Apple, Google push for 47-day SSL certificate expiry
The certificates, which authenticate websites, currently last around 398 days.
Apple and Google are pushing for a major reduction in SSL certificate lifespans, a move that many in the tech world see as more about driving automation than improving security.
SSL/TLS certificates, which authenticate websites, currently last around 398 days.
Google has proposed reducing the lifespan to just 90 days, while Apple wants certificates to expire every 47 days by 2028.
If adopted, IT departments would have to renew certificates every six weeks instead of once a year, a significant increase in workload.
The idea behind this change is to combat “orphaned domain names” — domains left unused when companies abandon products or plans. Cybercriminals can hijack these abandoned domains to launch phishing attacks.
However, security experts like Jon Nelson from Info-Tech Research Group argue that the new expiration periods won’t stop attackers. “47 days is a world of time for me as a bad guy,” he said, noting that it’s enough time for criminals to exploit compromised certificates.
Himanshu Anand, a researcher at security vendor c/side, agrees, suggesting that even more frequent updates would be needed to make a real difference.
Still, many experts question whether orphaned domains are a significant problem for most businesses, with Nelson pointing out that compromised certificates are not among the top security concerns companies face.
The real impact, experts say, will be felt by IT departments, which will face an enormous increase in workload. Certificate renewal is currently a manual process, but with more frequent updates, companies will likely turn to automation.
Nelson believes the push for shorter lifespans is more about encouraging companies to purchase automation tools than enhancing security. “It’s a cash grab,” he said.
Larger organizations like Hearst are already preparing for the changes by adopting automated solutions. CIO Atti Riazi pointed out that while automation can streamline the process, it’s crucial to have strict controls in place to avoid introducing new risks.
Despite the push for faster certificate updates, some experts remain skeptical. Alex Lanstein from StrikeReady said, “There is zero chance the 45 days will happen.”
The debate continues, but one thing is certain: certificate management will soon become more frequent, and IT departments will need to adopt automated solutions to keep up.