SSL Certificates are Getting Cut Down to 47 days — Who Makes These Fucking Decisions?

Recently I went to renew one of the many SSL certificates I manage, and they hit me with a message saying the new cert would only be valid for 200 days, instead of the usual 1 year. WTF? Is this some stupid scheme to get more money out of me? No, apparently it’s a real thing. And 200 days is just the tip of the iceberg. By 2029, certificate lifespans will be reduced to 47 days.

Who makes these fucking decisions?

More importantly, why are they doing this?

I’ve been searching for an answer. To be honest, I haven’t found one that satisfies. All I see over and over is some vague excuse about “increased security”. Is there some new threat we don’t know about? Have there been attacks because of an SSL cert at day-364 that wouldn’t have happened at day-46? Because this seems ridiculous and totally unnecessary.

How did we get here?

If you’re old like me, you’ll remember when http:// (i.e. not secured) connections were the norm. If you were on an eCommerce site then sure it might click over to https:// on the checkout page, just before you entered your credit card number — but that was it.

Then at some point along the way, Google decided every website needed to be HTTPS. It was no longer just eCommerce sites. Now every stay-at-home wife with a crafting blog had to go out and get an SSL certificate, or else their site would be buried by Google and never found again.

There is absolutely no reason for a purely informational site, which neither sends nor receives confidential information, to be forced to have HTTPS. I mean sure if you want it, go ahead. But why is it Google’s role to force us? If I remember correctly, they claimed they were super worried about government spying, and forcing HTTPS internet-wide was their way of “sticking it to the man”. (I remember reading about this years ago but I can’t find it now… if anybody out there remembers what I’m talking about please let me know in the comments!)

Next it turned out that forcing every website to be HTTPS wasn’t enough — they decided to force the end users too. Conveniently, Google just happens to own the most popular web browser currently in use. With each passing update, Chrome has been getting more aggressive about scaring you into using HTTPS and only HTTPS.

Google may not be the only ones forcing us in this direction, but clearly they’ve been one of the primary ones. They must get some benefit out of this, but what it is, I can’t figure out.

I still manage a lot of sites for a lot of clients, and they all want to be found in Google search results, therefore they all have to have SSL certs. For the eCommerce and/or more “important” sites I’ve been buying certs from Sectigo (formerly Comodo). For the mom blogs, I originally got free certs from StartSSL, and now from Let’s Encrypt. Let’s Encrypt is great because it allows me to automate certificate renewals thanks to Certbot. It’s saved me both time and money. Meanwhile, I’ve continued paying annually to renew Sectigo certs on the “important” sites, manually installing them every year. Foolishly I did this thinking the paid certs were somehow “better”.

Now here we are in 2026, and some group called the “CA/Browser Forum” has voted unanimously to make us go through the annual SSL cert song-and-dance, every month.

Who is this fucking “CA/Browser Forum”? Apparently the usual big tech suspects (Google, Apple, Microsoft), but also the certificate authorities who issue SSL certificates.

So now what happens?

Well, the first thing I’ve realized is this: It turns out nobody gives a shit what kind of cert you have, as long as their browser doesn’t throw any scary warnings at them. No end user has a fucking clue about the difference between DV, OV, or EV; between Sectigo, DigiCert, GlobalSign, GoDaddy, or Thawte.

That means I’m never paying for an SSL cert again. It’s free Let’s Encrypt certs on everything from now on.

That’s fine by me because it saves me money, but my real question is this… again, what do “they” gain from this? For the certificate authorities — companies who make money selling SSL certificates — isn’t this shooting themselves in the foot? They’re actively pushing everyone into the arms of Let’s Encrypt. Why would they do that?

Call me old and cynical, but shit like this makes me really suspicious. There has to be a real motivation behind this, and they’re just not saying what it is.

A 47-day expiration means, practically speaking, replacing certs every month. Doing that manually is crazy, so clearly they are forcing us to switch to automated tools (Certbot or acme.sh, I guess). Those tools are made to work with the free cert providers right out of the box. If I’m going through the steps to set up SSL automation, why wouldn’t I go ahead and use the free ones already there? Why would I go through extra steps to connect it to a paid CA? So I can pay money for something already being offered to me for free?
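To put numbers on the "every month" claim, here is an added example (not code from this post) that works out the renewal schedule for certs of different lifetimes and flags the ones an automated job should renew now. It assumes the common ACME-client rule of renewing once a third of the validity period is left (Certbot's long-standing default of 30 days on a 90-day cert); the inventory and clock are constructed.

```python
import ssl
from datetime import datetime, timezone

# Renew once less than this fraction of the validity period remains. Certbot's
# long-standing default for 90-day Let's Encrypt certs is 30 days, i.e. one third.
RENEW_FRACTION = 1 / 3


def parse_cert_time(value: str) -> datetime:
    """Parse the 'Jun 17 00:00:00 2026 GMT' form that Python's ssl module reports."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def renewal_plan(cert: dict, now: datetime) -> dict:
    """For one cert: how often it must be replaced, and whether that is due now."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    validity_days = (not_after - not_before).days
    days_left = (not_after - now).days
    threshold_days = validity_days * RENEW_FRACTION
    return {
        "name": cert["name"],
        "validity_days": validity_days,
        "days_left": days_left,
        # How often an automated client will actually replace this cert.
        "renew_every_days": round(validity_days - threshold_days),
        "expired": days_left < 0,
        "renew_now": days_left < threshold_days,
    }


def certs_needing_renewal(certs: list, now: datetime) -> list:
    """Names of the certificates an automated job should renew on this run."""
    return [p["name"] for p in (renewal_plan(c, now) for c in certs) if p["renew_now"]]


# Constructed inventory and clock; names and dates are made up for the example.
SAMPLE_NOW = datetime(2026, 6, 3, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"name": "shop.example (1-year paid cert)",
     "notBefore": "Jan 1 00:00:00 2026 GMT", "notAfter": "Jan 1 00:00:00 2027 GMT"},
    {"name": "blog.example (90-day ACME cert)",
     "notBefore": "Apr 15 00:00:00 2026 GMT", "notAfter": "Jul 14 00:00:00 2026 GMT"},
    {"name": "api.example (47-day cert)",
     "notBefore": "May 1 00:00:00 2026 GMT", "notAfter": "Jun 17 00:00:00 2026 GMT"},
    {"name": "old.example (manual renewal missed)",
     "notBefore": "Mar 1 00:00:00 2025 GMT", "notAfter": "Mar 1 00:00:00 2026 GMT"},
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        p = renewal_plan(cert, SAMPLE_NOW)
        print(f"{p['name']:40} valid {p['validity_days']:3}d, {p['days_left']:4}d left, "
              f"renew every {p['renew_every_days']}d, {'RENEW NOW' if p['renew_now'] else 'ok'}")
```

With a 47-day cert the job replaces it every 31 days, and any cert still renewed by hand (the last entry) simply expires and shows up as overdue.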

I just don’t understand the business model.

As a software developer though I do understand the saying “if it’s free, you are the product” very well. That’s how the tech world thinks. So what I want to know is, what are they getting out of this? Is this about making us feel “safe” so we relax our guard while they secretly spy on us in some other way? What am I missing here?

I know what you’re thinking — “take off the tin-foil hat, Programmer Bear”. And maybe you’re right. It’s just that “they” (big tech) have abused my trust so many damn times, I have a hard time believing they do anything with pure motives anymore. I would love to be wrong about this.

Suffice it to say, I’m deeply suspicious. If they can point to actual attacks that have happened, and how short expirations solve them, then maybe I’d start to believe. But right now, it all seems very fake and artificial, and I really want to know why. Please let it be just some scheme to make more money somehow.