←back to thread

489 points gslin | 1 comments | | HN request time: 0s | source
Show context
pests ◴[] No.42191619[source]
It feels like just yesterday I was paying for certs, or worst, just running without.

Can't believe its been ten years.

replies(1): >>42191666 #
ozim ◴[] No.42191666[source]
Can’t believe there are still anti TLS weirdos.
replies(7): >>42191688 #>>42191718 #>>42191893 #>>42192714 #>>42192733 #>>42193057 #>>42193614 #
michaelt ◴[] No.42192733[source]
I am 99% in favour of widespread use of TLS - but the reality is it means the web only works at the whim of the CA/Browser Forum. And some members of the forum are very eager to flex their authority.

If I do everything perfectly, but the CA I used makes some trivial error which, in the case of my certificate, has no real-world security impact? They can send me an e-mail at 6:40 PM telling me they're revoking my certificate at 2:30 PM the next day. Just what you want to find in your inbox when you get in the next day. I hope you weren't into testing, or staged rollouts, or agreeing deployment windows with your users - you'd better YOLO that change into production without any of that.

Even though it wasn't your mistake, and there's no suggestion you shouldn't have the certificate you have.

As far as the CA/B Forum is concerned, safety-critical systems that can't YOLO changes straight into production with minimal testing and only a few hours of notice don't belong on their PKI infrastructure. You'd better jump to it and fix their mistake right now.

replies(2): >>42192813 #>>42193195 #
account42 ◴[] No.42192813[source]
I'm probably more critical of TLS in general than you are, but to be fair to LE one of their biggest contributions has been to change certificate updates from a deployment to something that should happen automatically during normal operations. If you have things setup the recommended way your daily certbot/etc run will simply pick up a new certificate and loat it into whatever servers that need it without you having to lift a finger. Of course in practice it doesn't always work out that way.
replies(1): >>42193727 #
1. michaelt ◴[] No.42193727[source]
A daily certbot run won't protect you if the CA discovers the problem at 2pm (starting the 24 hour revocation timer) but they only have a fix rolled out by 6pm.

Anyone whose certbot run was between 2pm and 6pm would get their cert revoked the next day at 2pm anyway - even if it was only issued 18 hours ago.

There's also a higher level question: Is this the web we want to be building? One where every site and service has to apply for permission to continue existing every 24 hours? Do we want a web where the barrier to entry for hosting is a round-the-clock ops team, complete with holiday cover? And if you don't have that, you should be using Facebook or Twitter instead?