Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Cloud

Millions Experience Browser Problems After Long-Anticipated Expiration of 'Let's Encrypt' Certificate (zdnet.com) 94

"The expiration of a key digital encryption service on Thursday sent major tech companies nationwide scrambling to deal with internet outages that affected millions of online users," reports the Washington Examiner.

The expiring certificate was issued by Let's Encrypt — though ZDNet notes there's been lots of warnings about its pending expiration: Digital Shadows senior cyber threat analyst Sean Nikkel told ZDNet that Let's Encrypt put everyone on notice back in May about the expiration of the Root CA Thursday and offered alternatives and workarounds to ensure that devices would not be affected during the changeover. They have also kept a running forum thread open on this issue with fairly quick responses, Nikkel added.
Thursday night the Washington Examiner describes what happened when the big day arrived: Tech giants — such as Amazon, Google, Microsoft, and Cisco, as well as many smaller tech companies — were still battling with an endless array of issues by the end of the night... At least 2 million people have seen an error message on their phones, computers, or smart gadgets in the past 24 hours detailing some internet connectivity problems due to the certificate issue, according to Scott Helme, an internet security researcher and well-known cybersecurity expert. "So many people have been affected, even if it's only the inconvenience of not being able to visit certain websites or some of their apps not working," Helme said.

"This issue has been going on for many hours, and some companies are only just getting around to fixing it, even big companies with a lot of resources. It's clearly not going smoothly," he added.

There was an expectation before the certificate expired, Helme said, that the problem would be limited to gadgets and devices bought before 2017 that use the Let's Encrypt digital certificate and haven't updated their software. However, many users faced issues on Thursday despite having the most cutting-edge devices and software on hand. Dozens of major tech products and services have been significantly affected by the certificate expiration, such as cloud computing services for Amazon, Google, and Microsoft; IT and cloud security services for Cisco; sellers unable to log in on Shopify; games on RocketLeague; and workflows on Monday.com.

Security researcher Scott Helme also told ZDNet he'd also confirmed issues at many other companies, including Guardian Firewall, Auth0, QuickBooks, and Heroku — but there might be many more beyond that: "For the affected companies, it's not like everything is down, but they're certainly having service issues and have incidents open with staff working to resolve. In many ways, I've been talking about this for over a year since it last happened, but it's a difficult problem to identify. it's like looking for something that could cause a fire: it's really obvious when you can see the smoke...!"

Digital certificates expert Tim Callan added that the popularity of DevOps-friendly architectures like containerization, virtualization and cloud has greatly increased the number of certificates the enterprise needs while radically decreasing their average lifespan. "That means many more expiration events, much more administration time required, and greatly increased risk of a failed renewal," he said.

This discussion has been archived. No new comments can be posted.

Millions Experience Browser Problems After Long-Anticipated Expiration of 'Let's Encrypt' Certificate

Comments Filter:
  • Who is at fault? (Score:5, Insightful)

    by jmcbain ( 1233044 ) on Saturday October 02, 2021 @08:51PM (#61855041)
    I encountered problems related to this issue a few days ago on my old MacBook Air from 2017 running Sierra (10.12) . About half the websites I visited showed errors, including Slashdot. My Chrome browser showed the message: NET::ERR_CERT_DATE_INVALID. I'm sure previous SSL root certificates have expired on the Internet before. Why did this one have such a large impact?

    Regarding my MacBook Air, who is at fault with this error?

    The MacOS operating system? Is it supposed to self-update certificates? Do I need to manually install a new certificate?

    The Chrome browser?

    The Let's Encrypt organization?

    My ISP (Comcast)?

    The websites I'm visiting? ESPN, Slashdot, etc.?

    • The WebHost should fix the issue. This is not a user failure or generally even software. Some software I believe has the certificates embedded which is one of the reasons old software is mentioned.

      The error your browser gives points to the fault of the host. No update on the browser or your side can resolve the issue...

