←back to thread

All extensions disabled due to expiration of intermediate signing cert

(bugzilla.mozilla.org)
1318 points xvector | 1 comments | 04 May 19 01:31 UTC | HN request time: 0s | source
Show context
needle0 ◴[04 May 19 01:56 UTC] No.19823806[source]
I’ll still keep using Firefox since I recognize the importance of browser diversity and the hazards of a Chrome monoculture (that and vertical tabs), but, yikes.

Still, this type of oversight seems all too common even in large companies. I remember several cases from Fortune 500 companies in the past few years alone. What would be a good way to automate checking for them? Has anyone developed a tool designed specifically to avoid certificate expiry disasters?

replies(18): >>19823825 #>>19823829 #>>19823831 #>>19823840 #>>19823848 #>>19823861 #>>19823913 #>>19823994 #>>19824009 #>>19824223 #>>19824243 #>>19824298 #>>19824668 #>>19824724 #>>19824795 #>>19824840 #>>19824927 #>>19825103 #
_wmd ◴[04 May 19 02:04 UTC] No.19823848[source]
Let's not forget multiple mobile networks across Europe went down on the same day last year because Ericsson(?) let a cert expire on some internal management system that had not been updated. SSL cert renewal is one of the great unsolved problems in computer science

edit: not Europe, just UK and Japan apparently: https://www.zdnet.com/article/ericsson-expired-certificate-c...

replies(2): >>19823910 #>>19824709 #
AmericanChopper ◴[04 May 19 05:52 UTC] No.19824709[source]
>SSL cert renewal is one of the great unsolved problems in computer science

Certificate expiry really only exists to make money for CAs. It doesn’t solve any security problem that CRLs don’t already solve (and solve better). There’s lots of unsolved problems relating to ‘how do you make a reliable PKI’, but cert expiry is really just an unrelated business requirement for CAs.

replies(4): >>19824751 #>>19824854 #>>19824875 #>>19825054 #
rocqua ◴[04 May 19 07:48 UTC] No.19825054[source]
Cert revocation suffers from a very simple issue. If your check for revocation fails, do you fail open (ie accept the cert) or fail closed (ie reject the cert).

For any method, fail closed is user hostile and often a DOS vulnerability whilst fail open is another way for an attacker to use a revoked cert.

This is a big issue with on-line methods like OCSP as a MitM using a bad cert can probably block OCSP traffic as well.

CSLRs grow out of proportion, and leak information to the outside world.

Cert expiry serves as a backstop to these other revocation methods, and as a bonus ensures that simply forgetting about a cert cannot bite you 10 years later.

replies(1): >>19825183 #
AmericanChopper ◴[04 May 19 08:22 UTC] No.19825183[source]
All TLS failures fail closed. The idea that if a cert is compromised it will eventually expire sometime within the next five years is a completely laughable security control. Leaking information is a complete non-concern too. Have you heard of certificate transparency logs?

Short lived certs are quite obviously better from a security perspective, but the security difference between a certificate that expires in five years, and one that expires never is irrelevant.

replies(1): >>19825293 #
1. rocqua ◴[04 May 19 08:54 UTC] No.19825293[source]
A missing OCSP response does not fail closed, nor does a CLR url 404-ing fail closed.

The information leakage of CRLs is stating to the public that a cert needed to be revoked.

Obviously, a compromised cert that will expire in 5 years is horrible. However, a non compromised cert you are no longer using that will never expire is more off a risk than a disused cert that will expire in a year. Not to say you should leave the one year cert lying around. However, there is no desire to put the one year cert on a pre-shipped CLR.