
1318 points xvector | 3 comments
needle0 No.19823806
I’ll still keep using Firefox since I recognize the importance of browser diversity and the hazards of a Chrome monoculture (that and vertical tabs), but, yikes.

Still, this type of oversight seems all too common even in large companies. I remember several cases from Fortune 500 companies in the past few years alone. What would be a good way to automate checking for them? Has anyone developed a tool designed specifically to avoid certificate expiry disasters?

replies(18): >>19823825 #>>19823829 #>>19823831 #>>19823840 #>>19823848 #>>19823861 #>>19823913 #>>19823994 #>>19824009 #>>19824223 #>>19824243 #>>19824298 #>>19824668 #>>19824724 #>>19824795 #>>19824840 #>>19824927 #>>19825103 #
wbl No.19823825
We scan our codebase for anything that looks like a cert and send emails when it gets close. Might not have helped here if it was an intermediate owned by a CA. There but for the grace of God go I.
replies(2): >>19824231 #>>19824332 #
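As an added example (not code posted by anyone in this thread), here is a minimal version of the two things discussed above: needle0's question about automating expiry checks, and wbl's approach of scanning a codebase for anything that looks like a certificate and raising an alert when it is close to expiry. It walks a directory tree, pulls every PEM CERTIFICATE block out of every file, parses it with Go's standard `crypto/x509`, and reports certificates whose NotAfter falls inside a warning window. The three certificates it scans are self-signed test data generated on the fly; the directory layout, file names and the 30-day window are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io/fs"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

const day = 24 * time.Hour

// Finding is one certificate in the tree whose validity ends inside the warning window.
type Finding struct {
	Path     string    // file the PEM block was found in
	Subject  string    // certificate subject, for the alert text
	NotAfter time.Time // expiry
	DaysLeft float64   // negative when already expired
}

// CertsInFile returns every certificate found in PEM CERTIFICATE blocks in data.
// Other PEM types (private keys, CSRs) and unparsable blocks are skipped.
func CertsInFile(data []byte) []*x509.Certificate {
	var certs []*x509.Certificate
	for {
		block, rest := pem.Decode(data)
		if block == nil {
			return certs
		}
		data = rest
		if block.Type != "CERTIFICATE" {
			continue
		}
		if c, err := x509.ParseCertificate(block.Bytes); err == nil {
			certs = append(certs, c)
		}
	}
}

// ScanTree walks root, parses certificates out of every regular file and reports the
// ones whose NotAfter falls before now+warn; already-expired ones are reported too.
func ScanTree(root string, now time.Time, warn time.Duration) ([]Finding, error) {
	var findings []Finding
	deadline := now.Add(warn)
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		for _, c := range CertsInFile(data) {
			if c.NotAfter.Before(deadline) {
				findings = append(findings, Finding{path, c.Subject.String(), c.NotAfter,
					c.NotAfter.Sub(now).Hours() / 24})
			}
		}
		return nil
	})
	return findings, err
}

// writeTestCert writes a self-signed certificate (constructed test data, not a real CA
// certificate) with the given common name and validity window into dir as PEM.
func writeTestCert(dir, cn string, notBefore, notAfter time.Time) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return os.WriteFile(filepath.Join(dir, cn+".pem"), out, 0o600)
}

// BuildFixture creates a temp dir holding three constructed certificates: one expiring in
// 10 days, one that expired 35 days ago and one good for a year. The caller removes it.
func BuildFixture(now time.Time) (string, error) {
	dir, err := os.MkdirTemp("", "certscan")
	if err != nil {
		return "", err
	}
	for _, tc := range []struct {
		cn                  string
		notBefore, notAfter time.Time
	}{
		{"soon.example", now.Add(-355 * day), now.Add(10 * day)},
		{"expired.example", now.Add(-400 * day), now.Add(-35 * day)},
		{"fine.example", now, now.Add(365 * day)},
	} {
		if err := writeTestCert(dir, tc.cn, tc.notBefore, tc.notAfter); err != nil {
			return "", err
		}
	}
	return dir, nil
}

func main() {
	now := time.Now()
	dir, err := BuildFixture(now)
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	findings, err := ScanTree(dir, now, 30*day)
	if err != nil {
		panic(err)
	}
	for _, f := range findings { // in a real job this is where the e-mail or ticket goes
		fmt.Printf("%s: %s expires %s (%.0f days)\n", f.Path, f.Subject, f.NotAfter.Format("2006-01-02"), f.DaysLeft)
	}
}
```

Run from cron or CI with the repository root in place of the fixture directory and the findings piped into whatever alerting you already have. As wbl notes, this only covers certificates that are checked in: a signing or intermediate certificate held by a CA or a third party never appears in the tree, so it needs a separate check against the live endpoint or the issuer's published chain rather than a scan of the source.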
1. adtac No.19824231
Why do you have certificates in your code to begin with?
replies(1): >>19824457 #
2. justinclift No.19824457
If you have your own CA for whatever reason, it's common to distribute the root and intermediate certs with your code so things can resolve.

You don't ship the signing keys with the certs, as that would be bad. ;)

replies(1): >>19827020 #
3. justinclift No.19827020
s/resolve/validate/