Short lifespans are also great when domains change their owner. With a 3 year lifespan, the old owner could possibly still read traffic for a few more years.
When the lifespan ist just 30-90 days, that risk is significatly reduced.
Comment on Decreasing Certificate Lifetimes to 45 Days
probable_possum@leminal.space 2 weeks ago
It’s the “change your password often odyssey” 2.0. If it is safe, it is safe, it doesn’t become unsafe after an arbitrary period of time (if the admin takes care and revokes compromised certs). Or am I missing the point?
cron@feddit.org 2 weeks ago
Appoxo@lemmy.dbzer0.com 2 weeks ago
Only matters for LE certs.
You can still buy 1 year certsprobable_possum@leminal.space 2 weeks ago
Moot point!
cron@feddit.org 2 weeks ago
The maintainers of the big web browsers have pretty strict rules for CAs in this list. If any one of them gets caught issuing only one certificate maliciously, they are out of business.
And all CAs are required to publish each certificate in multiple public, cryptographically signed ledgers.
Sure, there is a history of CAs issuing certificates to people that shouldn’t have them (e.g. for espionage), but that is almost impossible now.
LastYearsIrritant@sopuli.xyz 2 weeks ago
The point is, if the certificate gets stolen, there’s no GOOD mechanism for marking it bad.
If your password gets stolen, only two entities need to be told it’s invalid. You and the website the password is for.
If an SSL certificate is stolen, everyone who would potentially use the website need to know, and they need to know before they try to contact the website. SSL certificate revocation is a very difficult communication problem, and it’s mostly ignored by browsers because of the major performance issues it brings having to double check SSL certs with a third party.
mbirth@lemmy.ml 2 weeks ago
That’s what OCSP is for. Only Google isn’t playing along as per that wiki entry.
KairuByte@lemmy.dbzer0.com 2 weeks ago
I mean, are you intending to retroactively add SSL to every tool implementing SSL in the past few decades?…
Browsers aren’t the only thing that ingress SSL.
mbirth@lemmy.ml 2 weeks ago
Then there’s the older way of checking CRLs which any tool of the past few decades should support.
Lyra_Lycan@lemmy.blahaj.zone 2 weeks ago
But browsers have a marker for dangerous sites - surely Cloudflare, Amazon or Google should have a report system and deliver warnings at the base
False@lemmy.world 2 weeks ago
Browsers are only a fraction of SSL traffic.
Auli@lemmy.ca 2 weeks ago
So is there an example of SSL certs being stolen and used nefariously. Only thing that sticks out to me is certificate authorities being bad.
wildbus8979@sh.itjust.works 2 weeks ago
That’s what Carla are for.
AtariDump@lemmy.world 2 weeks ago
Image
wildbus8979@sh.itjust.works 2 weeks ago
How did you reply to a deleted comment?
bss03@infosec.pub 2 weeks ago
Looks like autoincorrect did a s/CRLs/Carla/ for you.
wildbus8979@sh.itjust.works 2 weeks ago
And that somehow Lemmy didn’t federate my deletion!