Do not know how many certificates and keys there are? How to avoid the pain point of certificate management? How will companies respond when Apple's Safari certificate validity policy takes effect?

Asia Integrity advice: through a high-quality certificate management platform, you can rely on automated management to assist in certificate deployment, update and life cycle management, so as to reduce personnel costs and the risk of errors as the frequency of certificate replacement increases.

Certificate Intelligent Management Software (CertManager) arises at the historic moment.

CertManager is a leading certificate lifecycle intelligent management system that integrates automatic certificate application, deployment, detection, discovery, monitoring, management, alarm, update and certificate brand switching. Designed according to the draft TLS server certificate management industry standard formulated by the National Institute of Standards and Technology (NIST), through the enterprise information pre-audit mechanism, and CertManager's outstanding adaptability to the deployment environment, provide OV/EV certificate one-click application, automatic deployment, certificate brand rapid switching and so on.

Provide one-stop certificate management closed-loop service to help enterprise users manage SSL certificates and private keys securely and compliantly. It can effectively avoid the consequences such as capital loss and brand damage caused by the expiration of the certificate. Uniformly manage the deployment and update of certificates for gateway / load devices, cloud services and WebServer, and provide OpenAPI to interface with operation and maintenance systems. At the same time, help enterprises to quickly put service online, reduce labor costs, and avoid production accidents caused by human errors.

Automatic issuance of ✔ certificates

Enterprise information pre-examination mechanism to achieve automatic issuance and rapid acquisition of OV/EV certificates

✔ certificate deployment

Uniformly manage the deployment and update of certificates for gateway devices, cloud services and WEB SERVERS, and provide OPENAPI to interface with the operation and maintenance system

✔ certificate detection

CAA Statistics report, DN/SAN Compliance report, weak key Statistics

✔ private key protection

White box algorithm reinforcement, keyless, security gateway and short certificate are optional to protect the security of the private key.

✔ monitoring alarm

Continuously monitor certificate status and alarm abnormalities

✔ brand switching

When CA trust is compromised, certificate brands can be quickly switched.

✔ user Management

Role-based access control, administrators, operators, and auditors

✔ Certificate Discovery

For certificates that have been deployed by the enterprise, you can scan the enterprise network segment and manage the discovered certificates

In order to help corporate users deal with the certificate validity policy of Apple Safari browser calmly, Asia Integrity has launched a 24-hour online consulting service to answer your questions and provide you with efficient and secure solutions.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.