But browsers have a marker for dangerous sites - surely Cloudflare, Amazon or Google should have a report system and deliver warnings at the base
Comment on Decreasing Certificate Lifetimes to 45 Days
LastYearsIrritant@sopuli.xyz 2 weeks agoThe point is, if the certificate gets stolen, there’s no GOOD mechanism for marking it bad.
If your password gets stolen, only two entities need to be told it’s invalid. You and the website the password is for.
If an SSL certificate is stolen, everyone who would potentially use the website need to know, and they need to know before they try to contact the website. SSL certificate revocation is a very difficult communication problem, and it’s mostly ignored by browsers because of the major performance issues it brings having to double check SSL certs with a third party.
Lyra_Lycan@lemmy.blahaj.zone 2 weeks ago
False@lemmy.world 2 weeks ago
Browsers are only a fraction of SSL traffic.
Auli@lemmy.ca 2 weeks ago
So is there an example of SSL certs being stolen and used nefariously. Only thing that sticks out to me is certificate authorities being bad.
wildbus8979@sh.itjust.works 2 weeks ago
That’s what Carla are for.
AtariDump@lemmy.world 2 weeks ago
wildbus8979@sh.itjust.works 2 weeks ago
How did you reply to a deleted comment?
bss03@infosec.pub 2 weeks ago
Probably the comment has federated to lemmy.world, but the deletion of the comment hasn’t yet.
bss03@infosec.pub 2 weeks ago
Looks like autoincorrect did a s/CRLs/Carla/ for you.
wildbus8979@sh.itjust.works 2 weeks ago
And that somehow Lemmy didn’t federate my deletion!
mbirth@lemmy.ml 2 weeks ago
That’s what OCSP is for. Only Google isn’t playing along as per that wiki entry.
KairuByte@lemmy.dbzer0.com 2 weeks ago
I mean, are you intending to retroactively add SSL to every tool implementing SSL in the past few decades?…
Browsers aren’t the only thing that ingress SSL.
mbirth@lemmy.ml 2 weeks ago
Then there’s the older way of checking CRLs which any tool of the past few decades should support.