←back to thread

F-Droid site certificate expired

(gitlab.com)
155 points kxxt | 6 comments | 31 Aug 25 12:16 UTC | HN request time: 0s | source | bottom
Show context
gethly ◴[31 Aug 25 14:32 UTC] No.45083427[source]
Because those ephemeral LE certificates are such a great idea...
replies(6): >>45083455 #>>45083516 #>>45083798 #>>45083991 #>>45084464 #>>45088393 #
shaky-carrousel ◴[31 Aug 25 14:43 UTC] No.45083516[source]
It is, if your objective is to closely centralize the web. If you make https mandatory, via scare tactics, only people with certificates will have websites. If you make ephemeral certificates mandatory by taking advantage of a monopoly, then only big SSL providers who can afford it will survive.

Then, when you have only two or three big SSL providers, it's way easier to shut someone off by denying them a certificate, and see their site vanish in mere weeks.

replies(6): >>45083645 #>>45083750 #>>45083879 #>>45084701 #>>45086962 #>>45090198 #
tgsovlerkhgsel ◴[31 Aug 25 16:54 UTC] No.45084701[source]
Meanwhile, in the real world:

- We went from the vast majority of traffic being unencrypted, allowing any passive attacker (from nation state to script kiddie sitting in the coffee shop) to snoop and any active attacker to trivially tamper with it, to all but a vanishing minority of connections being strongly encrypted. The scare tactics used to sell VPNs in YouTube ads used to all be true, and no longer are, due to this.

- We went from TLS certificates being unaffordable to hobbyists to TLS certificates being not only free, but trivial to automatically obtain.

- We went from a CA ecosystem where only commercial alternatives exist to one where the main CA is a nonprofit run by a foundation consisting mostly of strong proponents of Internet freedom.

- Even if you count ZeroSSL and Let's Encrypt as US-controlled, there is at least one free non-US alternative using the same protocol, i.e. suitable as a drop-in replacement (https://www.actalis.com/subscription).

- Plenty of other paid but affordable alternatives exist from countless countries, and the ecosystem seems to be getting better, not worse.

- While many other paths have been used to attempt to censor web sites, I haven't seen the certificate system used for this frequently (I'm sure there are individual court orders somewhere).

- If the US wanted to put its full weight behind getting a site off the Internet, it would have other levers that would be equally or more effective.

- Most Internet freedom advocates recognize that the migration to HTTPS was a really, really good thing.

replies(5): >>45084765 #>>45085429 #>>45086605 #>>45087152 #>>45090142 #
justsomehnguy ◴[31 Aug 25 17:00 UTC] No.45084765[source]
Meanwhile, in the real world:

- We now provide a completely free certs for a malicious web-sites

- Degraded encryption value so much it's not even indicated anymore (remember the green bar for EV?)

- Pavlov-trained everyone to dumb-click through 'this page is not secure' warnings

- SNI exists and even without it anything not on CDN is blocked very easily

replies(4): >>45084914 #>>45084950 #>>45085075 #>>45087109 #
lukeschlather ◴[31 Aug 25 17:15 UTC] No.45084914{3}[source]
The only one of those things that is the fault of ACME is the first one, and are you really suggesting between that and your second bullet point that we should charge money for encryption so that people value it more? Encryption is free so people do it more. Paying money doesn't actually make people trustworthy. (Though you can totally charge people to prove they aren't malicious, but if you want to do that, why tie it to encryption? Encrypt regardless.)
replies(1): >>45084989 #
1. ocdtrekkie ◴[31 Aug 25 17:24 UTC] No.45084989{4}[source]
> Paying money doesn't actually make people trustworthy.

This is fundamentally a naive understanding of both security and certificates. Paying money absolutely makes people trustworthy because it's prohibitive to do it at scale. You might have one paid malicious certificate but you can have thousands of free ones. The one malicious domain gets banned, the thousands are whack-a-mole forever.

