Most active commenters
  • lvh(4)

←back to thread

All extensions disabled due to expiration of intermediate signing cert

(bugzilla.mozilla.org)
1318 points xvector | 24 comments | 04 May 19 01:31 UTC | HN request time: 0.517s | source | bottom
Show context
needle0 ◴[04 May 19 01:56 UTC] No.19823806[source]
I’ll still keep using Firefox since I recognize the importance of browser diversity and the hazards of a Chrome monoculture (that and vertical tabs), but, yikes.

Still, this type of oversight seems all too common even in large companies. I remember several cases from Fortune 500 companies in the past few years alone. What would be a good way to automate checking for them? Has anyone developed a tool designed specifically to avoid certificate expiry disasters?

replies(18): >>19823825 #>>19823829 #>>19823831 #>>19823840 #>>19823848 #>>19823861 #>>19823913 #>>19823994 #>>19824009 #>>19824223 #>>19824243 #>>19824298 #>>19824668 #>>19824724 #>>19824795 #>>19824840 #>>19824927 #>>19825103 #
1. kam ◴[04 May 19 02:07 UTC] No.19823861[source]
ACME / Let's Encrypt go in the direction of making expiry happen so often that renewal gets automated, rather than a being a rare manual process that can be forgotten about.

Not sure that's viable for a signing certificate like this, but that's the way to solve it for the web PKI.

replies(3): >>19824049 #>>19824088 #>>19824159 #
2. SomeHacker44 ◴[04 May 19 02:48 UTC] No.19824049[source]
This is just abusive to the vast majority of users who do not care but still want to use SSL for their servers, frankly. I should be allowed to choose a near unlimited lifetime for my server's certificate if I don't care about the risks that may present.
replies(3): >>19824072 #>>19824221 #>>19824499 #
3. httpsterio ◴[04 May 19 02:54 UTC] No.19824072[source]
As the service provider, you shouldn't get to decide. I think it's the users who can decide how long lived certs they're willing to trust.
replies(1): >>19824228 #
4. dev_dull ◴[04 May 19 02:57 UTC] No.19824088[source]
It’s funny to me that people talk about this limitation as if it were some kind of virtue.
replies(2): >>19824114 #>>19824142 #
5. tty2300 ◴[04 May 19 03:03 UTC] No.19824114[source]
Its also more secure. Long lived certs risk the possibility that someone who used to own the domain got a certificate on it and it still works after the domain is resold. Once you automate it there is no downside to short lived certs.
replies(1): >>19824233 #
6. lvh ◴[04 May 19 03:09 UTC] No.19824142[source]
Short-term certs _are_ a virtue. Not only do you not have a manual event rare enough for people to forget how to do it, you also don't have to worry about which 15 services someone granted a 10 year wildcard cert to early in the company's history.
replies(1): >>19824865 #
7. jetrink ◴[04 May 19 03:12 UTC] No.19824159[source]
See also: GPS vs GLONASS time encoding. GPS rolls over every 19 years, so devices, cars and even Boeing aircraft saw their GPS-based clocks turn back to 1999 last month. Meanwhile, GLONASS epochs are only four years long, so every device that uses it as a time reference is built to handle rollover.
8. lugg ◴[04 May 19 03:23 UTC] No.19824221[source]
Security tends towards the lowest common denominator. I'd rather you just figured out how to run a cron job.

The problem comes if your keys ever get compromised or cracked all your historical traffic becomes vulnerable instead of just the most recent window.

