Apple is tightening Safari’s HTTPS certificate validity policy beginning September 1

Apple’s Safari browser for iPhone, iPad and Mac will begin enforcing a tighter certificate policy starting September 1 in an effort to boost the security of websites using the HTTPS protocol.

HTTPS, which we use on iDB as well, encrypts all communication between the website and a web browser, including user names and passwords. Conversely, non-HTTPS websites don’t encrypt traffic so everything gets sent in plain text, making eavesdropping a possibility.

The company made the announcement at the 49th CA/Browser Forum last week.

According to The Next Web today, the Apple browser will begin rejecting any HTTPS certificate valid for more than thirteen months beginning September 1, 2020.

Any certificate issued after September 1, with more than 398 days of validity, will be rejected by Apple’s browser. That means, when you visit a site with such a certificate, you’ll see a privacy warning. However, as a developer, if your website’s certificate was issued prior to September 1, you won’t be affected.

The move may impact websites like GitHub and Microsoft with two-year certificates. A lot of companies buy two-year certificates, so it’ll be interesting to see what can be done to keep HTTPS websites from breaking after the first year. To reiterate, the upcoming Safari change won’t affect websites with a certificate that was issued prior to September 1, 2020.
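For site operators who want to check their own certificates against the rule described above, here is an added example (not code from Apple, the CA/Browser Forum or The Next Web). It treats a certificate’s notBefore date as its issuance date and midnight UTC on September 1, 2020 as the cutoff, both of which are assumptions; the function names and the sample validity windows are made up for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Policy values from the article; midnight UTC as the boundary is an assumption.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_VALIDITY = timedelta(days=398)


def _parse(cert_time):
    """Turn a getpeercert()-style time ('Sep  1 00:00:00 2020 GMT') into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def check_validity(not_before, not_after):
    """Return (verdict, validity_days); notBefore stands in for the issuance date (assumption)."""
    issued, expires = _parse(not_before), _parse(not_after)
    validity = expires - issued
    if validity <= timedelta(0):
        return "invalid-dates", validity.days
    if issued < CUTOFF:
        # Certificates issued before the cutoff keep working regardless of length.
        return "exempt-issued-before-cutoff", validity.days
    if validity > MAX_VALIDITY:
        return "rejected-too-long", validity.days
    return "ok", validity.days


def check_host(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a server presents and apply check_validity()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return check_validity(cert["notBefore"], cert["notAfter"])


# Constructed validity windows, not taken from real certificates.
SAMPLES = {
    "two-year, issued Aug 2020": ("Aug 15 00:00:00 2020 GMT", "Aug 15 00:00:00 2022 GMT"),
    "two-year, issued Sep 2020": ("Sep  1 00:00:00 2020 GMT", "Sep  1 00:00:00 2022 GMT"),
    "398-day, issued Oct 2020": ("Oct  1 00:00:00 2020 GMT", "Nov  3 00:00:00 2021 GMT"),
}

if __name__ == "__main__":
    for label, (nb, na) in SAMPLES.items():
        print(label, check_validity(nb, na))
```

`check_host` needs network access and raises if the server’s certificate already fails normal verification, so an expired or untrusted certificate surfaces as an error rather than a verdict.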

When Apple begins enforcing its new certificate policy in Safari come September 1, the browser will start blocking any website whose security certificate is valid for more than 13 months. Back in 2017, certificate authorities started issuing certificates with up to 825 days of validity, down from more than five years of validity before.

“For end-users, this means that the sites you’re visiting have the latest encryption and security standards to keep your data private,” the article notes.

A security developer called this a step in the right direction from a security standpoint because browsers often don’t check a certificate’s validity in order to speed up a website’s loading time.
