undefined | Better HN

0 pointsdanesparza1mo ago0 comments

An expired cert is a smell. It shows somebody isn't paying attention.

And a short expiration time absolutely increases security by reducing attack surface.

0 comments

Or that someone asked to renewed it, one of their four bosses didn't sign off the apropriate form, the only person to take that form to whoever does the certs is on a vacation, person issuing certs needs all four of his bosses to sign it off, and one of those bosses has been DOGE-ed and not yet replaced.

expired letsencrypt cert on a raspberrypi at home smells of not paying attention... with governments, there are many, many points of failure.

hananova1mo ago

The whole point of these shorter certificate durations is to force companies to put in automation that doesn't require 14 layers of paperwork. Some companies will be stubborn, and will thus be locked in an eternal cycle of renew->get paperwork started for renew. Most will adapt.

ajsnigrutin1mo ago

It's the government... they have 30 different services just in that department, made by 30 different companies with 30 different support companies, two of those don't exist anymore, 3 have been bought by cisco, two by google, 2 services are behind some old palo alto web proxy that's centrally managed by some other department, one service is written in cobol, one requires the cert to be on a usb flash drive and another on a memory stick.

It's cheaper to pay someone just to take care of the certs (unless their bosses and procurement and accounting messes up) than to fix all that.

I've seen government stuff, i wouldn't touch it with a 5m pole.

hananova1mo ago

I don't see how any of that is the CA's problem. As far as I'm concerned, the CA's and browser vendors are entirely in the right to go "Here's the new rules. Adapt. Or don't, we don't care."

1 more reply

danesparzaOP1mo ago

Humbly, I disagree with you. What better use of our tax dollars than to automate away as many problems as we can?

dmitrygr1mo ago

It did until it got so short that it created a new potential attack surface — the scripts everyone is using to auto update them.

organsnyder1mo ago

Compared to the manual processes these scripts replaced, I'd put more trust in the automations.

dmitrygr1mo ago

And the original article shows you how that is going

j / k navigate · click thread line to collapse

0 comments

ajsnigrutin1mo ago

expired letsencrypt cert on a raspberrypi at home smells of not paying attention... with governments, there are many, many points of failure.

hananova1mo ago

ajsnigrutin1mo ago

It's cheaper to pay someone just to take care of the certs (unless their bosses and procurement and accounting messes up) than to fix all that.

I've seen government stuff, i wouldn't touch it with a 5m pole.

hananova1mo ago

I don't see how any of that is the CA's problem. As far as I'm concerned, the CA's and browser vendors are entirely in the right to go "Here's the new rules. Adapt. Or don't, we don't care."

1 more reply

danesparzaOP1mo ago

Humbly, I disagree with you. What better use of our tax dollars than to automate away as many problems as we can?

dmitrygr1mo ago

It did until it got so short that it created a new potential attack surface — the scripts everyone is using to auto update them.

organsnyder1mo ago

Compared to the manual processes these scripts replaced, I'd put more trust in the automations.

dmitrygr1mo ago

And the original article shows you how that is going

j / k navigate · click thread line to collapse