Nancy OShea
Community Expert
August 26, 2021

OT: New Policy on SSL Renewals


I always purchase my SSL/TLS certs for multiple years to save money.  It's one less thing to think about for a while...

 

This year I renewed certs for multiple domains for 3 years as before.  But instead of expiring in 2024, they all expire in 12 months. DRAT!  Evidently, the policy changed last year.  A newly generated CSR is required every 12 months now.

 


B i r n o u (Correct answer)
Legend
August 27, 2021

Yes, it's true that the security policy has changed on this side. Even the latest versions of browsers no longer accept certificates that last for more than a year without renewal.


Just a question: I imagine that you have an independent server, and thus not a shared one... why then remain on the paid certificates... why not use Let's Encrypt?... It's just a question to understand, not to advise.
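The browser rule behind the poster's surprise is the 398-day limit on publicly trusted leaf certificates (Apple's policy for certificates issued on or after 1 September 2020, followed by Chrome and Mozilla). The script below is an added example, not code from this thread or from any CA: it takes the text that `openssl x509 -in cert.pem -noout -subject -dates` prints for each certificate, works out the validity period and the days remaining, and flags certificates that browsers would reject, that are expired, or that are inside a 30-day renewal window (certbot's default for 90-day Let's Encrypt certificates). The three certificates in the sample are constructed for the example, with the "current time" pinned to 1 September 2021 so the output is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Publicly trusted leaf certificates issued on or after this date may not be
# valid for more than 398 days; Safari, Chrome and Firefox reject longer ones.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LEAF_LIFETIME = timedelta(days=398)
# Renew when this much (or less) validity remains; certbot's default for
# 90-day Let's Encrypt certificates is 30 days.
RENEW_WITHIN = timedelta(days=30)
# Fixed "current time" so the sample run is reproducible (assumption for the example).
AS_OF = datetime(2021, 9, 1, tzinfo=timezone.utc)

# Constructed sample of what
#   openssl x509 -in cert.pem -noout -subject -dates
# prints, concatenated for three hypothetical hosts; not the poster's real certificates.
SAMPLE_OPENSSL_OUTPUT = """\
subject=CN = example.com
notBefore=Aug 26 00:00:00 2021 GMT
notAfter=Aug 26 23:59:59 2024 GMT
subject=CN = shop.example.com
notBefore=Aug 26 00:00:00 2021 GMT
notAfter=Aug 26 23:59:59 2022 GMT
subject=CN = blog.example.com
notBefore=Jul  1 00:00:00 2021 GMT
notAfter=Sep 29 00:00:00 2021 GMT
"""


def parse_openssl_time(value):
    """Parse 'Aug 26 00:00:00 2021 GMT' (openssl's -dates format) into an aware UTC datetime."""
    stamp, zone = value.strip().rsplit(" ", 1)
    if zone not in ("GMT", "UTC"):
        raise ValueError(f"unexpected time zone in openssl output: {zone}")
    # strptime treats a space in the format as one-or-more spaces, so 'Jul  1' parses too
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Group openssl's subject=/notBefore=/notAfter= lines into one dict per certificate."""
    certs, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key == "subject":
            current = {"subject": value.strip()}
            certs.append(current)
        elif key in ("notBefore", "notAfter") and current is not None:
            current[key] = parse_openssl_time(value)
    # drop any record for which openssl did not print both dates
    return [c for c in certs if "notBefore" in c and "notAfter" in c]


def audit(cert, now):
    """Classify one certificate: too long for browsers, expired, due for renewal, or fine."""
    lifetime = cert["notAfter"] - cert["notBefore"]
    remaining = cert["notAfter"] - now
    if cert["notBefore"] >= POLICY_START and lifetime > MAX_LEAF_LIFETIME:
        status = "REJECTED_BY_BROWSERS"   # the 3-year certificate the poster expected to get
    elif remaining <= timedelta(0):
        status = "EXPIRED"
    elif remaining <= RENEW_WITHIN:
        status = "RENEW_NOW"
    else:
        status = "OK"
    return {
        "subject": cert["subject"],
        "lifetime_days": lifetime.days,
        "days_remaining": remaining.days,
        "status": status,
    }


def audit_all(text, now=AS_OF):
    """Audit every certificate found in the openssl output text."""
    return [audit(cert, now) for cert in parse_openssl_dates(text)]


if __name__ == "__main__":
    for r in audit_all(SAMPLE_OPENSSL_OUTPUT):
        print(f"{r['subject']:<24} lifetime={r['lifetime_days']:>5}d "
              f"remaining={r['days_remaining']:>5}d  {r['status']}")
```

In the sample, the first certificate (1096 days) is exactly what the poster expected to buy and is what browsers now reject; the second is the 12-month certificate the CA actually issued; the third is a 90-day Let's Encrypt-style certificate that has 28 days left and should be renewed. Running this from cron over the live certificates is the practical answer to the "one less thing to think about" problem: the check, not the purchase term, is what keeps renewals from being forgotten.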

Nancy OShea
Community Expert
August 27, 2021

Let's Encrypt is a non-profit org that issues FREE Domain Verified certs to anybody who wants them, phishing sites included. They answer to no one except themselves.

 

You might say "any encryption is better than no encryption." And for most amateur/hobby & vanity sites that don't do anything critical, that's true. But beyond that, you get what you pay for, which isn't much. LE offers no technical support. And LE's free certs provide no warranty protection in the event of failures on their end.

 

Why Let's Encrypt is a Really, Really Bad Idea

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801

 

Businesses, and particularly those who fall under the PCI-DSS and HIPAA umbrellas, have to carefully consider what legal recourse their customers have in suing them in the event of a data breach. And this should be done in consultation with the business owner's attorney.

 

BEST PRACTICE:

============

Depending on your needs, choose CAs that offer higher than Domain Verified (DV) assurance. Organization Verified (OV) and Extended Organization Verified (EV) trusts cost more.

 

Use well-respected and recognized CAs with a proven track record, technical support and a fiduciary responsibility to other entities (stockholders).

Comodo CA, Sectigo, Symantec, Thawte, GeoTrust, DigiCert, RapidSSL, etc...

 

Choose certificate warranties that range from $10,000 to $2 million+ in liability coverage.

 

Use 256-bit or higher encryption strength. If your server doesn't support 256-bit, find a better web host.

 

Nancy O'Shea— Product User & Community Expert
Legend
August 27, 2021

Most of the websites I produce don't really require any kind of SSL certificate. It's barking mad in my opinion that browsers will flag up an insecure connection when no security is needed. No one is going to hack websites which get less than 1500 views a week, and that's going to be the majority of websites on the internet, made up mostly of small companies which offer specialist services and only have a simple enquiry form which requires no critical information being supplied. We all know that we live in a stupid world these days when just providing your name willingly could be viewed as a breach of your privacy by the wokie left minority who now run the World.

 

Of course, if you produce national websites where they get thousands, even millions of views a day/week and sell merchandise, do financial transactions or request private/sensitive information, they do have to be protected by an SSL certificate, and Let's Encrypt would not be strong enough for those websites in my opinion, but let's not fool ourselves, like the wokie lefties are: 90% of the web comprises websites for small businesses which are 'portfolio' websites.

 

I only deploy Let's Encrypt as a matter of being 'cosmetic' in the URL bar rather than it being useful for anything to do with website security, and only when a client asks me to do so.