Safari Ignores Certificate Expiration Over 1 Year and Arbitrarily Chooses 398 Days Instead

June 22, 2020

Post by Robert Hansen

Before I start, let me apologize ahead of time for the excessive amount of snark that is sure to follow. Okay, ready? Here we go.

The browsers are at it again, and this time it's Apple's turn to shake things up. Similar to how Google decided to mark any HTTP site as unsafe, Apple has decided to treat any SSL/TLS certificate with a validity period longer than 398 days as invalid. Cue the DevOps team rolling their eyes as they adjust their cron jobs accordingly.

Why is Apple doing this? They have two reasons, according to this Digicert article. The first is a hand-wavy answer, which is that it will "protect users". Okay... so users will be protected... from what exactly? Well, apparently the concern is that certificates take too long to expire, so bad certificates stay around longer. This is, of course, complete and utter nonsense. Certificate revocation is a well-documented standard, so we can ignore this answer completely. Also, the adversary still has whatever portion of the year is left to do their criminal acts, which is not exactly a huge win.

The second is a bit less of a red herring: Apple wants to make sure certificates have more up-to-date information in them. Why? I have literally no idea. But at least it's true: webmasters will need to update their certificates on a more regular basis... with the exact same information they had always been using via their cron jobs. So, not exactly a huge savings. No one is going to interrupt their cron job and say, "Hey, team, our administrative contact has changed, let's fix this." Once things like this are set, no one ever looks at them. Expect this to continue to be the case. DevOps being lazy is a fact of life, and no amount of messing with expiration dates is going to change that, except for the one time they have to lift their heads to fix their stuff to appease the browser community.

So yeah, if you couldn't tell, I'm not exactly thrilled by this new arbitrary browser addition that saves literally no one from anything. I have never been a fan of companies not respecting the wishes of webmasters, especially when it drives up the cost of a feature that is only nominally useful on its best day. But this is coming from the guy who found 24 issues in the browser implementation of HTTPS. So, take it with a grain of salt.

It's not just that Apple's change is a minor nuisance; it has a very real downside. If your site's certificate has a validity period (notAfter minus notBefore) longer than 398 days (can you hear my head hitting the table at that weird number right now?), then your site will be inaccessible from a browser that currently has around 18-22% of the browser market, depending on which stat you read. However, the fine folks at Apple have given you a grace period. Certificates issued before September 1st, 2020 keep the previous limit of 825 days, or 2.26 years (can you hear my head banging on my desk again?), so the new rule only bites certificates issued on or after that date.

This silliness will definitely cause massive random/sporadic outages as people learn the hard way that their site is no longer accessible, but only in some browsers. That'll be fun to debug. Even in the best case, DevOps will be scratching their heads trying to learn how to write cron jobs that fire once every 398 days (pro tip: cron can't express a period like that, so you renew on days remaining instead). So just renew every year to be "safe", assuming next week they don't decide to change it to 42 days for no reason whatsoever.

It's unclear how the CAs will react. Will they discount the cost of all certificates accordingly, since they now only last a year? Will they give money back to the owners of multi-year certificates that Apple will not honor for their full term? Will the CAs re-use the background checks they do for EV certificates across multiple certificates in a row, or require them every year? So many unanswered questions for such a non-issue. Where one browser company comes up with strange, non-compliant, draconian rules, others usually follow. So, expect more of this. Don't say I didn't warn you.

This really is where asset management can help you: you can find the certificates in your estate whose validity period is over the limit, or that will expire by whatever arbitrary date you want to set. But if you don't, you should expect outages to occur until this all gets dealt with. The only saving grace is that any certificate issued before September 1st, 2020 keeps its 825-day allowance, so the last of them can run until early December 2022 (banging my head again). So, this isn't a dire emergency yet, but it's coming, and your long-lived certificates that were chugging along will no longer be respected by Apple.
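As an added example (not code from the original post, from Apple, or from any CA), here is the kind of check an inventory job would run: it reads the output of `openssl x509 -noout -subject -startdate -enddate` for each certificate, computes the validity period as notAfter minus notBefore, and applies the rule described above (398 days for anything issued on or after September 1st, 2020 00:00 UTC, 825 days before that). The sample records are constructed for this example and the host names are hypothetical; `renewal_due` is also mine, and shows the days-remaining test a daily cron job can use instead of trying to schedule "every 398 days".

```python
"""Added example, not code from the original post or from Apple: an offline
audit that flags certificates Safari will reject under Apple's 398-day rule.

Rule as described in the post: a TLS server certificate whose notBefore is on
or after 1 September 2020 00:00 UTC may not have a validity period (notAfter
minus notBefore) longer than 398 days; certificates issued before that date
keep the older 825-day limit. Input is the text printed by
`openssl x509 -noout -subject -startdate -enddate` for each certificate; the
sample below is constructed for this example and the host names are
hypothetical.
"""
from datetime import datetime, timedelta, timezone

CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
LIMIT_AFTER_CUTOFF = timedelta(days=398)
LIMIT_BEFORE_CUTOFF = timedelta(days=825)
OPENSSL_DATE_FORMAT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample input (hypothetical hosts), in openssl's output format.
# The last record stands in for an over-long cert from an internal CA.
SAMPLE_OPENSSL_OUTPUT = """\
subject=CN = www.example.test
notBefore=Jun 22 00:00:00 2020 GMT
notAfter=Sep 24 23:59:59 2022 GMT
subject=CN = api.example.test
notBefore=Sep  1 00:00:00 2020 GMT
notAfter=Nov  4 23:59:59 2021 GMT
subject=CN = shop.example.test
notBefore=Sep 15 00:00:00 2020 GMT
notAfter=Oct 17 23:59:59 2021 GMT
subject=CN = old.example.test
notBefore=Mar  1 00:00:00 2020 GMT
notAfter=Jul  1 00:00:00 2022 GMT
"""


def parse_openssl_dates(text):
    """Group subject/notBefore/notAfter lines into one record per certificate."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        if key == "subject":
            current = {"subject": value.strip()}
            records.append(current)
        elif key in ("notBefore", "notAfter") and current is not None:
            # openssl prints UTC with a "GMT" suffix and pads single-digit days
            # with a space ("Sep  1"); strptime tolerates the extra whitespace.
            parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FORMAT)
            current[key] = parsed.replace(tzinfo=timezone.utc)
    return records


def apple_limit(not_before):
    """Maximum validity Apple allows for a certificate issued at not_before."""
    return LIMIT_AFTER_CUTOFF if not_before >= CUTOFF else LIMIT_BEFORE_CUTOFF


def safari_accepts(not_before, not_after):
    """True when the validity period is within Apple's limit for its issue date."""
    return not_after - not_before <= apple_limit(not_before)


def audit(text):
    """Evaluate every certificate in openssl's output against Apple's policy."""
    results = []
    for rec in parse_openssl_dates(text):
        validity = rec["notAfter"] - rec["notBefore"]
        results.append({
            "subject": rec["subject"],
            "validity_days": validity.total_seconds() / 86400,
            "limit_days": apple_limit(rec["notBefore"]).days,
            "accepted": safari_accepts(rec["notBefore"], rec["notAfter"]),
        })
    return results


def renewal_due(not_after, now, threshold=timedelta(days=30)):
    """Renew on days remaining, checked from a daily cron job, rather than
    trying to express a 398-day period in a crontab."""
    return not_after - now <= threshold


if __name__ == "__main__":
    for r in audit(SAMPLE_OPENSSL_OUTPUT):
        verdict = "ok" if r["accepted"] else "REJECTED by Safari"
        print(f'{r["subject"]:<24} {r["validity_days"]:7.2f} days '
              f'(limit {r["limit_days"]}): {verdict}')
```

Two things worth noticing in the sample: the `api.example.test` record is issued at exactly the cutoff instant and so falls under the 398-day limit, and the `shop.example.test` record sits a second under 398 days, which is why public CAs issue 397-day certificates rather than cutting it that close. Feed the real thing with something like `for f in /etc/ssl/mine/*.pem; do openssl x509 -in "$f" -noout -subject -startdate -enddate; done` and pass the combined output to `audit`.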

Some more external links on this topic:

Get Ready for 1 Year SSL Cert Maximums

Today’s Big News: One-year Max Public TLS Certs are coming, Starting 1 Sept 2020