Further, certificates used to indicate identity in more than a "the domain you are connected to" sense. There was a big PR campaign to wreck EV certs but EV certs generally were extremely secure. And even Google, who most loudly complained about EV, has reintroduced the Verified Mark Certificate (VMC) to replace it and use for new things like BIMI.

replies(2): >>45085913 #>>45087134 #
2. tialaramex ◴[31 Aug 25 18:54 UTC] No.45085913[source]
It didn't take a "big PR campaign". EV is crap. It was crap when it was created, it's still crap now. It was tolerated because the commercial CAs wanted a new shinier product and in exchange we got the BRs and from there we got here. Don't lean on EV, it's superficial not load bearing.

I don't much care about BIMI. People keep trying to resuscitate that particular dead dog (email security), maybe one day they will succeed but I don't expect to be involved.

3. kelnos ◴[31 Aug 25 21:12 UTC] No.45087134[source]
EV certs didn't actually afford the guarantees people hoped and expected. I could simply spend a few hundred dollars to register "Stripe, LLC" or "Microsoft, Inc." in my local jurisdiction, and then get an EV cert with that name on it.

Browser vendors removed the extra UI around EV certs not because certs in general are easier to get, but because the identity "guarantee" afforded to EV certs was fairly easy to spoof. EV certs still exist, and you can foolishly pay for one if you want. Free ACME-provided certs has nothing to do with this.

replies(1): >>45088640 #
4. ocdtrekkie ◴[01 Sep 25 01:34 UTC] No.45088640[source]
Again, this is an incredibly naive and uninformed take. Yes. You can spend hundreds of dollars to make one attempt at malicious activity, and yeah, that could also be fixed by tweaking EV requirements. (More than likely by putting a country flag on the EV banner.) One person as an example managing to get a problematic EV cert is not a sign of a broken system, it's a sign of a working system that only a few edge case examples exist.

Cybercriminals work at scale. The opinion you shared here is why Google, Microsoft, and Amazon are so easy to use for cybercrime. It's incredibly easy to hide bad behavior in cheap, disposable attempts on free accounts.

Cost virtually eliminates abuse. Bad actors are fronting effort and ideally small amounts of money to effectively bet on a high return. You make the cost to attempt high, it isn't worth it. Apart from some high profile blogs demonstrating the risk, EV certs have to my knowledge never been used maliciously, and hiding them from the browser bar just makes useful, high quality data about the trustworthiness of a site buried behind hidden menus.

replies(1): >>45090544 #
5. crote ◴[01 Sep 25 07:55 UTC] No.45090544{3}[source]
> that could also be fixed by tweaking EV requirements. (More than likely by putting a country flag on the EV banner.)

Wrong. Company names are not guaranteed to be unique per-country.

The main issue you are missing is that putting undeserved trust in things like DV / EV flags greatly increase the value of such attacks. If users are trained to blindly trust that shiny green bar, the odd attacker will be able to walk away with an absolute fortune. Nobody will be suspicious about that page, because Green Bar. Why is the "bank" asking odd questions? Who cares, it had a Green Bar, so it must be legitimate.

Why bother with hundreds of small attacks when one big one will make you rich?

replies(1): >>45093714 #
6. ocdtrekkie ◴[01 Sep 25 15:49 UTC] No.45093714{4}[source]
The extreme majority of criminals aren't doing Ocean's 11-style grand plan attacks here (usually, because... they don't work, the cost is high, and there's too many ways they can fail leaving you out of money with nothing to show for it). Removing the EV bar because you're afraid one attacker might find a way to exploit it becomes an incredible gift to the 99.9999% of attackers who have a much, much easier job to do.

Like, you need to realize most phishing scammers are perfectly happy to make a bankofamericaaa.glitch.me page, because it's free, and without any good indicators for the legitimate bank to use like EV, really doesn't look that much different to the nontechnical customer than bankofamerica.com.