      • Re: Who is at fault? (Score:5, Informative)

        by jrumney ( 197329 ) on Saturday October 02, 2021 @10:51PM (#61855205)

        Letsencrypt brought short lived certificates to the web. Their rise coincided with widespread use of https for websites that didn't need high security, so their use is widespread. They weren't initially in the trusted root lists of browsers and other software, so their root was signed by other providers to make it trusted in existing browsers. It is one of those other providers' certificates that expired on September,30th, and the other one they use that is OK until 2023 only started appearing in trusted root lists in 2017. Their own root certificate came a bit later to trusted root lists.

      • 100%, I have to explain this type of failure a couple of times a year when we clients run into cert issues and try to blame us. There was one time, last year, a cert expired for Atlassian which took out our Jira, Confluence, and BitBucket, it was shocking how many times I had to explain that Atlassian had to fix the issue. After ~1 hour of downtime I brought in Atlassian customer service, who didn't understand that it was an issue on their side, and actually recommended a browser update!
    • by jmccue ( 834797 )

      This caused an issue with OpenBSD, a patch was released on the 30th to address the problem

      https://ftp.openbsd.org/pub/Op... [openbsd.org]

      Before the patch I had minor issues accessing IMAP email, after I applied the patch, all good. Other people had issues trying to down load the patch.

    • The person who decided to go with Let's Encrypt. They knew this would happen.
    • Re:Who is at fault? (Score:4, Informative)

      by skoskav ( 1551805 ) on Saturday October 02, 2021 @10:18PM (#61855171)

      Assuming you have kept the OS up-to-date, it sounds like a bug in the TLS library used by the browser. It doesn't seem to handle cross-signed root certificates correctly.

      Let's Encrypt's root certificate (also called ISRG) was cross-signed by IdenTrust. This is a common industry practice to help establish new roots. The expiration of IdenTrust's root shouldn't have been an issue because your OS or browser likely trusts Let's Encrypt's cross-signed root as well, but it seems that the TLS library used tries to validate the entire certificate chain, not just the certificate chain from the first known trusted root Let's Encrypt.

      • by jrumney ( 197329 )

        In many cases there are no options for keeping the OS up to date. My company made an Android device back in the Android 2.3 days that still has a few thousand devices out in the wild. Hardware vendors are unwilling to support drivers for upgrading to a more recent version, and early versions of Android 4 were less stable than Android 2.3, until 4.4 became the next stable point with lots of devices stuck on it as well, but that required a dual core SoC for the UI performance improvements, so single core d

        • Why would you have outdated and unsupported hardware connected to the internet? Do you also go an a wild sex spree with south African prostitutes and no condom in sight? Do you chose to not vaccinate against COVID and run around licking handrails during the pandemic?

          • This is why so many industrial control system PLCs have no security. Because f* you if I have to rip out a few million dollars worth of equipment every few years. Just so some tweens can keep posting selfies to some college perverts "Hot Chicks on Campus" web site.

          • by Sigma 7 ( 266129 )

            Why would you have outdated and unsupported hardware connected to the internet?

            Because there's the rare software that needs Windows 9x, and most users want to install basic software on that OS for it to be usable.

            When I'm running this special case, I know what I'm doing. I'd rather be able to do what I need, rather than have to troubleshoot what should be a basic protocol and struggle by finding a workaround.

            Also, since forever, most outdated hardware and software can be put behind a firewall, which is more

    • by Sigma 7 ( 266129 ) on Saturday October 02, 2021 @10:39PM (#61855189)

      Who's at fault? The protocol/implementation designers.

      The original intent of that protocol was to say that it's end-to-end secure with no unexpected MITM, with the browser complaining should there be a missing certificate.

      Let's Encrypt, HTTPS Everywhere, and similar projects want everything encrypted. Consequently, every site needs a certificate pre-signed by Lets Encrypt. If they decide to shut down, that cascades into many other sites not having a valid certificate.

      There was some project to do a "verified secure" with a green lock symbol, to distinguish really trusted certificates rather than just random HTTPS. Google decided to drop that.

      And after all that, there's plenty of websites that rely on HTTPs as just encryption (satisfiying most user's intent) instead of authentication (which is expected by the protocol) - for something that was presented to the user as "people can't see what you submit on this form" back in the Netscape 2.0 era.

