
155 points | kxxt | 1 comment
gethly [45083427]
Because those ephemeral LE certificates are such a great idea...
replies (6): >>45083455, >>45083516, >>45083798, >>45083991, >>45084464, >>45088393
shaky-carrousel [45083516]
It is, if your objective is to closely centralize the web. If you make https mandatory, via scare tactics, only people with certificates will have websites. If you make ephemeral certificates mandatory by taking advantage of a monopoly, then only big SSL providers who can afford it will survive.

Then, when you have only two or three big SSL providers, it's way easier to shut someone off by denying them a certificate, and see their site vanish in mere weeks.

replies (6): >>45083645, >>45083750, >>45083879, >>45084701, >>45086962, >>45090198
crazygringo [45083750]
You don't need short expirations for that. CRLs/OCSP already provided a mechanism for certificates to be revoked before they expire.

However, short expirations severely limit the damage an attacker can do if they steal your private key.

And they avoid the situations where an organization simply forgets to renew a cert, because automating something so infrequent is genuinely difficult from an organizational standpoint. Employees leave, calendar reminders go missing, and yeah.

replies (4): >>45083802, >>45084081, >>45084499, >>45085656
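Added example, not part of any comment in this thread: a small Go program (using only the standard library's crypto/x509) that makes the comment's two claims concrete. It mints two self-signed certificates, one with a 398-day lifetime and one with a 6-day lifetime, then shows how the validity period alone bounds the window in which a stolen key stays usable when relying parties skip revocation checks, and how an automated renewal rule decides when to roll over. The hostname example.test, the OCSP URL and the renew-at-one-third-remaining threshold are this example's assumptions, not anything from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a self-signed leaf certificate for cn, valid for lifetime from
// notBefore. ocspURL, if non-empty, is written into the Authority Information
// Access extension. Constructed fixture for this example: no real CA and no
// real domain; only the validity and revocation-pointer fields matter here.
func issue(cn string, notBefore time.Time, lifetime time.Duration, ocspURL string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ocspURL != "" {
		tmpl.OCSPServer = []string{ocspURL}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasRevocationPointer reports whether a relying party could even learn about
// revocation from the certificate itself (an OCSP responder or CRL URL is present).
func hasRevocationPointer(c *x509.Certificate) bool {
	return len(c.OCSPServer) > 0 || len(c.CRLDistributionPoints) > 0
}

// exposure is the worst-case window during which a key stolen at stolenAt is
// still usable, assuming the attacker's victims never check revocation. The
// window is zero if the theft happens after NotAfter.
func exposure(c *x509.Certificate, stolenAt time.Time) time.Duration {
	if !stolenAt.Before(c.NotAfter) {
		return 0
	}
	return c.NotAfter.Sub(stolenAt)
}

// needsRenewal applies a renew-when-less-than-a-third-remains rule, the kind of
// threshold automated ACME clients use. The exact fraction is this example's
// assumption, not a standard.
func needsRenewal(c *x509.Certificate, now time.Time) bool {
	lifetime := c.NotAfter.Sub(c.NotBefore)
	remaining := c.NotAfter.Sub(now)
	return remaining < lifetime/3
}

func main() {
	start := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	long, _ := issue("example.test", start, 398*24*time.Hour, "http://ocsp.example.test")
	short, _ := issue("example.test", start, 6*24*time.Hour, "")
	theft := start.Add(2 * 24 * time.Hour) // constructed: key stolen two days after issuance
	for _, c := range []*x509.Certificate{long, short} {
		fmt.Printf("lifetime %v, revocation pointer %v, exposure after theft %v, renew now %v\n",
			c.NotAfter.Sub(c.NotBefore), hasRevocationPointer(c), exposure(c, theft), needsRenewal(c, theft))
	}
}
```

With the two-day theft, the long-lived certificate leaves 396 days of exposure unless revocation is actually enforced, while the six-day one leaves four days regardless; the second certificate carries no revocation pointer at all, so its lifetime is the only bound that exists.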
tgsovlerkhgsel [45084499]
CRL/OCSP had limited effect in practice. A revoked certificate would, if I remember correctly, continue to be accepted by many if not most browsers (by market share).