But browsers have a marker for dangerous sites - surely Cloudflare, Amazon or Google should have a report system and deliver warnings at the base
Comment on Decreasing Certificate Lifetimes to 45 Days
LastYearsIrritant@sopuli.xyz 2 months agoThe point is, if the certificate gets stolen, there’s no GOOD mechanism for marking it bad.
If your password gets stolen, only two entities need to be told it’s invalid. You and the website the password is for.
If an SSL certificate is stolen, everyone who would potentially use the website need to know, and they need to know before they try to contact the website. SSL certificate revocation is a very difficult communication problem, and it’s mostly ignored by browsers because of the major performance issues it brings having to double check SSL certs with a third party.
Lyra_Lycan@lemmy.blahaj.zone 2 months ago
False@lemmy.world 2 months ago
Browsers are only a fraction of SSL traffic.
Auli@lemmy.ca 2 months ago
So is there an example of SSL certs being stolen and used nefariously. Only thing that sticks out to me is certificate authorities being bad.
wildbus8979@sh.itjust.works 2 months ago
That’s what Carla are for.
AtariDump@lemmy.world 2 months ago
wildbus8979@sh.itjust.works 2 months ago
How did you reply to a deleted comment?
bss03@infosec.pub 2 months ago
Probably the comment has federated to lemmy.world, but the deletion of the comment hasn’t yet.
bss03@infosec.pub 2 months ago
Looks like autoincorrect did a s/CRLs/Carla/ for you.
wildbus8979@sh.itjust.works 2 months ago
And that somehow Lemmy didn’t federate my deletion!
mbirth@lemmy.ml 2 months ago
That’s what OCSP is for. Only Google isn’t playing along as per that wiki entry.
KairuByte@lemmy.dbzer0.com 2 months ago
I mean, are you intending to retroactively add SSL to every tool implementing SSL in the past few decades?…
Browsers aren’t the only thing that ingress SSL.
mbirth@lemmy.ml 2 months ago
Then there’s the older way of checking CRLs which any tool of the past few decades should support.