A change in Safari will soon prevent website owners from using TLS certificates for longer than 13 months

Safari search bar iPhone X (Image credit: iMore)

What you need to know

  • Safari will soon warn users of websites whose TLS/SSL certificate is valid for more than 398 days.
  • The change kicks in for certificates issued from September 1st.
  • Some websites currently use multi-year certificates.

Soon, Safari will warn users when a website they're visiting is using a TLS/SSL certificate that is valid for more than 398 days. The certificate doesn't need to have expired, either. Any certificate that was valid for more than 398 days when it was issued will automatically be flagged by the browser.

This follows the 49th CA/Browser Forum in Slovakia, with The Register reporting that the aim is simple: ensure that web developers are using the latest certificates and technology available. Before this move, developers could use certificates valid for multiple years, potentially relying on technology that is long out of date.

The aim of the move is to improve website security by making sure devs use certs with the latest cryptographic standards, and to reduce the number of old, neglected certificates that could potentially be stolen and re-used for phishing and drive-by malware attacks. If boffins or miscreants are able to break the cryptography in a SSL/TLS standard, short-lived certificates will ensure people migrate to more secure certs within roughly a year.

But it isn't all good news, although the people likely to face issues are those in charge of websites. They probably aren't all that keen on the idea of being forced to update their certificates sooner than was previously required. Tim Callan, of SSL management firm Sectigo, told The Register that more certificate replacements mean an increased chance of something going wrong.

Companies need to look to automation to assist with certificate deployment, renewal, and lifecycle management to reduce human overhead and the risk of error as the frequency of certificate replacement increases.

Currently, both GitHub and Microsoft use two-year certificates, with microsoft.com set to be renewed in October. If Microsoft continues its two-year policy, expect to see Safari tell you that the website isn't secure.
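
The rule described above, written as an audit over a certificate inventory. This is an added example, not code from the article or from Apple. It reads certificates in the dict format returned by Python's `ssl.getpeercert()`; the year 2020 for the September 1st cutoff, measuring validity as `notAfter` minus `notBefore`, and the sample hostnames and dates are assumptions.

```python
import socket
import ssl

MAX_DAYS = 398  # limit stated in the article
# Assumption: the article says only "September 1st"; the year 2020 is filled in.
CUTOFF = ssl.cert_time_to_seconds("Sep  1 00:00:00 2020 GMT")

def check_validity(cert, cutoff=CUTOFF, max_days=MAX_DAYS):
    """Classify one certificate dict in ssl.getpeercert() format."""
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days = (expires - issued) / 86400  # validity at issuance, not age
    if issued < cutoff:
        verdict = "exempt"   # issued before the change takes effect
    elif days > max_days:
        verdict = "flagged"  # too long when issued, whether or not expired
    else:
        verdict = "ok"
    return {"days": days, "verdict": verdict}

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live server's leaf certificate (needs network; unused below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def span(not_before, not_after):
    return {"notBefore": not_before, "notAfter": not_after}

# Constructed inventory: hostnames and dates are made up for illustration.
SAMPLE = {
    "two-year-old.example": span("Oct 15 00:00:00 2019 GMT", "Oct 15 00:00:00 2021 GMT"),
    "two-year-new.example": span("Oct 15 00:00:00 2020 GMT", "Oct 15 00:00:00 2022 GMT"),
    "at-limit.example": span("Sep  1 00:00:00 2020 GMT", "Oct  4 00:00:00 2021 GMT"),
    "one-day-over.example": span("Sep  1 00:00:00 2020 GMT", "Oct  5 00:00:00 2021 GMT"),
    "ninety-day.example": span("Jan  1 00:00:00 2021 GMT", "Apr  1 00:00:00 2021 GMT"),
}

def audit(inventory):
    return {host: check_validity(cert) for host, cert in inventory.items()}

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host:24} {result['days']:6.1f} days  {result['verdict']}")
```

A two-year certificate issued before the cutoff is left alone, while the same term issued after it is flagged, which is the situation the article describes for renewals that keep a two-year policy.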

Oliver Haslam

3 Comments
  • Bah, this is stupidity. It is a pain to obtain and install these certificates.
  • It depends on the web server and the certificate, the Let's Encrypt ones are very easy to install.
  • Hey Lori it’s time to update this article. Seems out of date. Love you and Rene by the way. Watch MacBreak every week for as long as it’s been on.