←back to thread

All extensions disabled due to expiration of intermediate signing cert

(bugzilla.mozilla.org)
1318 points xvector | 4 comments | 04 May 19 01:31 UTC | HN request time: 0.65s | source
Show context
needle0 ◴[04 May 19 01:56 UTC] No.19823806[source]
I’ll still keep using Firefox since I recognize the importance of browser diversity and the hazards of a Chrome monoculture (that and vertical tabs), but, yikes.

Still, this type of oversight seems all too common even in large companies. I remember several cases from Fortune 500 companies in the past few years alone. What would be a good way to automate checking for them? Has anyone developed a tool designed specifically to avoid certificate expiry disasters?

replies(18): >>19823825 #>>19823829 #>>19823831 #>>19823840 #>>19823848 #>>19823861 #>>19823913 #>>19823994 #>>19824009 #>>19824223 #>>19824243 #>>19824298 #>>19824668 #>>19824724 #>>19824795 #>>19824840 #>>19824927 #>>19825103 #
crazygringo ◴[04 May 19 02:01 UTC] No.19823829[source]
That's a great question.

I've never seen a bulletproof solution for organizational tasks that need to be done yearly.

If someone's in charge... and both they and their manager happen to leave in the same year... and whatever system they had in place to remember (probably their personal calendars) is gone... and the manager's manager has 1,000 other things to remember...

...how does an organization ensure the task still gets done?

replies(4): >>19823893 #>>19823969 #>>19824149 #>>19824734 #
Complexicate ◴[04 May 19 02:30 UTC] No.19823969[source]
"...how does an organization ensure the task still gets done?"

With something almost stupidly simple and low-tech: checklists.

(I'm reading "The Checklist Manifesto" right now, and the points it makes seem to fit perfectly with everything you mention.)

replies(1): >>19824387 #
1. marcosdumay ◴[04 May 19 04:09 UTC] No.19824387[source]
An year is enough time for everybody that knows about the checklist to leave.
replies(2): >>19824432 #>>19825167 #
2. andrewflnr ◴[04 May 19 04:25 UTC] No.19824432[source]
Put "make sure someone else knows all this person's checklists" on the employee exit checklist.
replies(1): >>19824793 #
3. craftinator ◴[04 May 19 06:27 UTC] No.19824793[source]
Put the checklist on the home page of the company website!
4. BuckRogers ◴[04 May 19 08:18 UTC] No.19825167[source]
We resolved this issue at my last company with sufficiently large mailing groups for cert renewal reminders. Once you get to 12 people on a mailing list, with new employees being added all the time, it's hard to miss. Usually a manager on that list is pinging people about it. There is the chance of the tragedy of the commons occurring, but I never saw it.

Once you do this, the only checklist that matters are procedural checklists to add a new client or new cert to the renewal notification list. When you use a standard group email for all cert purchases, that one becomes tough to miss.

In my 7 years of being involved, we never missed a cert renewal with this process for ~300 client sites with multiple or wildcard certs.