      • by arglebargle_xiv ( 2212710 ) on Sunday October 03, 2021 @12:48AM (#61855355)

        Yup. This is failure by design. The Web PKI is designed around the concept of certificates expiring and expiring and expiring in order to ensure a continuous revenue stream for the gatekeepers, the CAs. This isn't an implementation issue or a technical problem, it's this way because it was designed to be this way. In particular for any kind of IoT, which is supposed to run unattended forever, a TLS-enblement mechanism that shuts itself down every twelve months (end-entity certs) or every few years or even decades (CA certs) is totally, utterly wrong.

        However, the fact that it's totally unsuited to the task won't stop the Web PKI from being pushed into everything anyway.

        • There's nothing stopping you from generating a cert with a 100 year expiry for these situations.

          The problem seems to me to be that browsers reject certs older than a year.

    • Chrome uses the certificate store of the host operating system, which means your Mac OS is where the problem lies. Unless Apple pushes out updates to your machine that include new root certificates, your browser won't recognize the chain of trust. I don't really know Mac OS, but I suspect that you can install your own certificates on it, as is common in all TLS stacks I have worked with (windows, openssl, java, etc) so you can just manually add the needed root certificate.

    • by Behrooz ( 302401 )

      MacOS Sierra was end-of-life in 2019.

      This means Apple has not been updating the associated certificates... since 2019.

      EOL OS = no updates for root/intermediate certs. If you want to use a device that is out of support, expect bad things to happen. Expiring certificates is by far the most benign outcome...

    • Re: (Score:1, Flamebait)

      by Kisai ( 213879 )

      This is directly the fault of Google, Microsoft and Firefox for jumping on the HTTPS bandwagon with their browsers and not supporting the entirety of H2 (namely the unencrypted mode.)

      Thus H2 was held hostage by requiring all sites to be also be HTTPS.

      Then Google made it worse by making all ads have to be HTTPS. All other ad vendors followed suit.

      Then Google made it even worse by labeled non-HTTPS sites as dangerous.

      Users should have always had the option to ignore the certificate or use the non-HTTPS versio

      • To be fair, without https it's not at all difficult to MitM youtube and pass through the actual page so that most users aren't even aware. Youtube is a pretty juicy target for such things. But by all means, make it about tracking and ads, as if they aren't fully capable of doing that on a regular http connection anyhow.
    • I changed the servers to send out the full chain and the problem was resolved. So, for at least a subset, I would say it is then entity operating the server.
    • I dealt with this on my MB Air and Pro running El Capitan, you just need to download and import the certificate into Keychain and you'll be right.

      Chrome uses the system's certificate store, whereas Firefox uses its own - I didn't realise that at first and was really confused about why one worked and not the other. But the fix for you is actually really really simple, download the cert, add it to keychain, and set it to trusted. You download it from letsencrypt: letsencrypt dot org slash certs slash isrgroo

    • The answer is difficult to hear, but simply: YOU are at fault. And it's a good thing.

      Your operating system provides a bunch of pre-installed certificates, saying basically "We trust these certificates, and provide them hoping they are useful." You are free to remove any of them or mark them as untrusted, you are free to add to them and make any other certificate marked as trusted. They will update certificates that are still trusted as a convenience for the bulk of the users, but ultimately it is not the

    • by amorsen ( 7485 )

      who is at fault with this error?

      The TLS protocol, for not allowing the use of multiple certificate authorities like GPG does.

      If we could all sign our sites with multiple authorities, it would not be a major problem if one has an issue.

  • by WoodstockJeff ( 568111 ) on Saturday October 02, 2021 @09:01PM (#61855053) Homepage

    Digital certificates expert Tim Callan added that the popularity of DevOps-friendly architectures like containerization, virtualization and cloud has greatly increased the number of certificates the enterprise needs while radically decreasing their average lifespan. "That means many more expiration events, much more administration time required, and greatly increased risk of a failed renewal," he said.

    I had to renew a certificated in August that was quite the nightmare. The certificate itself was issued by an enterprise that has a contract with a certificate authority to act as an intermediary. However, they clicked on the wrong button when issuing this one, and issued an internal certificate instead of a public-facing one, and it took almost a month for anyone to figure out why it didn't work.

