TLS Certificate Risks
We have included a new risk in FractalScan, which can be used to help you prepare for pending changes to how web browsers will handle certificates with a lifespan of more than 90 days.
Currently, the industry standard for web browsers is to enforce a maximum validity period of 398 days for TLS certificates. A certificate that exceeds this period fails the validity check, so anyone browsing to a web site that uses it is presented with a security warning.
Google are in the process of implementing a change to reduce this limit to 90 days. The aim of this proposal is to improve online security by encouraging more frequent certificate renewals. The change has not yet been implemented but is expected to happen towards the end of 2024.
To help prepare for this change, FractalScan now raises a medium severity risk if a certificate is identified with a validity period of over 90 days.
This makes it easy to identify these certificates and take action to reduce their validity period. The best approach is to use an automated certificate lifecycle management tool, which creates and deploys new certificates on a regular schedule without manual intervention.
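The check described above, as an added example rather than FractalScan's own code: it reads the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates`, computes the validity period in days, and reports whether it exceeds the 398-day browser limit or the 90-day threshold. The function names, verdict strings and sample dates are constructed for this example.

```python
"""Check a certificate's validity period against the 398-day browser limit and
the 90-day threshold that raises a medium risk in FractalScan (added example)."""
from datetime import datetime

BROWSER_MAX_DAYS = 398      # validity period browsers currently enforce
FRACTALSCAN_MAX_DAYS = 90   # anything longer raises a medium risk

# Format printed by `openssl x509 -noout -dates`, e.g. "notAfter=Jan  4 23:59:59 2025 GMT"
_DATE_FMT = "%b %d %H:%M:%S %Y"


def parse_openssl_dates(text):
    """Return (not_before, not_after) parsed from `openssl x509 -noout -dates` output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            parts = value.split()              # collapses the padded day ("Jan  4")
            if parts and parts[-1] in ("GMT", "UTC"):
                parts = parts[:-1]             # drop the zone name; X.509 times are UTC
            found[key.strip()] = datetime.strptime(" ".join(parts), _DATE_FMT)
    return found["notBefore"], found["notAfter"]


def validity_days(not_before, not_after):
    """Whole days between the two validity bounds."""
    return (not_after - not_before).days


def classify_validity(days):
    """Map a validity period to the outcome described in the announcement."""
    if days > BROWSER_MAX_DAYS:
        return "browser-warning"   # exceeds the 398-day limit browsers enforce today
    if days > FRACTALSCAN_MAX_DAYS:
        return "medium"            # exceeds 90 days: FractalScan raises a medium risk
    return "ok"


def check_certificate(dates_output):
    """Convenience wrapper: `openssl -dates` text -> (days, verdict)."""
    days = validity_days(*parse_openssl_dates(dates_output))
    return days, classify_validity(days)


# Constructed sample: what `openssl x509 -noout -dates` prints for a one-year certificate.
SAMPLE_DATES = "notBefore=Jan  5 00:00:00 2024 GMT\nnotAfter=Jan  4 23:59:59 2025 GMT\n"

if __name__ == "__main__":
    # Real input would come from, for example:
    #   openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null \
    #     | openssl x509 -noout -dates
    print(check_certificate(SAMPLE_DATES))   # (365, 'medium')
```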