Comment on Decreasing Certificate Lifetimes to 45 Days

probable_possum@leminal.space ⁨5⁩ ⁨hours⁩ ago

• cron@feddit.org ⁨4⁩ ⁨hours⁩ ago

  Short lifespans are also great when domains change their owner. With a 3 year lifespan, the old owner could possibly still read traffic for a few more years.

  When the lifespan ist just 30-90 days, that risk is significatly reduced.

  source
• LastYearsIrritant@sopuli.xyz ⁨5⁩ ⁨hours⁩ ago

  The point is, if the certificate gets stolen, there’s no GOOD mechanism for marking it bad.

  If your password gets stolen, only two entities need to be told it’s invalid. You and the website the password is for.

  If an SSL certificate is stolen, everyone who would potentially use the website need to know, and they need to know before they try to contact the website. SSL certificate revocation is a very difficult communication problem, and it’s mostly ignored by browsers because of the major performance issues it brings having to double check SSL certs with a third party.

  source

  • mbirth@lemmy.ml ⁨3⁩ ⁨hours⁩ ago

    The point is, if the certificate gets stolen, there’s no GOOD mechanism for marking it bad.

    That’s what OCSP is for. Only Google isn’t playing along as per that wiki entry.

    source
  • wildbus8979@sh.itjust.works ⁨3⁩ ⁨hours⁩ ago

    That’s what Carla are for.

    source
  • Lyra_Lycan@lemmy.blahaj.zone ⁨5⁩ ⁨hours⁩ ago

    But browsers have a marker for dangerous sites - surely Cloudflare, Amazon or Google should have a report system and deliver warnings at the base

    source

    • False@lemmy.world ⁨4⁩ ⁨hours⁩ ago

      Browsers are only a fraction of SSL traffic.

      source

      • Auli@lemmy.ca ⁨4⁩ ⁨hours⁩ ago

        So is there an example of SSL certs being stolen and used nefariously. Only thing that sticks out to me is certificate authorities being bad.

        source

        • -> View More Comments