The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates.
My experience is that orgs that don’t bother checking logs are also likely to buy long duration certs. And it’s also frequently a simple FTP drop or something, they’re not taking the time to actually verify things properly.
I also haven’t seem evidence of attackers compromising certificates themselves, if they have the access to do that, they’ll just steal the data they want or install some kind of backdoor for later use.
There is plenty of data on compromised certs. I mean if you steal a cert you essentially steal the identity of that server.
I’m just saying before that you had admins connecting from time to time to the server while deploying but after that change it could be years before someone connects. Cert deployment IMO is often one of the last maintenance that is not automated and one of the hardest to automate both safely and reliably.
But for a business that handles it that way it’s just straight up an upgrade in security to have shorter certs.
I just hope that automation doesn’t bring new vulnerabilities… Otherwise we get safer cert but poorly secured automated PKI to create the certs?
I mean if you have a fully automated cert deployment it could be months with a compromised system and you probably wouldn’t see it.
I don’t know how effective this will be. It still seems short even if it starts in 2029.
How does manual cert generation impact that?
My experience is that orgs that don’t bother checking logs are also likely to buy long duration certs. And it’s also frequently a simple FTP drop or something, they’re not taking the time to actually verify things properly.
I also haven’t seem evidence of attackers compromising certificates themselves, if they have the access to do that, they’ll just steal the data they want or install some kind of backdoor for later use.
There is plenty of data on compromised certs. I mean if you steal a cert you essentially steal the identity of that server.
I’m just saying before that you had admins connecting from time to time to the server while deploying but after that change it could be years before someone connects. Cert deployment IMO is often one of the last maintenance that is not automated and one of the hardest to automate both safely and reliably.
But for a business that handles it that way it’s just straight up an upgrade in security to have shorter certs.