    At the end of the process, I had a talk with someone who is involved with this professionally, like Mr. Callan, and I was warned to expect greater havoc as Apple and Google push harder to make ALL certificates last 100 days or less, like Let's Encrypt.

    Fortunately, the process I've been using for a decade is possible to automate, as long as no one screws things up like they did in August.

    • Seems the heart of the matter should be certificate management, after all certificates aren't going away, and if they're going to be expiring even faster, that'll just make it all the more important.

      • by mysidia ( 191772 )

        We need a "certificate alert" state where applications will start to warn Less-Disruptively when any cert they are relying upon is 48 hours from expiration, and also for Intermediary signing certs: A URL attribute for clients and servers to automatically attempt to retrieve a new version, when it's close to expiration.

        • by Behrooz ( 302401 ) on Sunday October 03, 2021 @01:33AM (#61855405)

          Certificate expiration really only matters to sysadmins. End users don't know what to do or who to tell if something is expiring.

          To solve this problem, I wrote a python script that iterates over the set of certificates that have been issued to my organization (easily available from the CA) and attempts to https handshake with all of the CNs and SANs associated with certificates that are approaching expiration. This runs as a recurring jenkins job that notifies my team for anything that replies with a certificate that is expiring soon.

          This has saved my ass several dozen times since I inherited responsibility for a couple hundred random virtual hosts along with my current position, some of which were legacy services that nobody still employed knew about until the alert popped up.

          The real problem is oddball/backend services that use TLS but don't answer incoming https connections on 443-- https handshakes don't find those.

          • To solve this problem, I wrote a python script that iterates over the set of certificates that have been issued to my organization (easily available from the CA) and attempts to https handshake with all of the CNs and SANs associated with certificates that are approaching expiration. This runs as a recurring jenkins job that notifies my team for anything that replies with a certificate that is expiring soon.

            This has saved my ass several dozen times since I inherited responsibility for a couple hundred random virtual hosts along with my current position, some of which were legacy services that nobody still employed knew about until the alert popped up.

            The real problem is oddball/backend services that use TLS but don't answer incoming https connections on 443-- https handshakes don't find those.

            Ninja & Ghost Certificate Source Tracking

            Good job writing an automation process to pull and check the certificates of your endpoints issued by your CA. You're lucky to have been able to enumerate the certificates issued by your CA. I wasn't so lucky...

            In the organization that I work for currently we had a similar problem but a much worse one. We had outage events a few times a year due to certificate expiration on various servers and also applications due to certificates expiring, except that these

          • by AmiMoJo ( 196126 )

            It matters to end users in the sense that the faster they expire the less likely the end user is to get ripped off.

    • ...I had a talk with someone who is involved with this professionally, like Mr. Callan, and I was warned to expect greater havoc as Apple and Google push harder to make ALL certificates last 100 days or less, like Let's Encrypt.

      That actually might improve things. If all certificates only last 100 days, then renewing them will become routine for both users and CAs. That should help reduce the errors over time as people get used to the process and failure points are found and fixed.

    • by Anonymous Coward

      This issue is not caused by normal certificates that expire quickly. It's because a root CA was totally deprecated. In other words, no new cert was issued for the root when it expired. This is a big deal.

      This doesn't happen very often (like never) so it's something a lot of software doesn't expect.

      Arguably this is partly Let's Encrypt's fault for not using a proper root CA then pushing it out to software vendors. They wanted to jump-start their system by using a CA already accepted by most software and this

    • I'm sure you have a reason for not just using Cloudflare...
    • Curious - I can't find any evidence of Apple or Google lobbying for an even further certificate expiration shortened timeline. Do you happen to have any links/references you could share?

  • I have found this to be one of the hardest things to explain to non-technical users. What are some creative ways to explain this to them? I think it is complex because there is a lot of finger-pointing going on for who is at fault. It is a very complex issue. Originally I felt it was more on users who haven't updated their OS but we had reports of users on newer OS versions having this issue. So who is really to blame? We quickly replaced our certificate with another provider but this is not the best solut
    • "Shits on fire, yo."

