Multi-Year SSLs No Longer Trusted, Keeping The Web Safer


When you browse the web, odds are you are interacting with a secure site. Not sure if it is? Take a look at the top right corner. If you see a padlock, the site is secure. However, if you see a red lock or a message saying “insecure”, you might want to think twice before submitting any data to the website.

If a visitor can enter information on your site, whether it is an email address, phone number, or credit card number, your site needs to be secure!

If you own a website, your web developer probably set you up with an SSL certificate. And if you’re like me, you paid for your SSL several years in advance. While paying in advance seems like an excellent way to reduce downtime and save money, this will no longer be a viable option, as SSL certificates will need to be renewed every year.

Why Are Multi-Year SSL Certificates No Longer Trusted?

Introduced by Google’s Ryan Sleevi back in August 2019, Ballot SC22 proposed shortening the maximum certificate lifetime from 825 days to 398 days. The goal was to make SSL certificates more secure by reducing the length of time for which an improperly validated certificate could remain active. Unfortunately, this ballot failed to pass.

However, Apple decided to take matters into their own hands. On September 1st, 2020, they will drop support for any SSL certificate with a validity period longer than a year in Safari on both iOS (iPhone / iPad) and macOS (MacBooks, iMac, etc.). Apple’s move prompted other browser vendors to drop their support as well. Even certificate authorities (CAs) like Comodo will be removing their multi-year certificate products as a result. This means that after September 1st, Mozilla Firefox, Google Chrome, Safari, and Microsoft Edge will drop support for multi-year SSL certificates purchased AFTER this date. If you’re unsure whether your certificate will be valid, this FREE tool can help you get a good idea of your certificate’s lifespan and expiration date.

What does this mean for your site visitors?

Fortunately, any certificate issued before the cutoff date will remain valid regardless of its lifespan. However, after September 1st, we recommend that you purchase a 1-year SSL certificate. That way you avoid running into an invalid certificate error that can impact your site’s search ranking and erode your visitors’ trust. There are many places where you can buy an SSL certificate, My Website Spot being one of them. Once you purchase your certificate, your site’s developer will have to install it on your server.
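The rule above (certificates issued before the cutoff stay valid, later ones must be short-lived) can be checked from a certificate's two dates. This is an added example, not code from My Website Spot or from the tool mentioned in the article. It assumes the 398-day figure from Ballot SC22 as the limit and a cutoff of 00:00 UTC on September 1, 2020; `check_lifetime` and the sample certificates are constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # date given in the article
MAX_LIFETIME = timedelta(days=398)  # assumption: Ballot SC22 figure used as the limit

def _parse(cert_time):
    """Parse the 'Sep  1 00:00:00 2020 GMT' format used by ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def check_lifetime(cert, now=None):
    """Classify a certificate dict (getpeercert() shape) against the lifetime rule."""
    now = now or datetime.now(timezone.utc)
    issued, expires = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    lifetime = expires - issued
    if expires <= now:
        verdict = "expired"
    elif issued > now:
        verdict = "not yet valid"
    elif issued < CUTOFF:
        verdict = "ok (issued before cutoff)"  # grandfathered, any lifespan
    elif lifetime > MAX_LIFETIME:
        verdict = "rejected (lifetime over limit)"
    else:
        verdict = "ok"
    return {"lifetime_days": lifetime.days,
            "days_left": max((expires - now).days, 0),
            "verdict": verdict}

# Constructed sample certificates; a live one would come from
# ssl.SSLSocket.getpeercert() on a verified connection.
SAMPLES = {
    "two-year, issued before cutoff": {
        "notBefore": "Aug 15 00:00:00 2020 GMT", "notAfter": "Aug 15 00:00:00 2022 GMT"},
    "two-year, issued after cutoff": {
        "notBefore": "Sep 15 00:00:00 2020 GMT", "notAfter": "Sep 15 00:00:00 2022 GMT"},
    "one-year, issued after cutoff": {
        "notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Oct 31 00:00:00 2021 GMT"},
}
NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are repeatable

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name}: {check_lifetime(cert, now=NOW)}")
```
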

What can we expect to see in the future? 

In the past, certificates could have a validity of 8 to 10 years, but that number has been significantly reduced over the years. Browser vendors such as Mozilla, Apple, and Google quickly found out that a longer validity period leads to a longer window of exposure to threats. If a certificate is found to use a known insecure cryptographic technology (as was the case with SHA-1 SSL certificates), then a shorter window of exposure protects sites from potential exploits.

We can only expect the time frame to get shorter as time progresses, and it is important to stay up to date with these changes, not only to avoid the rank penalties of having an insecure site but also to avoid losing visitor trust. We here at My Website Spot take security seriously, and at the time of this writing, our clients’ SSL certificates are automatically updated and replaced once every 3 months!

In the future, site visitors could begin to see errors in their browser like the one below, captured from Firefox, when a multi-year SSL is used:

[Image: a bad SSL warning]

In some cases, their web browser may not even let them access the site – even if they trust you and try to proceed.

Google has already been enforcing mandatory SSL certificates since 2017 in an attempt to protect its users from landing on insecure websites.

In Google’s eyes, no padlock means no page rank!

How do I prepare?

The good news is that you can relax until your SSL has expired. These changes won’t affect your site unless your certificate expires after September 1. However, once your certificate expires, it is imperative that you reach out to your developer and purchase a one-year SSL.

If you need further assistance with your website’s SSL or would like additional security for your site, please call us at 407-499-4008 or contact us.
