253 points pabs3 | 2 comments
mkj ◴[] No.44602124[source]
It's not just Linux - certificates to sign Windows are also affected in 2026.

https://support.microsoft.com/en-us/topic/windows-secure-boo...

https://techcommunity.microsoft.com/blog/windows-itpro-blog/...

Really it seems like having any expiry date for these certificates is a mistake. The one thing it might protect against is a compromised signing key, but if you have to wait 15 years for a compromised key to stop being valid, it's not very useful!

Don't worry, the replacement MS certs expire in 2038 (a couple of months after the 32-bit unix time rollover).

replies(5): >>44602428 #>>44602690 #>>44602733 #>>44602895 #>>44617707 #
1. nirui ◴[] No.44602690[source]
I'm feeling/guessing the expiration is more of a flow-with-tradition thing. TLS certificates expire, it's part of the security feature, so why not Secure Boot certificates too?

And of course, it gives the root certificate issuer an enormous amount of power as well, good riddance from the POV of Microsoft.

However, I think if Microsoft REALLY cares about security, they should not let applications installed on their system do anything that is unapproved by the user (such as installing a virus that encrypts all their data), which could actually enhance the user experience and security. But, with secure boot, at least you can be sure that your Windows kernel is not tampered with so it can serve the virus correctly :)

replies(1): >>44673462 #
2. hulitu ◴[] No.44673462[source]
> However, I think if Microsoft REALLY cares about security, they should not let applications installed on their system do anything that is unapproved by the user

If Microsoft REALLY cares about security, they should fix their bugs and not make "new features" at every release.