dextercd 4 days ago

If a CA or subscriber improves their security but had an undetected incident in the past, a hacker today has a 397 day cert and can reuse the domain control validation in the next 397 days, meaning they can MITM traffic for effectively 794 days.

CAs have now implemented MPIC. This may have thwarted some attacks, but those attackers still have valid certificates today and can request a new certificate without any domain control validation being performed in over a year.

BGP hijackings have been uncovered in the last 5 years and MPIC does make this more difficult. https://en.wikipedia.org/wiki/BGP_hijacking

New security standards should come into effect much faster, both for fixes against attacks we know about today and for new ones that are discovered and mitigated in the future.

xyzzy123 3 days ago | parent | next

People who care deeply about this can use 30 day certs right now if they want to.

dextercd 3 days ago | parent

Sure, but it's even better if everyone else does too, including attackers that mislead CAs into misissuing a cert.

CAs used to be able to use WHOIS for DCV. The fact that this option was taken away from everyone is good. It's the same with this change, and you have plenty of time to prepare for it.

xyzzy123 3 days ago | parent

> including attackers that mislead CAs into misissuing a cert.

I thought we had CT for this.

> CAs used to be able to use WHOIS for DCV. The fact that this option was taken away from everyone is good.

Fair.

> It's the same with this change, and you have plenty of time to prepare for it.

Not so sure on this one; I think it's basically a result of a security "purity spiral". Yes, it will achieve better certificate hygiene, but it will also create a lot of security busywork that could be better spent in other parts of the ecosystem that have much worse problems. The decision to make something opt-in mandatory forcibly allocates other people's labour.

dextercd 3 days ago | parent

CT definitely helps, but not everyone monitors it. This is an area where I still need to improve. But even if you detect a misissued cert, it cannot reliably be revoked with OCSP/CRL.

--

The maximum cert lifetime will gradually go down. The CA/B forum could adjust the timeline if big challenges are uncovered.

I doubt they expect this to be necessary. I suspect that companies will discover that automation is already possible for their systems and that new solutions will be developed for most remaining gaps, in part because of this announced timeline.

This will save people time in the long run. It is forced upon you, and that's frustrating, but you do have nearly a year before the first change. It's not going down to 47 days in one go.

I'm not saying that no one will renew certificates manually every month. I do think it'll be rare, and even more rare for there to be a technical reason for it.
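The two points raised in this thread, monitoring CT for certificates your CA policy did not expect and working out how long a misissued cert can stay usable once DCV reuse is counted, can be put together in a small monitor. The following is an added example and not code from anyone in this thread; the issuer names, domains and log entries are constructed, and it assumes the attacker's domain validation happened on the cert's not-before date.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy: which issuers are allowed to issue for each monitored domain.
EXPECTED_ISSUERS = {"example.com": {"Let's Encrypt"}}


@dataclass
class CTEntry:
    """Fields a CT monitor typically extracts from a logged certificate."""
    issuer: str
    sans: list
    not_before: date
    not_after: date


def covers(name, domain):
    """True if a SAN (possibly a wildcard) is the domain or a subdomain of it."""
    base = name[2:] if name.startswith("*.") else name
    return base == domain or base.endswith("." + domain)


def is_unexpected(entry, policy=EXPECTED_ISSUERS):
    """True if any SAN is under a monitored domain but the issuer is not allowed for it."""
    return any(covers(name, domain) and entry.issuer not in issuers
               for name in entry.sans for domain, issuers in policy.items())


def exposure_window(entry, dcv_reuse_days):
    """Worst-case date until which the holder of this cert can present a valid one.
    The cert itself is valid until not_after; a cached DCV (assumed to date from
    not_before) can be reused until not_before + dcv_reuse_days to obtain another
    cert of the same lifetime, which pushes the end of the window out further."""
    lifetime = (entry.not_after - entry.not_before).days
    last_reissue = entry.not_before + timedelta(days=dcv_reuse_days)
    return max(entry.not_after, last_reissue + timedelta(days=lifetime))


def scan(entries, dcv_reuse_days):
    """Return (entry, worst-case exposure end) for every policy-violating entry."""
    return [(e, exposure_window(e, dcv_reuse_days)) for e in entries if is_unexpected(e)]


# Constructed sample log entries, not real issuances.
SAMPLE_ENTRIES = [
    CTEntry("Let's Encrypt", ["example.com", "www.example.com"], date(2025, 1, 1), date(2025, 3, 31)),
    CTEntry("Some Other CA", ["mail.example.com"], date(2025, 1, 1), date(2026, 2, 2)),
    CTEntry("Some Other CA", ["unrelated.test"], date(2025, 1, 1), date(2026, 2, 2)),
]

if __name__ == "__main__":
    for entry, until in scan(SAMPLE_ENTRIES, dcv_reuse_days=397):
        print(f"unexpected issuer {entry.issuer!r} for {entry.sans}; exposure until {until}")
```

With a 397-day cert and 397-day DCV reuse the window comes out at 794 days from the first issuance, matching the figure at the top of the thread; rerunning with shorter lifetimes and reuse periods shows how much the later rules shrink it.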
