• Website Certs Will Soon Last Only 47 Days

    From Lawrence D'Oliveiro@21:1/5 to All on Fri Apr 11 22:32:56 2025
    The CA/Browser Forum (a group that includes those entities that issue
    you with attested SSL/TLS certificates) has voted to severely shorten
    the valid duration of its certificates from one year to just 47 days
    <https://www.computerworld.com/article/3960658/vendors-vote-to-radically-slash-website-certificate-duration.html>.

    Some see this as a revenue grab. Yes, it may be, but there are also
    good security reasons for doing so.

    The revenue-grab reason may backfire. For most purposes, a free cert
    service like Let’s Encrypt is quite sufficient, and it’s easy enough
    to set your system to run a cron task (or systemd timer) to
    auto-renew. This already happens by default on a Debian installation,
    for example.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Oregonian Haruspex@21:1/5 to Lawrence D'Oliveiro on Sat Apr 12 03:30:41 2025
    Lawrence D'Oliveiro <ldo@nz.invalid> wrote:
    > The CA/Browser Forum (a group that includes those entities that issue
    > you with attested SSL/TLS certificates) has voted to severely shorten
    > the valid duration of its certificates from one year to just 47 days
    > <https://www.computerworld.com/article/3960658/vendors-vote-to-radically-slash-website-certificate-duration.html>.
    >
    > Some see this as a revenue grab. Yes, it may be, but there are also
    > good security reasons for doing so.
    >
    > The revenue-grab reason may backfire. For most purposes, a free cert
    > service like Let’s Encrypt is quite sufficient, and it’s easy enough
    > to set your system to run a cron task (or systemd timer) to
    > auto-renew. This already happens by default on a Debian installation,
    > for example.


    It’s not a revenue grab. It IS yet another of the methods THEY are
    employing to make it impossible to use the Internet with old,
    backdoor-free computers.

  • From Lawrence D'Oliveiro@21:1/5 to Oregonian Haruspex on Sat Apr 12 03:54:15 2025
    On Sat, 12 Apr 2025 03:30:41 -0000 (UTC), Oregonian Haruspex wrote:

    > It’s not a revenue grab. It IS yet another of the methods THEY are
    > employing to make it impossible to use the Internet with old,
    > backdoor-free computers.

    Let’s just say, I use one of those free auto-renewing cert services
    (Let’s Encrypt), and I’m probably more confident than you are that my
    computer is “backdoor-free”.

  • From Richard Kettlewell@21:1/5 to Lawrence D'Oliveiro on Sat Apr 12 09:28:22 2025
    Lawrence D'Oliveiro <ldo@nz.invalid> writes:
    > The CA/Browser Forum (a group that includes those entities that issue
    > you with attested SSL/TLS certificates) has voted to severely shorten
    > the valid duration of its certificates from one year to just 47 days
    > <https://www.computerworld.com/article/3960658/vendors-vote-to-radically-slash-website-certificate-duration.html>.

    More concrete details at https://github.com/cabforum/servercert/pull/553.

    > Some see this as a revenue grab. Yes, it may be, but there are also
    > good security reasons for doing so.

    The “revenue grab” theory is rather dubious. The proposal is from a
    device vendor, not a CA; they will make no money from it at all.

    If your CA charges by the renewal _and_ doesn’t adjust prices to reflect
    the shorter lifetime of individual certificates, then yes, it’ll get a
    lot more expensive; an example of shrinkflation. That’d be time to
    migrate to a CA with a more reasonable pricing model.

    > The revenue-grab reason may backfire. For most purposes, a free cert
    > service like Let’s Encrypt is quite sufficient, and it’s easy enough
    > to set your system to run a cron task (or systemd timer) to
    > auto-renew. This already happens by default on a Debian installation,
    > for example.

    Right, the organizations who will have a real problem are those still
    renewing certificates manually. They have a choice between spending a
    bit more on their own staffing, or automating renewal (probably cutting
    their overall costs in the long run).

    --
    https://www.greenend.org.uk/rjk/

  • From Theo@21:1/5 to Richard Kettlewell on Sat Apr 12 11:44:45 2025
    Richard Kettlewell <invalid@invalid.invalid> wrote:
    > Right, the organizations who will have a real problem are those still
    > renewing certificates manually. They have a choice between spending a
    > bit more on their own staffing, or automating renewal (probably cutting
    > their overall costs in the long run).

    I can see this being a big pain for private infrastructure. Much
    networking gear, for example, has a web interface for uploading a
    certificate, but not an automated flow for doing so. If that gear is
    also not able to reach the internet it can't do any kind of
    'well-known' challenges.

    I'm sure there are workarounds, but they won't necessarily apply to
    what's already out there. This change could be disruptive for that.

    Theo

  • From John McCue@21:1/5 to Lawrence D'Oliveiro on Sat Apr 12 14:06:58 2025
    Lawrence D'Oliveiro <ldo@nz.invalid> wrote:
    > The CA/Browser Forum (a group that includes those entities that issue
    > you with attested SSL/TLS certificates) has voted to severely shorten
    > the valid duration of its certificates from one year to just 47 days
    > <https://www.computerworld.com/article/3960658/vendors-vote-to-radically-slash-website-certificate-duration.html>.
    >
    > Some see this as a revenue grab. Yes, it may be, but there are also
    > good security reasons for doing so.

    I agree with this. Plus, if you include the fact that Google and
    friends are trying to block 'http' (no s) static sites, it seems
    to be a continuation of a war on General Computing.

    I would not be surprised that in a few short years you will
    only be able to access sites with a back-doored Cell Phone.

    > The revenue-grab reason may backfire. For most purposes, a free cert
    > service like Let’s Encrypt is quite sufficient, and it’s easy enough
    > to set your system to run a cron task (or systemd timer) to
    > auto-renew. This already happens by default on a Debian installation,
    > for example.

    This I would not know :) I have moved my web site to
    gemini/gopher on SDF. My site just sits there to point
    people to gemini and/or gopher.

    --
    [t]csh(1) - "An elegant shell, for a more... civilized age."
    - Paraphrasing Star Wars

  • From Lawrence D'Oliveiro@21:1/5 to Theo on Sun Apr 13 00:04:39 2025
    On 12 Apr 2025 11:44:45 +0100 (BST), Theo wrote:

    > Much networking gear, for example, has a web interface for uploading a
    > certificate, but not an automated flow for doing so.

    Surely most if not all of that networking gear is Linux-based by now. And
    Linux can certainly do it.

    > If that gear is also not able to reach the internet it can't do any kind
    > of 'well-known' challenges.

    There would be ways to selectively allow such things through the firewall.

    > I'm sure there are workarounds, but they won't necessarily apply to
    > what's already out there.

    I’m sure there are software updates to cope with this. Companies that are
    used to coping with large data-centre installations would not be new to
    this.

  • From Lawrence D'Oliveiro@21:1/5 to John McCue on Sun Apr 13 00:05:44 2025
    On Sat, 12 Apr 2025 14:06:58 -0000 (UTC), John McCue wrote:

    > Plus include the fact that google and friends are trying to block
    > 'http' (no s) static sites, seems it is a continuation of a war on
    > General Computing.

    I don’t know why you think general-purpose computers are incapable of
    secure communication through the Internet. Where do you think such
    secure communication got invented?

  • From Richard Kettlewell@21:1/5 to Theo on Sun Apr 13 13:03:41 2025
    Theo <theom+news@chiark.greenend.org.uk> writes:
    > Richard Kettlewell <invalid@invalid.invalid> wrote:
    >> Right, the organizations who will have a real problem are those still
    >> renewing certificates manually. They have a choice between spending a
    >> bit more on their own staffing, or automating renewal (probably
    >> cutting their overall costs in the long run).
    >
    > I can see this being a big pain for private infrastructure. Much
    > networking gear, for example, has a web interface for uploading a
    > certificate, but not an automated flow for doing so. If that gear is
    > also not able to reach the internet it can't do any kind of
    > 'well-known' challenges.

    Fair point. I think SCEP is the well-established ‘enterprise’ approach
    to this (I don’t know the details though). But it’d be nice to see
    device vendors supporting ACME more widely.

    --
    https://www.greenend.org.uk/rjk/

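Added example (the editor's, not code from any post in this thread): the two ACME challenge responses from RFC 8555, computed offline, to make the point Theo and Richard are circling concrete. HTTP-01 needs the CA to fetch a file from the device over inbound HTTP, which is exactly what isolated gear cannot serve; DNS-01 only needs a TXT record published under _acme-challenge.<name>, which any host with access to the DNS provider's API can do on the device's behalf, so the device itself never has to be reachable from the Internet. The account key below is a constructed placeholder JWK, not a real key, and the token is constructed; the thumbprint rule is RFC 7638.

```python
"""ACME (RFC 8555) challenge responses computed offline.

Added example, not from the thread.  Shows what an ACME client must
publish for HTTP-01 (an inbound HTTP fetch by the CA) versus DNS-01
(only a TXT record, answerable by a host other than the device).
ACCOUNT_JWK is a CONSTRUCTED placeholder, not a real key; TOKEN is
constructed too.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the public members that enter the thumbprint, per key type.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only, keys in lexicographic order, no whitespace.  Extra
    members such as "kid" are ignored by construction."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple[str, str]:
    """(path the CA fetches over inbound HTTP, body it expects there)."""
    return (f"/.well-known/acme-challenge/{token}",
            key_authorization(token, account_jwk))


def dns01_response(domain: str, token: str,
                   account_jwk: dict) -> tuple[str, str]:
    """(TXT record name, TXT record value) per RFC 8555 section 8.4.
    The CA resolves the name from outside; nothing connects to the device,
    so whichever host can update the zone can answer for it."""
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return (f"_acme-challenge.{domain}",
            b64url(hashlib.sha256(key_auth).digest()))


# Constructed placeholder account key: not real curve coordinates.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x01" * 32),
    "y": b64url(b"\x02" * 32),
    "kid": "https://acme.example/acct/1",  # not part of the thumbprint
}
TOKEN = b64url(b"constructed-challenge-token-0001")  # constructed

if __name__ == "__main__":
    print(http01_response(TOKEN, ACCOUNT_JWK))
    print(dns01_response("switch01.internal.example", TOKEN, ACCOUNT_JWK))
```

The practical consequence for the gear Theo describes: HTTP-01 is only possible if the CA can reach the device, whereas the DNS-01 value above can be computed and published by a management host, with the resulting certificate then pushed to the device through whatever upload interface it has.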
  • From Richmond@21:1/5 to Lawrence D'Oliveiro on Sun Apr 13 16:27:07 2025
    Lawrence D'Oliveiro <ldo@nz.invalid> writes:

    > The revenue-grab reason may backfire. For most purposes, a free cert
    > service like Let’s Encrypt is quite sufficient, and it’s easy enough
    > to set your system to run a cron task (or systemd timer) to
    > auto-renew. This already happens by default on a Debian installation,
    > for example.

    What about the increased load on the servers of all the extra renewals?

  • From John McCue@21:1/5 to Lawrence D'Oliveiro on Sun Apr 13 17:39:56 2025
    Lawrence D'Oliveiro <ldo@nz.invalid> wrote:
    > On Sat, 12 Apr 2025 14:06:58 -0000 (UTC), John McCue wrote:
    >
    >> Plus include the fact that google and friends are trying to block
    >> 'http' (no s) static sites, seems it is a continuation of a war on
    >> General Computing.
    >
    > I don’t know why you think general-purpose computers are incapable of
    > secure communication through the Internet. Where do you think such
    > secure communication got invented?

    Of course they can connect right now, but as time goes on
    I am sure at some point, general purpose computers will start
    being blocked. Google no longer returns non-secure sites.
    Firefox blocks ftp sites and I believe http pages unless you
    go looking for options to set.

    Forcing everyone into a Cell Phone Type environment is the
    easiest way to spy on people and block "bad sites" and spam
    them with ads.

    So this plus other trends is starting to look like
    something like "First they came for..."
    FWIW, I hate using that analogy in this case, but it is
    the shortest way to type it.

    --
    [t]csh(1) - "An elegant shell, for a more... civilized age."
    - Paraphrasing Star Wars

  • From Richard Kettlewell@21:1/5 to John McCue on Sun Apr 13 19:07:27 2025
    John McCue <jmccue@magnetar.jmcunx.com> writes:
    > Lawrence D'Oliveiro <ldo@nz.invalid> wrote:
    >> On Sat, 12 Apr 2025 14:06:58 -0000 (UTC), John McCue wrote:
    >>> Plus include the fact that google and friends are trying to block
    >>> 'http' (no s) static sites, seems it is a continuation of a war on
    >>> General Computing.
    >>
    >> I don’t know why you think general-purpose computers are incapable of
    >> secure communication through the Internet. Where do you think such
    >> secure communication got invented?
    >
    > Of course they can connect right now, but as time goes on
    > I am sure at some point, general purpose computers will start
    > being blocked. Google no longer returns non-secure sites.
    > Firefox blocks ftp sites and I believe http pages unless you
    > go looking for options to set.

    Why do you believe Firefox blocks http pages?
    (It does not block them by default.)

    --
    https://www.greenend.org.uk/rjk/

  • From Lawrence D'Oliveiro@21:1/5 to Richmond on Sun Apr 13 21:37:38 2025
    On Sun, 13 Apr 2025 16:27:07 +0100, Richmond wrote:

    > Lawrence D'Oliveiro <ldo@nz.invalid> writes:
    >
    >> The revenue-grab reason may backfire. For most purposes, a free cert
    >> service like Let’s Encrypt is quite sufficient, and it’s easy enough to
    >> set your system to run a cron task (or systemd timer) to auto-renew.
    >> This already happens by default on a Debian installation, for example.
    >
    > What about the increased load on the servers of all the extra renewals?

    With Let’s Encrypt, everything’s automated at their end, too.

  • From Lawrence D'Oliveiro@21:1/5 to John McCue on Sun Apr 13 21:33:38 2025
    On Sun, 13 Apr 2025 17:39:56 -0000 (UTC), John McCue wrote:

    > Lawrence D'Oliveiro <ldo@nz.invalid> wrote:
    >
    >> On Sat, 12 Apr 2025 14:06:58 -0000 (UTC), John McCue wrote:
    >>
    >>> Plus include the fact that google and friends are trying to block
    >>> 'http' (no s) static sites, seems it is a continuation of a war on
    >>> General Computing.
    >>
    >> I don’t know why you think general-purpose computers are incapable of
    >> secure communication through the Internet. Where do you think such
    >> secure communication got invented?
    >
    > Of course they can connect right now, but as time goes on I am sure at
    > some point, general purpose computers will start being blocked.

    I wonder how you think those sites are going to detect that your secure
    connection is coming from a “general-purpose computer”, and block it.

  • From Lawrence D'Oliveiro@21:1/5 to All on Mon Apr 14 22:28:44 2025
    On Fri, 11 Apr 2025 22:32:56 -0000 (UTC), I wrote:

    > For most purposes, a free cert service like Let’s Encrypt is quite
    > sufficient ...

    Speaking of which, Let’s Encrypt are going to offer the option to
    shorten their certificate lifetimes, from the former 90 days down to as
    little as 6 days <https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/>.

    Since theirs is a free service, their motives are entirely to do with
    security. Why is such a short interval a good idea? Because it shortens
    the exposure window, should a certificate key become compromised.

    There is a mechanism called “certificate revocation”, but it tends to be
    cumbersome and troublesome. With such a short certificate lifetime, there
    will be less need for such a thing: if you suffer a certificate security
    breach, just immediately get a new certificate with a new key, and be
    extra-vigilant during the few days until the old one expires.

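Added example (the editor's, not code from any post in this thread): a small model of the automated renewal loop Lawrence mentions in his first post (a cron task or systemd timer renewing on schedule) and of the exposure-window argument in his last one. Assumptions, stated here and in the code: a certificate with lifetime L days is renewed once two thirds of L has elapsed (that ratio matches certbot's default of renewing a 90-day certificate 30 days before expiry, and is simply applied to 47- and 6-day lifetimes as well); revocation is not modelled, since the post treats it as cumbersome; and the attacker holds the private key in use at the moment of compromise. The scenarios are constructed, not measured. What the code shows that the post does not spell out: the short lifetime only bounds the exposure if every renewal generates a fresh key; an ACME client configured to re-certify the same key (certbot's --reuse-key) leaves a stolen key valid indefinitely, 47-day lifetime or not.

```python
"""Exposure window after a private-key compromise versus certificate lifetime.

Added example, not from the thread.  Assumptions: a certificate with
lifetime L days is renewed once RENEW_AT of L has elapsed (the timer
fires and a new certificate is issued); revocation is not modelled; the
attacker obtains the private key in use at the time of compromise.  All
scenarios are constructed.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

# Assumption: renew after two thirds of the lifetime.  For a 90-day
# certificate that is 30 days before expiry, certbot's default.
RENEW_AT = Fraction(2, 3)


@dataclass(frozen=True)
class Issuance:
    issued_day: Fraction
    expires_day: Fraction
    key_id: int  # which private key this certificate binds


def issuance_schedule(lifetime_days: int, horizon_days: int,
                      rotate_key: bool) -> list[Issuance]:
    """Every certificate issued up to and including horizon_days.

    rotate_key=True: each renewal generates a fresh private key (the
    default of common ACME clients).  rotate_key=False: every renewal
    re-certifies key 0 (what certbot's --reuse-key does).
    """
    if lifetime_days <= 0:
        raise ValueError("lifetime must be positive")
    schedule: list[Issuance] = []
    issued = Fraction(0)
    key_id = 0
    while issued <= horizon_days:
        schedule.append(Issuance(issued, issued + lifetime_days, key_id))
        issued += lifetime_days * RENEW_AT
        if rotate_key:
            key_id += 1
    return schedule


def exposure_window(lifetime_days: int, compromise_day: int,
                    rotate_key: bool) -> Optional[Fraction]:
    """Days after compromise_day during which a still-valid certificate
    binds the stolen key.  None means unbounded: with key reuse every
    future renewal re-certifies the stolen key, so the short lifetime
    buys nothing.  Reissuing immediately with a new key, as the thread
    recommends, does not shorten this window (the old certificate stays
    valid until it expires); it only stops the site itself serving the
    stolen key.  Only revocation could end the window earlier."""
    if compromise_day < 0:
        raise ValueError("compromise_day must be non-negative")
    if not rotate_key:
        return None
    # The key in use at compromise time is the one on the latest issuance.
    current = issuance_schedule(lifetime_days, compromise_day, True)[-1]
    return current.expires_day - compromise_day


def compare_lifetimes(compromise_day: int,
                      lifetimes=(365, 47, 6)) -> dict[int, Fraction]:
    """Exposure bound per lifetime for one compromise day.  The worst case
    is a compromise right after issuance, where the window equals the
    lifetime itself; that is the number the lifetime reduction changes."""
    return {L: exposure_window(L, compromise_day, rotate_key=True)
            for L in lifetimes}


if __name__ == "__main__":
    for L, days in compare_lifetimes(3).items():
        print(f"{L:4d}-day certificate, key stolen on day 3: "
              f"usable for {float(days):.1f} more days")
    print("47-day certificate with key reuse:",
          exposure_window(47, 3, rotate_key=False))
```

Fraction arithmetic is used so that renewal days such as 47 times 2/3 compare exactly instead of drifting in floating point; the model deliberately ignores clock skew and the retry policy a real client needs when the CA is unreachable at renewal time.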