ocdtrekkie 5 days ago

It's actually far worse for smaller sites and organizations than large ones. Entire pricey platforms exist around managing certificates and renewals, and large companies can afford those or develop their own automated solutions.

None of the platforms which I deal with will likely magically support automated renewal in the next year. I will likely spend most of the next year reducing our exposure to PKI.

Smaller organizations dependent on off the shelf software will be killed by this. They'll probably be forced to move things to the waiting arms of the Big Tech cloud providers that voted for this. (Shocker.) And it probably won't help stop the bleeding.

And again, there's no real world security benefit. Nobody in the CA/B has ever discussed real world examples of threats this solves. Just increasingly niche theoretical ones. In a zero cost situation, improving theoretical security is good, but in a situation like this where the cost is real fragility to the Internet ecosystem, decisions like this need to be justified.

Unfortunately the CA/B is essentially unchecked power, no individual corporate member is going to fire their representatives for this, much less is there a way to remove everyone that made this incredibly harmful decision.

This is a group of people who have hammers and think everything is a nail, and unfortunately, that includes a lot of ceramic and glass.

dextercd 4 days ago | parent | next [-]

I think most orgs can get away with free ACME clients and free/cheap monitoring options.

This will be painful for people in the short term, but in the long term I believe it will make things more automated, more secure, and less fragile.

Browsers are the ones pushing for this change. They wouldn't do it if they thought it would cause people to see more expired certificate warnings.

> Unfortunately the CA/B is essentially unchecked power, no individual corporate member is going to fire their representatives for this, much less is there a way to remove everyone that made this incredibly harmful decision.

Representatives are not voting against the wishes/instructions of their employer.
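
The "free/cheap monitoring" point above, as an added example that is not part of any comment in this thread: a PowerShell script that walks every HTTPS binding in IIS, resolves the bound certificate in the local machine store, and flags certificates that are missing, expired, or inside a renewal window. It assumes the WebAdministration module that ships with IIS, an elevated session on the IIS host, and a hypothetical -WarnDays threshold; the cmdlets and X509Certificate2 properties used are standard, everything else is an assumption for illustration.

```powershell
# Added example (not from the thread): inventory IIS HTTPS bindings and flag
# certificates that need attention. Assumes the WebAdministration module
# (installed with IIS) and an elevated session on the IIS host.
# -WarnDays is an assumed threshold: set it shorter than your ACME client's
# renewal lead time so a stuck renewal is visible well before expiry.
param(
    [int]$WarnDays = 14
)

Import-Module WebAdministration -ErrorAction Stop

$now = Get-Date
$report = foreach ($site in Get-Website) {
    $httpsBindings = Get-WebBinding -Name $site.Name | Where-Object { $_.protocol -eq 'https' }
    foreach ($binding in $httpsBindings) {
        $hash  = $binding.certificateHash
        $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }

        # Resolve the binding's thumbprint to a certificate in the machine store.
        $cert = $null
        if ($hash) {
            $cert = Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
                    Where-Object { $_.Thumbprint -eq $hash }
        }

        $daysLeft = $null
        $lifetime = $null
        if ($cert) {
            $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)
            # Issued lifetime: a 398-day and a 47-day certificate need very
            # different renewal cadences, so report it next to the expiry.
            $lifetime = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays)
        }

        $status = 'OK'
        if (-not $cert)                 { $status = 'MISSING' }
        elseif ($daysLeft -lt 0)        { $status = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays) { $status = 'RENEW' }

        [pscustomobject]@{
            Site         = $site.Name
            Binding      = $binding.bindingInformation
            Thumbprint   = $hash
            Subject      = if ($cert) { $cert.Subject } else { '(certificate not found in store)' }
            LifetimeDays = $lifetime
            DaysLeft     = $daysLeft
            Status       = $status
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Non-zero exit code so a scheduled task or monitoring agent can alert on it.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 } else { exit 0 }
```

Run it from a scheduled task on each IIS host and alert on the exit code; the LifetimeDays column makes it obvious which bindings are still carrying long-lived, manually installed certificates that no ACME client is renewing.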

ocdtrekkie 4 days ago | parent [-]

I mean to give you an example of how far we are from this: IIS does not have built-in ACME support, and in the enterprise world it is basically "most web servers". Sure, you can add some third party thing off the Internet to do it, but... how many banks will trust that?

Unfortunately the problem is likely too removed from understanding for employers to care. Google and Microsoft do not realize how damaging the CA/B is, and probably take the word of their CA/B representatives that the choices that they are making are necessary and good.

I doubt Satya Nadella even knows what the CA/B is, much less that he pays an employee full-time to directly #### over his entire customer base and that this employee has nearly god-level control over the Internet. I have yet to see an announcement from the CA/B that represented a competent decision that reflected the reality of the security industry and business needs, and yet... nobody can get in trouble for it!

dextercd 4 days ago | parent [-]

Let's Encrypt lists 10 ACME clients for Windows / IIS.

If an organisation ignores all those options, then I suppose they should keep doing it manually. But at the end of the day, that is a choice.

Maybe they'll reconsider now that the lifetime is going down or implement their own client if they're that scared of third party code.

Yeah, this will inconvenience some of the CA/B participant's customers. They knew that. It'll also make them and everyone else more secure. And that's what won out.

The idea that this change got voted in due to incompetence, malice, or lack of oversight from the companies represented on the CA/B forum is ridiculous to me.

ocdtrekkie 4 days ago | parent [-]

> Let's Encrypt lists 10 ACME clients for Windows / IIS.

How many of those are first-party/vetted by Microsoft? I'm not sure you understand how enterprises or secure environments work, we can't just download whatever app someone found on the Internet that solves the issue.

dextercd 4 days ago | parent [-]

No idea how many are first-party or vetted by Microsoft. Probably none of them. But I really, really doubt you can only run software that ticks one of those two boxes.

Certify The Web has a 'Microsoft Partner' badge. If that's something your org values, then they seem worth looking into for IIS.

I can find documentation online from Microsoft where they use YARP w/ LettuceEncrypt, Caddy, and cert-manager. Clearly Microsoft is not afraid to tell customers about how to use third party solutions.

Yes, these are not fully endorsed by Microsoft, so it's much harder to get approval for. If an organisation really makes it impossible, then they deserve the consequences of that. They're going to have problems with 397 day certificates as well. That shouldn't hold the rest of the industry back. We'd still be on 5 year certs by that logic.

ocdtrekkie 4 days ago | parent [-]

[flagged]

dextercd 4 days ago | parent [-]

Stealing a private key or getting a CA to misissue a certificate is hard. Then actually making use of this in a MITM attack is also difficult.

Still, oppressive states or hacked ISPs can perform these attacks on small scales (e.g. individual orgs/households) and go undetected.

For a technology the whole world depends on for secure communication, we shouldn't wait until we detect instances of this happening. Taking action to make these attacks harder, more expensive, and shorter lasting is being forward thinking.

Certificate transparency and Multi-Perspective Issuance Corroboration are examples of innovations made without bothering people.

Problem is, the benefits of these improvements are limited if attackers can keep using the stolen keys or misissued certificates for 5 years (plus potentially whatever the DCV reuse limit is).

Next time a DigiNotar, Debian weak keys, or heartbleed -like event happens, we'll be glad that these certs exit the ecosystem sooner rather than later.

ocdtrekkie 4 days ago | parent [-]

[flagged]

dang 3 days ago | parent [-]

Can you please follow the site guidelines when posting to HN, regardless of how wrong anyone else is or you feel they are? You broke them more than once in this thread (e.g. in this comment, in https://news.ycombinator.com/item?id=43698063, and arguably in your root post to the thread too - https://news.ycombinator.com/item?id=43687459).

I'm sure you have legit reasons to feel strongly about the topic and also that you have substantive points to make, but if you want to make them on HN, please make them thoughtfully. Your argument will be more convincing then, too, so it's in your interests to do so.

JackSlateur 3 days ago | parent | prev [-]

I hope you understand how funny this is

The ballot is nothing but expected

The whole industry has been moving in this direction for the last decade

So there is nothing much to say

Except that if you waited until the last moment, well, you will have to be in a hurry. (Non-)actions have consequences :)

I'm glad about this decision because it'll hammer down a bit on those resisting, those who have a human perform yearly renewal. Let's see how stupid it can get.