Why can't Google stop meddling

easyhostmedia

Well-known member
Why can't Google stop meddling

A planned CA/B Forum ballot would cap the max validity of SSL certificates at 397 days

Stop me if you’ve heard this one before: the max validity for SSL/TLS certificates could be shortened in the near future. Once it was eight, then five, then three, then two. Now it could be one.

In the coming days or weeks Google’s Ryan Sleevi will introduce a ballot at the CA/B Forum that will cap the maximum validity for SSL/TLS certificates at just one year starting in March 2020. This isn’t the first time this initiative has come up, and if it doesn’t succeed it’s undoubtedly not the last time, either.

So, today we’re going to talk about certificate lifespans, max validity and what this CA/B Forum ballot can tell us about the direction the industry is headed in the future.

Let’s hash it out.

The post One Year Certificate Validity is about to be on the ballot again appeared first on Hashed Out by The SSL Store™.

bigredseo

HD Community Advisor
Staff member
I've mixed feelings on this, but I don't think going to one year is a bad thing. In fact, I'd push this to be the same with domains (1 or 2 year renewals). Having shorter lifespans shows that the company (or domain) still has interest in retaining the domain. If they don't, then release it back to the public and let someone else take a shot at the name.

I'm sure SSLs don't operate in the same regard - the encryption on a 2048-bit SSL (according to DigiCert) would take over 6.4 quadrillion years to break. So it's not that it would be "hackable" within a 1 or 2 year time frame.

The bigger advantage to a shorter span comes when someone is trying to revoke a certificate. If someone gained access to my private key, they would then essentially be able to say they are me. And there's no way to prevent that person from continuing to say they are me until the certificate expires.

When you think about banks, PayPal, Google or any of the major platforms, if someone leaked a key, they would be completely exposed.

Or the case of Symantec and the distrust issued a couple years ago. If a CA becomes untrusted, a person with a 2 year certificate is pretty much screwed and needs to purchase elsewhere.

For this reason, I can see why a shorter period is encouraged.

easyhostmedia

Well-known member

But Google should get their own house in order before meddling in other things.

easyhostmedia

Well-known member
Oh, I agree. But you have to start somewhere. Sometimes it's easier to fix things from the outside looking in.

But the SSL system is not broken, whereas the Google system is.

Over recent years Google has:

1) blocked games/apps from Google Chrome that use Unity
2) discontinued Google Checkout in favour of Google Wallet for digital goods
3) discontinued Google Wallet for digital goods in favour of Google Pay
4) discontinuing Google Pay.

To me it looks like they want to place all their resources into Android and are slowly closing down all their Windows-enabled services.

Next they will discontinue Google Chrome and the Google Search Engine.

I don't think these are broken systems; I think many of the changes we are seeing in Google, such as the ones above, are their way of scrapping something that didn't work and replacing it. As for the Android thing, I think this is the result of many factors, the biggest being Facebook. Search and search revenue (ads) is moving more to mobile, and Facebook is doing a tremendous job of sidelining as a business portal, which is hurting Google. Even their changes to GMB are starting to look more like an SM platform than a business listing (why they bombed G+).

Perhaps when they had a monopoly they could afford to let less profitable projects do their thing, but I think this space is too competitive now to have low-hanging fruit.

"it may be unlikely that Google puts a policy into place that the industry disagrees with." Loved this line from the article though. Google will do what's best for Google; they are a business first, search engine second.

easyhostmedia

Well-known member

They stopped GC many years ago (you needed an SSL to use GC) and GW only lasted a year, as when they changed from GC to GW they stopped many businesses that were using GC from using GW. One main industry was web hosting, as it was not deemed a digital service so could not use GW. Then they brought out Google Pay as the payment service of their Android platform's Google Play service. Now they offer Android Pay.

I had several business apps on my PC and tablet that used Unity; then one day they started to fail, as without warning Google blocked Unity from Chrome.

So they should be getting their own house in order before meddling with something that is not broken.

Yeah, look, I am not disagreeing with you in the aspect that Google needs to get their house in order. I just think a lot of what they do is driven by profit; one example is how they are promoting business directories over small businesses with specialised pages on a certain topic, when Google claims that "content is king". Often those listings are empty but they show up before an established business.

They are saying get on AdWords or compete in a directory. Obviously your story is more related to what you do; this is mine and it makes me mad. I certainly do not have any questions about Google's moral compass being non-existent. Even shutting down Google Plus, there were users who had quite a bit of content and connections on there for many years... and now it's gone. They don't care.

So I can easily believe they would do something with SSL if it's to THEIR benefit and not necessarily ours. Then again, Google doesn't owe us anything.

ughosting

HD Community Advisor
Staff member
Actually, the biggest threat to certificates is that the server on which the private key sits is compromised and the keys get stolen.

Also, remember that Google's interest is not only websites/browsers but also mobile apps/API servers.

By making the service providers rotate their keys more often they are reducing the window in which a stolen certificate/key pair may be used to forge or masquerade as something/someone else.

There's still the obstacle of getting your fake site to respond to the URL of the genuine site, but you can do that anywhere people are using WiFi provided by others.

I'm involved with personal data apps, and we bake 3 certificates into each app, in case the API server gets compromised we can rotate to another certificate without the clients having to be updated.

Should we ever be compromised, we would then purchase another certificate and rotate the compromised one out with the next client release. Along with the normal revocation of the certificate.

ughosting

HD Community Advisor
Staff member
I believe that 30 days would be far too short, as you cannot expect app developers etc. to produce a new version in such a short time.

I think LetsEncrypt have got it about right for the shortest time.

I personally think the current 2 years to be OK!

The certificates I mentioned above are staggered so they expire at different times.

I think on the whole, the mark-up on an SSL cert will be less for a shorter certificate lifetime, but you will get to charge the customer more often.

This will actually benefit you cash-flow-wise!

Automation of renewal is the way to go!

Why other cert providers cannot do what LetsEncrypt has done, is the real question!
But then that would really cut out the middle man.
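An added example in Go (not ughosting's code, nor from any product named in the thread) of the scheme described in ughosting's two posts above: the client bakes in a set of SPKI pins for staggered certificates, rotation means dropping the compromised pin at the next release, and, since the thread is about the 397-day ballot, the check also refuses a leaf whose lifetime exceeds that cap. The self-signed test certificates, the 397-day constant and the SHA-256-of-SPKI pin format are assumptions of this example, not details from the posts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// MaxValidity is the 397-day cap from the ballot discussed in the thread (assumed to be exact days).
const MaxValidity = 397 * 24 * time.Hour
// spkiPin hashes the SubjectPublicKeyInfo (assumed HPKP-style pin): a renewal on the same key keeps its pin.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// selfSigned builds a constructed test certificate valid for `days` days from `start`.
func selfSigned(name string, start time.Time, days int) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the system RNG does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: start, NotAfter: start.Add(time.Duration(days) * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced a line above always parses
	return c
}

// PinSet holds the pins baked into the app; deleting one in the next client release is the rotation step.
type PinSet map[string]bool
// Accept reports whether a presented leaf is pinned, valid at `now`, and within the cap.
func (p PinSet) Accept(c *x509.Certificate, now time.Time) bool {
	inDate := !now.Before(c.NotBefore) && !now.After(c.NotAfter)
	return p[spkiPin(c)] && inDate && c.NotAfter.Sub(c.NotBefore) <= MaxValidity
}

func main() {
	start := time.Now()
	a, b := selfSigned("api-a", start, 365), selfSigned("api-b", start.Add(120*24*time.Hour), 365)
	pins := PinSet{spkiPin(a): true, spkiPin(b): true} // staggered: b expires 120 days after a
	delete(pins, spkiPin(a))                           // a's key was compromised: only b verifies now
	fmt.Println(pins.Accept(a, start.Add(200*24*time.Hour)), pins.Accept(b, start.Add(200*24*time.Hour)))
}
```

Running it prints `false true`: the rotated-out certificate is refused while the staggered spare still verifies, which is the point of shipping more than one pin.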