
1318 points xvector | 9 comments
needle0 No.19823806
I’ll still keep using Firefox since I recognize the importance of browser diversity and the hazards of a Chrome monoculture (that and vertical tabs), but, yikes.

Still, this type of oversight seems all too common even in large companies. I remember several cases from Fortune 500 companies in the past few years alone. What would be a good way to automate checking for them? Has anyone developed a tool designed specifically to avoid certificate expiry disasters?

js2 No.19824009
You can find lots of programs like this one to monitor certs:

https://pypi.org/project/check-tls-certs/

I run one daily from cron and have it email me a report with the days to expiration for the certs I’m responsible for, even for certs that auto renew. I don’t filter the email. Daily is not too frequent for it to go to my inbox, but frequent enough that I’ll notice if it doesn’t mail me. YMMV.

1. dev_dull No.19824097
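A minimal version of the daily cron report described above, written here as an added example (it is not the check-tls-certs tool linked in the comment). It assumes the certificate dicts have the shape returned by Python's ssl.SSLSocket.getpeercert(), whose notAfter strings ssl.cert_time_to_seconds() parses; the hostnames, dates and the 14-day threshold are constructed sample values. Hosts that could not be reached are listed as alerts rather than dropped, and healthy certs are still listed, so a missing or quiet report is itself noticeable.

```python
"""Daily TLS certificate expiry report (added example, not the linked tool)."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed threshold: alert when this many days or fewer remain.
WARN_DAYS = 14

# Constructed "current time" so the sample below is reproducible offline.
NOW = datetime(2019, 5, 4, 12, 0, tzinfo=timezone.utc)

# Constructed results, keyed by host. Real getpeercert() dicts carry more keys
# (subject, issuer, SANs); only notAfter is needed here. A fetch failure is
# stored as the exception so it shows up in the report instead of vanishing.
SAMPLE_CERTS = {
    "www.example.test": {"notAfter": "Aug  1 00:00:00 2019 GMT"},
    "api.example.test": {"notAfter": "May 18 12:00:00 2019 GMT"},
    "legacy.example.test": {"notAfter": "May  3 12:00:00 2019 GMT"},
    "vpn.example.test": OSError("connection timed out"),
}


def fetch_cert(host, port=443, timeout=5.0):
    """Return the leaf certificate of host:port as a getpeercert() dict.

    Network call; not used by the offline sample data. Any OSError/SSLError
    propagates so the caller can record the host as unreachable.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def collect(hosts, fetch=fetch_cert):
    """Fetch every host's cert, keeping the exception for hosts that fail."""
    results = {}
    for host in hosts:
        try:
            results[host] = fetch(host)
        except (OSError, ssl.SSLError) as exc:
            results[host] = exc
    return results


def days_to_expiry(cert, now):
    """Whole days from `now` (aware UTC datetime) until the cert's notAfter.

    Negative once the certificate has expired (floor division keeps -0.5 days
    as -1, so an expired cert never rounds up to 0)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)


def classify(cert, now, warn_days=WARN_DAYS):
    """Return (status, days) where status is OK, WARNING or EXPIRED."""
    days = days_to_expiry(cert, now)
    if days < 0:
        return "EXPIRED", days
    if days <= warn_days:
        return "WARNING", days
    return "OK", days


def build_report(results, now, warn_days=WARN_DAYS):
    """Turn collect() output into report lines plus an overall alert flag.

    Every host is listed, including healthy ones, so the daily mail has a
    predictable shape and its absence is noticed."""
    lines = []
    alert = False
    for host in sorted(results):
        cert = results[host]
        if isinstance(cert, Exception):
            lines.append(f"{host}: UNREACHABLE ({cert})")
            alert = True
            continue
        status, days = classify(cert, now, warn_days)
        lines.append(f"{host}: {status} expires in {days} days ({cert['notAfter']})")
        if status != "OK":
            alert = True
    return lines, alert


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in collect(hosts) for real use.
    report, needs_attention = build_report(SAMPLE_CERTS, NOW)
    print("\n".join(report))
    print("ALERT" if needs_attention else "all clear")
```

Wiring it to cron is then a one-line job that pipes the printed report into mail; the alert flag is what you would use to change the subject line or page someone when anything is WARNING, EXPIRED or UNREACHABLE.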
Discovery of all the certs is what I think is the harder problem.
2. human20190310 No.19824189
I agree. What can be done to prevent developers from adding a certificate dependency without monitoring during the move-fast-and-break-things days of early development, which then sits for X years as developers come and go, and nobody notices until it fails?
3. stubish No.19824206
We have an agent that pulls certs from an internal service and stores them on disk where apps can use them. We no longer manually install certificates. This solves discovery, and gives us alerts on services that have stopped refreshing their certs for any reason. The internal service is wired into Let's Encrypt and a commercial certificate provider. Setup is minimal, and after that completely automated.
4. rhizome No.19824242
>What can be done to prevent developers from adding a certificate dependency

Discipline? Experience? PIP?

5. lvh No.19824331
Certificate Transparency works pretty darn well for most use cases, we (Latacora) have found while trying to solve exactly this problem (or at least the "figure out which certs exist that aren't being regularly re-issued" part) :-)
6. technion No.19824464
Whilst I'll say "disclaimer, this is my project", monitoring Certificate Transparency with CT Advisor has helped me find out about certificates marketing people deployed and expected me to maintain without my knowledge.

[0] https://ctadvisor.lolware.net/

7. adrianN No.19824969
Hook the alerting for expiring certificates into the library that is used for handling certificates, at least in debug builds.
8. tialaramex No.19825112
Caveats:

Certificates that aren't from the Web PKI almost invariably won't be logged. Most logs explicitly refuse everything except certs from the Web PKI so as not to be burdened storing garbage. So this won't find certs issued by the custom OpenSSL CA on that one guy's Linux laptop.

Not all Web PKI certs are logged. There is no BR obligation and no root store programme rule that requires logging. The only things in place that strongly encourage logging are the Chrome and Safari policies. For systems that aren't designed to be accessed with a web browser or, much more rarely, enterprises that have persuaded themselves only IE is authorised anyway, the certs might deliberately not be logged. Yes, there are (small) CAs doing this in the Web PKI, on purpose, in 2019.

9. lvh No.19827451
You can tell ACM your CT preference!

(But seriously, sure you’re right but for my audience (which is essentially Latacora’s and HN’s), CT is fine.)