Safari soon won’t accept HTTPS certificates longer than 13 months
Apple announced during last week’s CA/Browser Forum that Safari will soon reject any HTTPS certificates that expire in any longer than 13 months.
The CA/Browser Forum is a voluntary consortium that began in 2005 as part of an effort among certification authorities and browser software vendors to provide greater assurance to web users about the sites they visit.
HTTPS certificates, using TLS encryption, help to ensure the sites a user visits are safe and legitimate. However, just because a site was once safe doesn’t mean that it still is.
Certificate authorities once used to even issue certificates with ten years of validity. In 2017, the maximum length was reduced to 825 days – which many people believed was still too long and failed to offer sufficient protection to web users.
To help tackle the problem, Apple has decided that Safari will reject any HTTPS certificate that has more than 398 days before it expires and display a privacy warning to website visitors.
Several leading websites will currently fall foul of Apple’s decision, including Microsoft and GitHub.
Security developer Michal Špaček highlighted on his blog that some web browsers speed up a website’s loading time by not checking certificates. Špaček suggests visiting this website to see whether your browser checks for certificates or not.
The new rules will affect certificates issued after September 1st. If your current certificate was issued prior to this date, you’ll be ok until it comes to renewal.
Facebook has issued an update following its decision to cancel this year’s F8 conference over coronavirus fears. F8 is Facebook’s annual event to update the world on its plans for world domination. The event is developer-focused but users also watch the conference to learn about all the new apps, features, and even hardware coming their way.
Apple has updated its App Store guidelines to allow iOS app developers to send ads using push notifications. Cupertino has traditionally been strict around areas which could be detrimental to a user’s experience; advertising being a key one. In the past, developers were unable to use push notifications for “advertising, promotions, or direct marketing purposes.”
Online audio distribution platform and music sharing website SoundCloud has fixed several security vulnerabilities affecting its API that could have otherwise resulted in hackers taking over accounts, launching denial of service attacks, and exploiting the service.
Huawei has unveiled further details about its replacements to Google’s services as it prepares to lose access following US sanctions. During an event in London, Huawei made its pitch as to why developers should port their apps to HMS (Huawei Mobile Services). The first reason is a cash incentive. Huawei announced that it will use a pot of £20 million ($26 million) to help persuade developers to bring their apps to HMS.
