←back to thread

F-Droid site certificate expired

(gitlab.com)
155 points kxxt | 2 comments | 31 Aug 25 12:16 UTC | HN request time: 0s | source
Show context
gethly ◴[31 Aug 25 14:32 UTC] No.45083427[source]
Because those ephemeral LE certificates are such a great idea...
replies(6): >>45083455 #>>45083516 #>>45083798 #>>45083991 #>>45084464 #>>45088393 #
shaky-carrousel ◴[31 Aug 25 14:43 UTC] No.45083516[source]
It is, if your objective is to closely centralize the web. If you make https mandatory, via scare tactics, only people with certificates will have websites. If you make ephemeral certificates mandatory by taking advantage of a monopoly, then only big SSL providers who can afford it will survive.

Then, when you have only two or three big SSL providers, it's way easier to shut someone off by denying them a certificate, and see their site vanish in mere weeks.

replies(6): >>45083645 #>>45083750 #>>45083879 #>>45084701 #>>45086962 #>>45090198 #
crazygringo ◴[31 Aug 25 15:08 UTC] No.45083750[source]
You don't need short expirations for that. CRLs/OCSP already provided a mechanism for certificates to be revoked before they expire.

However, short expirations severely limit the damage an attacker can do if they steal your private key.

And they avoid the situations where an organization simply forgets to renew a cert, because automating something so infrequent is genuinely difficult from an organizational standpoint. Employees leave, calendar reminders go missing, and yeah.

replies(4): >>45083802 #>>45084081 #>>45084499 #>>45085656 #
kxxt ◴[31 Aug 25 15:13 UTC] No.45083802[source]
It's because CRLs/OCSP sucks so now short expiration is rolling out.
replies(1): >>45084280 #
ozim ◴[31 Aug 25 16:12 UTC] No.45084280[source]
CRL doesn’t suck it is just not easy problem on web scale.

But seems like there is feasible solution: https://hacks.mozilla.org/2025/08/crlite-fast-private-and-co...

replies(1): >>45084471 #
aaomidi ◴[31 Aug 25 16:32 UTC] No.45084471[source]
AKA they suck in this context
replies(1): >>45085594 #
1. ozim ◴[31 Aug 25 18:25 UTC] No.45085594{3}[source]
Was CRL designed with this context in mind?
replies(1): >>45086316 #
2. aaomidi ◴[31 Aug 25 19:33 UTC] No.45086316[source]
Doesn’t matter. I think we’re fighting semantics.

Certificates are cached trust, and all the cache busting problem applies here.