replies(1): >>19824270 #
9. Godel_unicode ◴[04 May 19 03:24 UTC] No.19824228{3}[source]
That's cool and all, but what percentage of users do you think even know certs expire? I'd put the over/under at 1%.
10. Godel_unicode ◴[04 May 19 03:26 UTC] No.19824233{3}[source]
If only there were a way to revoke certificates. Like, some kind of list.
replies(5): >>19824271 #>>19824320 #>>19824476 #>>19824509 #>>19824811 #
11. gboudrias ◴[04 May 19 03:34 UTC] No.19824270{3}[source]
Yeah "just" a cron job except the implementation changes several times a year. Somehow this automated process was more time-consuming than the previous, manual one.
replies(1): >>19824317 #
12. yjftsjthsd-h ◴[04 May 19 03:34 UTC] No.19824271{4}[source]
If only such a list were actually effective rather than the majority of clients not bothering to check it.
13. lvh ◴[04 May 19 03:47 UTC] No.19824317{4}[source]
Many cloud providers will make this process pretty much entirely automated. But let's say you don't want to do that: when is the last time the way you run caddy changed? Or the last time python-certbot-nginx changed?
replies(1): >>19824338 #
14. lvh ◴[04 May 19 03:48 UTC] No.19824320{4}[source]
CRLs do not work in practice, and major clients routinely ignore them.
15. gboudrias ◴[04 May 19 03:54 UTC] No.19824338{5}[source]
This was a few years ago, so things may have changed by now. But as they say, once bitten twice shy, and the wisdom of "just cron it" doesn't work with highly experimental tools like LE was for what I estimate to be the majority of its lifetime.
replies(2): >>19824359 #>>19825252 #
16. lvh ◴[04 May 19 04:00 UTC] No.19824359{6}[source]
I'm sure there's a way to make your LE experience consistently suck but the way to run caddy for a static website has been the same for about as long as caddy has had support for automatic HTTPS, and that's also true for python-nginx-certbot. But more importantly: we can argue about what it was 4 years ago, or we can just observe that it's really easy now.
17. dwaite ◴[04 May 19 04:35 UTC] No.19824476{4}[source]
Revocation lists get huge, ultimately becoming another reason to limit cert lifetime (you don't have to tell people you revoked a certificate which is expired naturally).

Very few things check revocation, unfortunately - it puts an extra hop on the fast path of connecting to a server. OCSP stapling is pretty much the only thing a browser would care about - having the server fetch a signed OCSP response that is good for a limited period of time (say, hours), and send that along with the certificate during negotiation.

Or, you could just have the server fetch a certificate thats good for a limited period of time.

18. MrStonedOne ◴[04 May 19 04:41 UTC] No.19824499[source]
It's not your risk to decide on. You will not always own that domain name, and allowing you to still have a valid cert for it afterwards is silly.
replies(1): >>19825298 #
19. MrStonedOne ◴[04 May 19 04:45 UTC] No.19824509{4}[source]
Revocation requires the private key
replies(1): >>19824796 #
20. pinjiz ◴[04 May 19 06:28 UTC] No.19824796{5}[source]
This is not true. In Let's Encrypt/ACME for example, you can simply obtain authorizations for all the domains a certificate is valid for and request revocation [1]. The only thing you still need to revoke the certificate, is the certificate itself. The certificate can be obtained from CT logs.

[1] https://tools.ietf.org/html/rfc8555#section-7.6

21. pinjiz ◴[04 May 19 06:33 UTC] No.19824811{4}[source]
OCSP stapling together with OCSP Must Staple is the way to go here. All major browsers support these.

Firefox still does normal OCSP requests, Chromes does not. So if you are a Chrome user, to my understanding, there is now way to know if the server certificate was revoked or not, other than OCSP stapling together with OCSP Must Staple. Additionally, both Chrome and Firefox ship a list of revoked certificates, but it may not be updated quickly enough and as far as i can tell it mostly contains roots and intermediates.

22. zimpenfish ◴[04 May 19 06:47 UTC] No.19824865{3}[source]
Having once had to regenerate 600+ self-signed certs, test that everything still worked, and then insert them into the 600+ live app servers without breaking anything, all within a two week window because no-one had realised the 10 year expiry was just about to bring everything down, I concur.
23. lugg ◴[04 May 19 08:44 UTC] No.19825252{6}[source]
A tool not working well or being "experimental" does not dismiss the premise that frequently run automated tools are a better than infrequently run manual tasks when those manual tasks can take down your infrastructure if done improperly, missed or forgotten.

All it being new means is that depending on your risk ratio you need to decide whether updates to the software need testing or whether you need to invest in your own solution - or, how about just wait until it matures and keep the old process until then.

Waiting doesn't invalidate the premise either. It just means you lack the resources to implement it safely and that's ok.

24. pmontra ◴[04 May 19 08:55 UTC] No.19825298{3}[source]
Actually it could be not negligence but a way to perform an attack.

Register a domain, get a certificate lasting forever, let the domain expire and somebody buy it. Then somehow redirect all or part of the traffic to that domain to your own server with a valid certificate. Chances are that few people will notice something has changed in the details of the certificate.

However you'll have left traces all over the place: credit cards, phone numbers, etc.