←back to thread

All extensions disabled due to expiration of intermediate signing cert

(bugzilla.mozilla.org)
1318 points xvector | 1 comments | 04 May 19 01:31 UTC | HN request time: 0s | source
Show context
needle0 ◴[04 May 19 01:56 UTC] No.19823806[source]
I’ll still keep using Firefox since I recognize the importance of browser diversity and the hazards of a Chrome monoculture (that and vertical tabs), but, yikes.

Still, this type of oversight seems all too common even in large companies. I remember several cases from Fortune 500 companies in the past few years alone. What would be a good way to automate checking for them? Has anyone developed a tool designed specifically to avoid certificate expiry disasters?

replies(18): >>19823825 #>>19823829 #>>19823831 #>>19823840 #>>19823848 #>>19823861 #>>19823913 #>>19823994 #>>19824009 #>>19824223 #>>19824243 #>>19824298 #>>19824668 #>>19824724 #>>19824795 #>>19824840 #>>19824927 #>>19825103 #
kam ◴[04 May 19 02:07 UTC] No.19823861[source]
ACME / Let's Encrypt go in the direction of making expiry happen so often that renewal gets automated, rather than a being a rare manual process that can be forgotten about.

Not sure that's viable for a signing certificate like this, but that's the way to solve it for the web PKI.

replies(3): >>19824049 #>>19824088 #>>19824159 #
dev_dull ◴[04 May 19 02:57 UTC] No.19824088[source]
It’s funny to me that people talk about this limitation as if it were some kind of virtue.
replies(2): >>19824114 #>>19824142 #
tty2300 ◴[04 May 19 03:03 UTC] No.19824114[source]
Its also more secure. Long lived certs risk the possibility that someone who used to own the domain got a certificate on it and it still works after the domain is resold. Once you automate it there is no downside to short lived certs.
replies(1): >>19824233 #
Godel_unicode ◴[04 May 19 03:26 UTC] No.19824233[source]
If only there were a way to revoke certificates. Like, some kind of list.
replies(5): >>19824271 #>>19824320 #>>19824476 #>>19824509 #>>19824811 #
MrStonedOne ◴[04 May 19 04:45 UTC] No.19824509[source]
Revocation requires the private key
replies(1): >>19824796 #
1. pinjiz ◴[04 May 19 06:28 UTC] No.19824796[source]
This is not true. In Let's Encrypt/ACME for example, you can simply obtain authorizations for all the domains a certificate is valid for and request revocation [1]. The only thing you still need to revoke the certificate, is the certificate itself. The certificate can be obtained from CT logs.

[1] https://tools.ietf.org/html/rfc8555#section-7.6