After Chrome and Firefox decided that knowing you were really at your bank's website when you do online banking (by dropping the Extended Validation indicator from the address bar) wasn't really that important…
Now Apple has decided that otherwise valid certificates with a validity period longer than 398 days will be treated as invalid. This applies to certificates issued on or after 1 September 2020; the CA/Browser Forum maximum at the time was 825 days, so a freshly issued maximum-lifetime certificate that every other check accepts is rejected by Apple's TLS stack.
Their stated reasons are that old, abandoned certificates can be used for phishing sites and that older certificates can carry outdated cryptography (weak keys or signature algorithms).
The fact that abandoned or exposed certificates can be revoked seems to have slipped Apple's mind. But, hey, Chrome doesn't do live OCSP or CRL checks by default either; it relies on its own pushed CRLSet, which covers only a small subset of revocations. To make their programmers' lives easier, sorry, to make users safer, they want to offload the burden onto the site owners instead.
This is fine for sites only worried about having a valid certificate to encrypt the connection (blogs etc.), which can use the likes of Let's Encrypt to get automatically issued, domain-validated certificates - the CA only checks that you control the domain (via a DNS record or an HTTP challenge), not whether the domain is legitimate or whether you are who you say you are.
For sites where a little more assurance is required (banking, shopping, cloud platforms, social media etc.), that means more expense and more work: organisation- or extended-validated certificates now have to be bought and rotated every 13 months instead of every 27… Just because checking revocation lists is too much like hard work™.
Edit: And it doesn't make sense anyway. If my certificate gets exposed in the first month after issuance, that still leaves 11 months in which Apple will accept it as valid…
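As an added worked example (not code from this post, from Apple or from any browser), here is the 398-day rule and a CRL check side by side in Go, using only the standard library. The certificate is a self-signed fixture for the hypothetical name bank.example that acts as its own issuer; the 1 September 2020 start date and the 398-day limit are the figures Apple published, and 825 days was the CA/Browser Forum maximum at the time. It also shows the point made in the edit above: the lifetime rule says nothing about a certificate whose key leaked in month one, while a revocation check catches it on day one regardless of how long the certificate was issued for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Apple's rule: certificates issued on or after 1 September 2020 with a validity
// period longer than 398 days are not trusted; earlier ones are grandfathered.
const maxLeafLifetimeDays = 398

var applePolicyStart = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC)

var nextSerial int64 = 1000 // deterministic serials for the demo certificates

// LifetimeDays returns the certificate's validity period in whole days.
func LifetimeDays(cert *x509.Certificate) int {
	return int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)
}

// RejectedByLifetimePolicy: would the 398-day rule alone make a client refuse this cert?
func RejectedByLifetimePolicy(cert *x509.Certificate) bool {
	return !cert.NotBefore.Before(applePolicyStart) && LifetimeDays(cert) > maxLeafLifetimeDays
}

// issueCert builds a self-signed certificate for "bank.example" (a hypothetical
// name, test fixture only) that can also sign its own CRL.
func issueCert(notBefore time.Time, days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: "bank.example"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, days),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true, // lets the cert act as the CRL issuer in this demo
	}
	nextSerial++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildCRL is the issuer's side: publish a signed CRL listing one revoked serial.
func BuildCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked *big.Int) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: revoked, RevocationTime: now},
		},
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// OnCRL is the client's side: verify the CRL signature, then look up the serial.
func OnCRL(crlDER []byte, issuer, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// 825 days was the CA/Browser Forum maximum when Apple announced the change.
	cert, key, err := issueCert(time.Date(2020, time.October, 1, 0, 0, 0, 0, time.UTC), 825)
	if err != nil {
		panic(err)
	}
	crl, err := BuildCRL(cert, key, cert.SerialNumber) // key leaked in month one: revoke it
	if err != nil {
		panic(err)
	}
	revoked, err := OnCRL(crl, cert, cert)
	fmt.Printf("lifetime %d days, rejected by 398-day rule: %v, on issuer's CRL: %v (err=%v)\n",
		LifetimeDays(cert), RejectedByLifetimePolicy(cert), revoked, err)
}
```

The two checks are independent: a 398-day certificate passes RejectedByLifetimePolicy for its whole life whether or not its key has leaked, and only the CRL lookup (or an OCSP query, which the post's point applies to equally) reflects the revocation. A client that skips the second check is relying entirely on the first, which is the trade-off the post objects to.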