Google's Controversial Plan: Reduction of SSL/TLS Certificate Validity to a Short 90 Days!
In a bid to bolster online security, Google has proposed a change that could potentially revolutionise the way SSL/TLS certificates are issued and managed. The tech giant's proposal aims to reduce the maximum validity period of these certificates to just 90 days[1].
This move is designed to enhance security by enabling faster adoption of new security standards and reducing the risk associated with compromised or outdated certificates[1][2]. Shorter lifespans limit the window attackers have to exploit stolen or fraudulent certificates, thereby improving the trustworthiness of HTTPS connections[1][2].
The key benefits and implications of this proposal include:
- Improved Security Posture: Shorter certificate validity means encryption algorithms and best practices can be updated more frequently. If a certificate authority (CA) or certificate key is compromised, exposure is limited to a shorter period[1].
- Necessity of Automation: Because renewing certificates every 90 days (or less, with recent moves to 47 days) is not feasible manually, automated tools like Certbot or managed SSL services become essential. This enhances operational security but requires infrastructure updates and monitoring to avoid downtime caused by expired certificates[1].
- Reduced Trust Risk: With quicker revocation and renewal cycles, browsers like Chrome can enforce tighter trust policies, removing trust in problematic CAs faster and protecting users from risky certificates, as seen with Google's distrust of some CAs effective July 2025[3].
- Greater Resilience: Automated renewal combined with backup certificates from different CAs (e.g., Google Trust Services, Let's Encrypt) ensures continuity even if a certificate or key is revoked or compromised[2].
- Industry Trend Toward Short Validity: The move from 2-3 year certificates to 398 days in 2020, then to 90 days, and now proposals for 47 days shows the security industry's emphasis on minimising risk windows despite increasing operational demands[1].
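Renewal cycles this short only work if expiry is watched continuously, so that an automation failure is caught before a certificate lapses. The following is an added example, not code from Google's proposal or from any of the cited sources: it assesses a set of certificates against the 90-day maximum and flags those that need renewing or have already expired. It assumes a Certbot-like convention of renewing once two-thirds of the lifetime has elapsed, and the certificate timestamps in SAMPLE_CERTS and the reference time SAMPLE_NOW are constructed values; the fetch_cert_times helper reads the same fields from a live endpoint and is only needed when the script is pointed at real hosts.

```python
from datetime import datetime, timedelta, timezone
import socket
import ssl

# Maximum validity under the 90-day proposal discussed above.
POLICY_MAX_DAYS = 90
# Renew once two-thirds of the lifetime has elapsed (30 days left on a 90-day
# certificate). This matches Certbot's default renewal window and is an
# assumption about the threshold an operator wants, not part of the proposal.
RENEW_AT_FRACTION = 2 / 3

# Constructed sample certificates (not real ones) in the notBefore/notAfter
# string format that ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERTS = {
    "ninety-day": {
        "notBefore": "Jan 01 00:00:00 2025 GMT",
        "notAfter": "Apr 01 00:00:00 2025 GMT",   # 90-day lifetime
    },
    "legacy-398-day": {
        "notBefore": "Jan 01 00:00:00 2025 GMT",
        "notAfter": "Feb 03 00:00:00 2026 GMT",   # 398-day lifetime, over policy
    },
    "lapsed": {
        "notBefore": "Oct 01 00:00:00 2024 GMT",
        "notAfter": "Dec 30 00:00:00 2024 GMT",   # expired before SAMPLE_NOW
    },
}
# Constructed reference time so the sample report is reproducible.
SAMPLE_NOW = datetime(2025, 3, 5, tzinfo=timezone.utc)


def parse_cert_time(value: str) -> datetime:
    """Parse a getpeercert()-style timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def assess(cert: dict, now: datetime, max_days: int = POLICY_MAX_DAYS,
           renew_fraction: float = RENEW_AT_FRACTION) -> dict:
    """Classify one certificate as ok / renew / expired and note policy violations."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    lifetime = not_after - not_before
    remaining = not_after - now
    findings = []
    # A certificate issued for longer than the policy allows is flagged even if
    # it is nowhere near expiry: it should be reissued under the shorter regime.
    if lifetime > timedelta(days=max_days):
        findings.append(f"lifetime {lifetime.days}d exceeds policy maximum of {max_days}d")
    if remaining <= timedelta(0):
        status = "expired"
    elif now - not_before >= lifetime * renew_fraction:
        status = "renew"
    else:
        status = "ok"
    return {"status": status, "days_remaining": remaining.days,
            "lifetime_days": lifetime.days, "findings": findings}


def assess_all(certs: dict, now: datetime) -> dict:
    return {name: assess(cert, now) for name, cert in certs.items()}


def sample_report() -> dict:
    """Run the assessment over the constructed samples at the constructed time."""
    return assess_all(SAMPLE_CERTS, SAMPLE_NOW)


def fetch_cert_times(host: str, port: int = 443) -> dict:
    """Pull notBefore/notAfter from a live TLS endpoint (needs network access)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            peer = tls.getpeercert()
    return {"notBefore": peer["notBefore"], "notAfter": peer["notAfter"]}


if __name__ == "__main__":
    for name, result in sample_report().items():
        print(f"{name:16} {result['status']:8} {result['days_remaining']:5}d left  "
              f"{result['findings']}")
```

In a real deployment the dictionary of certificates would be built from fetch_cert_times over the inventory of hosts (or from the files an ACME client writes), and anything reported as "renew" or "expired" would page the on-call engineer, since under a 90-day (or 47-day) regime a silent renewal failure becomes an outage within weeks rather than months.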
However, this proposed change is not without its challenges. Website owners relying on longer certificate lifetimes for their business operations have expressed resistance to the proposal[1]. The increased administrative costs associated with more frequent certificate renewals could burden small businesses and individuals[1].
Moreover, the proposal could lead to more certificate-related issues and errors as the frequency of renewals increases[1]. Cybersecurity experts, however, generally agree that shorter lifetimes can be beneficial for online security[1].
Users should stay informed and take steps to protect themselves as the proposal develops. Website owners should follow the proposal's progress, assess how it affects their own certificate management, and be prepared to adapt their systems accordingly[1].
Sources:
[1] https://security.googleblog.com/2021/05/proposing-to-reduce-maximum-tls-cert.html
[2] https://www.zdnet.com/article/google-wants-to-reduce-ssl-tls-certificate-lifetimes-to-90-days/
[3] https://www.theregister.com/2021/05/25/google_chrome_ca_distrust/