360
submitted 3 days ago by misk@sopuli.xyz to c/technology@lemmy.world
top 50 comments
sorted by: hot top controversial new old
[-] JaddedFauceet@lemmy.world 26 points 2 days ago

What is the use case or benefit for the server admin?

as a server admin I wouldn't want to keep renewing my cert.

can anyone help to explain?

[-] frezik@midwest.social 39 points 2 days ago

Lets Encrypt certs tend to be renewed by a cronjob, anyway. The advantage is that if someone gets your cert without your knowledge, they have, at most, six days to make use of it.

[-] Blackmist@feddit.uk 24 points 2 days ago

If they get it without your knowledge, what are the odds they can get the new one too?

If they got it with your knowledge, can't you just revoke the old one?

[-] lud@lemm.ee 11 points 2 days ago

If they got it with your knowledge, can’t you just revoke the old one?

Yeah, but unfortunately cert revocation isn't that great in practice. Lots of devices and services don't even check the revocation lists on every connection.

[-] ivanafterall@lemmy.world 7 points 2 days ago

I've been using the Swiss Cheese Model for my sandwiches and they've been a disaster.

[-] echodot@feddit.uk 3 points 1 day ago

You have to scramble the slices, otherwise the holes all line up and your mayonnaise falls out.

[-] eugenevdebs@lemmy.dbzer0.com 3 points 2 days ago

6 days to do what you want to do to the page and its visitors. I guess that's good?

load more comments (1 replies)
load more comments (9 replies)
[-] 486@lemmy.world 108 points 3 days ago

I understand their reasoning behind this, but I am not sure, this is such a good idea. Imagine Letsencrypt having technical issues or getting DDoS'd. If the certificates are valid for 90 days and are typically renewed well in advance, no real problem arises, but with only 6 days in total, you really can't renew them all that much in advance, so this risk of lots of sites having expired certificates in such a situation appears quite large to me.

[-] frezik@midwest.social 5 points 2 days ago* (last edited 2 days ago)

I volunteer to help with IT at a makerspace, and I hesitate to go for 6 day expiration times. As volunteers, we can't always fix problems in a timely way like paid IT staff could. We try to automate the hell out of everything, but certs have gone a day or two without getting updated before.

load more comments (11 replies)
[-] hsdkfr734r@feddit.nl 90 points 3 days ago

When I look at the default list of trusted CAs in my browser, I get the feeling that certificate lifetimes isn't the biggest issue with server certificates.

[-] errer@lemmy.world 22 points 3 days ago

The sites I have most frequently have had to add expired certificates to use are US government websites. Particularly those affiliated with the military branches. It’s sad.

[-] rottingleaf@lemmy.world 25 points 3 days ago

People who'd abuse trust into centralized PKI system are not real, they can't hurt you, because if they abuse it, said system's reputation will fall to zero, right?

Except it's being regularly abused. LOL. And everybody is using it.

load more comments (13 replies)
[-] Valmond@lemmy.world 6 points 2 days ago

Since I set up a https website (lemmy) and had to deal with the hassle of certificates, I do wonder why you need another entity to churn out what's basically a RSA key pair?

Is it this you must trust the government again or is there some better reasons for it?

[-] AHemlocksLie@lemmy.zip 24 points 2 days ago

It's to make sure you're actually reaching your intended endpoint. If I'm visiting a site for the first time, how do I know I actually have THEIR certificate? If it's self generated, anybody could sign a certificate claiming to be anybody else. The current system is to use authority figures who validate certificates are owned by the site you're trying to visit. This means you have a secure connection AND know you're interacting with the correct site.

load more comments (28 replies)
load more comments
view more: next ›
this post was submitted on 16 Dec 2024
360 points (97.9% liked)

Technology

60000 readers
2070 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS