Once again Let's Encrypt and its incredible staff have raised the "security bar" a bit higher. And this move is being acknowledged in "security circles" worldwide.
The latest Feisty Duck Newsletter published:
Let’s Encrypt started enabling multiperspective validation, meaning that domain validation will be checked from multiple, internationally distributed points of the internet. Multiperspective validation has been developed as a defense against BGP hijacking and other network layer attacks against domain validation.
I think this was announced by Let's Encrypt Engineer @CPU earlier this year before his retirement announcement.
Thanks @cpu for your contributions. I for one will miss your presence here.
Also the newsletter points out that:
One-Year Certificate Lifetimes are Coming
During a recent meeting of the CA/Browser Forum, Apple announced that its Safari browser will not accept certificates with a lifetime of more than 398 days starting in September of this year. With this announcement, Apple moves ahead with the shorter certificate lifetimes that multiple browsers have wanted for a while.
Shorter certificate lifetimes were championed by Let's Encrypt and now the Internet follows!
Thanks @staff for what you do for the betterment and security of all the rest of us.
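A worked illustration of the quorum idea in that newsletter excerpt, added here as an example and not code from Let's Encrypt or the newsletter: the vantage point names, token values and the one-remote-failure allowance are constructed assumptions, not Let's Encrypt's actual policy.

```python
"""Quorum logic for multi-perspective domain validation (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed scenario: a CA checks control of a domain by fetching a challenge
# token from several vantage points. A BGP hijack that only diverts one network
# path lets an attacker answer from that path alone, so the CA requires the
# perspectives to agree. Quorum size below is an assumption, not LE's policy.

@dataclass(frozen=True)
class Observation:
    vantage: str            # identifier of the vantage point that fetched
    token: Optional[str]    # token seen, or None if the fetch failed

@dataclass
class Result:
    valid: bool
    reason: str
    disagreeing: List[str] = field(default_factory=list)  # hijack signal

def validate_multi_perspective(expected: str, observations: List[Observation],
                               primary: str = "primary",
                               max_remote_failures: int = 1) -> Result:
    """Issue only if the primary AND a quorum of remote perspectives agree."""
    by_vantage = {o.vantage: o for o in observations}
    prime = by_vantage.get(primary)
    if prime is None or prime.token != expected:
        return Result(False, "primary perspective did not see expected token")
    remote = [o for o in observations if o.vantage != primary]
    disagreeing = [o.vantage for o in remote if o.token != expected]
    if len(disagreeing) > max_remote_failures:
        return Result(False, "remote quorum not reached", disagreeing)
    return Result(True, "ok", disagreeing)

VANTAGES = ["primary", "eu-west", "us-east", "ap-south"]  # constructed names

def hijack_scenario(hijacked: Set[str]) -> Result:
    """Attacker orders a cert and answers with 'evil-token' only on paths
    they hijacked; every other perspective still reaches the real owner."""
    obs = [Observation(v, "evil-token" if v in hijacked else "legit-token")
           for v in VANTAGES]
    return validate_multi_perspective("evil-token", obs)

if __name__ == "__main__":
    print(hijack_scenario({"primary"}))                        # single-path hijack: rejected
    print(hijack_scenario({"primary", "eu-west", "us-east"}))  # attacker needs most paths
```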
This is where I will disagree on the last part of your comment. I am all for standardizing shorter lifetimes and agree that the LE community and techs have made things so much better in that regard. However, that announcement comes in the wake of a CA/B Forum ballot back in September that was seeking to lower the max Certificate lifetime to 1 year. The ballot failed and so Certificate lifetimes were not subject to change. Apple’s announcement defies the very purpose of having the CA/B Forum in the first place. What good is a ballot if one of its members is going to force their agenda anyway?
The Certificate Authorities blocked the ballot twice when 100% of browsers were in favor of it; they would have likely blocked it a 3rd and maybe a 4th time. The CAs are motivated by $ because they can sell the 2 year certificates for a higher price and they help differentiate them from free CAs (2 year certs are 8x longer than 90 day certs, compared to 1 year certs being 4x as long).
At some point the browsers had to put their foot down; they are clearly the ones holding all the power and calling the shots.
Regardless, this thread probably isn’t the place to debate the merits of CA/B and Browser policy changes.
Right. And I can understand their arguments too. As a support tech for my company, I hear customers complain about having to renew their Certs every 2 years. There are many who prefer convenience over security. I was actually in discussions with other SSL SMEs and we were talking about the possibility of offering lifespan packages and building automation for renewing Certs for the lifespan package.
Well, those of our customers with OV/EV Certs will still have to redo their validation every year, so it’s not completely seamless. We partner with a CA to provide the option for our customers.