That’s what Carla are for.
Comment on Decreasing Certificate Lifetimes to 45 Days
LastYearsIrritant@sopuli.xyz 5 hours agoThe point is, if the certificate gets stolen, there’s no GOOD mechanism for marking it bad.
If your password gets stolen, only two entities need to be told it’s invalid. You and the website the password is for.
If an SSL certificate is stolen, everyone who would potentially use the website need to know, and they need to know before they try to contact the website. SSL certificate revocation is a very difficult communication problem, and it’s mostly ignored by browsers because of the major performance issues it brings having to double check SSL certs with a third party.
wildbus8979@sh.itjust.works 3 hours ago
Lyra_Lycan@lemmy.blahaj.zone 4 hours ago
But browsers have a marker for dangerous sites - surely Cloudflare, Amazon or Google should have a report system and deliver warnings at the base
False@lemmy.world 4 hours ago
Browsers are only a fraction of SSL traffic.
Auli@lemmy.ca 4 hours ago
So is there an example of SSL certs being stolen and used nefariously. Only thing that sticks out to me is certificate authorities being bad.
mbirth@lemmy.ml 3 hours ago
That’s what OCSP is for. Only Google isn’t playing along as per that wiki entry.