      Seriously though, I'm of average "technical" ability and my eyes gloss over when it comes to SSL, root certificates, and all the rest of it. Explain to a technical person who doesn't spend time with SSL implementation...
    • Shouldn't one be able to search for the old certificate, and replace it if needed?

    • by sjames ( 1099 )

      There's plenty of blame to go around. Starting with the whole certificate system being designed to be fragile and depend on "Authorities" to work. Then there's the browsers for insisting on shorter and shorter lived certificates and refusing to implement pinning even though it would make things more secure. Also for forgetting that the software is supposed to do what I say, not the other way around. Then the OS and firmware vendors for not providing a timely update and for not making it simple for the user

      • Also for forgetting that the software is supposed to do what I say, not the other way around.

        Yep. The newest versions of Chrome no longer have a button to let you override and go to site with an expired certificate. The certificate's broken? You're not going there even if it's just pictures of kittens.

    • by mysidia ( 191772 )

      Originally I felt it was more on users who haven't updated their OS but we had reports of users on newer OS versions having this issue.

      The previous CA who signed LetsEncrypt's root was totally deprecated - making that version of the ISRG X1 Root certificate invalid.

      Web hosts needed to erase all copies of Intermediary certificates and Root certificates from the Previous CA, and Install the new copy of the intermediate signing certs signed by the SELF-Signed version of the ISRG X1 Root certificate. Pr

      • by ahodgson ( 74077 )

        Yeah but Let's Encrypt is still providing the old root in their certificate bundles because they think it'll make old Android devices keep working.

        And apparently there are a lot of people running Windows with updates turned off, or Macs they haven't updated since 2016. Christ this has been a pain.

    • by skoskav ( 1551805 ) on Saturday October 02, 2021 @11:24PM (#61855263)

      My best attempt at a low-tech explanation for this would be to step through how certificate chain validation works, and why it failed in this specific case.

      When a web browser visits a site like slashdot.org that uses the default certificate strategy from Let's Encrypt, this is how the browser will fail validating its valid certificate:

      1. The website send us its leaf certificate for slashdot.org, signed by another certificate calling itself R3. This leaf certificate hasn't expired, but we have no reason to trust it, so let's try to validate the certificate for R3

      2. The website also sent us the certificate R3, signed by another certificate ISRG Root X1. This R3 hasn't expired, but we have no reason to trust it either, so let's try to validate ISRG Root X1

      3. We were not given the certificate ISRG Root X1, but my OS in 2017 had an update that added this certificate in a store of trusted certificates. It was also signed by another certificate DST Root CA X3 to speed up its adoption. This ISRG Root X1 hasn't expired, and my OS trust it, so I ought to trust slashdot.org, but let's for some reason try to validate DST Root CA X3 as well

      4. We were not given the certificate DST Root CA X3, but my OS came with this certificate pre-installed, It expired on 2021-09-30 though, so I can't use this for validating anything.

      So by step 3 we knew were done. Why did we keep looking for certificates after that? Software developers of TLS libraries used to wonder the same thing, and fixed this issue a few years ago in their code. Not everything hooked up to the Internet runs updated software though, which is why Let's Encrypt tried to warn [letsencrypt.org] developers in January about upgrading affected TLS libraries:
      * OpenSSL < 1.1.0
      * LibreSSL < 3.2.0
      * GnuTLS < 3.6.14

      • This is exactly it, ambiguity with cross-signing verification that wasn't resolved until recent releases of SSL/TLS libraries.

      • by nyet ( 19118 )

        `openssl verify`, however (even openssl post 1.1.0), will still fail to verify a server cert with a provided fullchain.pem without the -partial_chain or -trusted_first option.

        LibreSSL (all versions) `openssl verify` is totally worthless, and can never be convinced to do the right thing.

        The other option is to issue your certs with certbot --preferred-chain to tell certbot to omit the ISRG Root X1 cert, which says it was issued by DST Root CA X3, and only include the R3 cert.

        • `openssl verify`, however (even openssl post 1.1.0), will still fail to verify a server cert with a provided fullchain.pem without the -partial_chain or -trusted_first option.

          Hmm, are you sure about this? I'm not aware of the command for checking an entire chain file at once, but I've learnt to always use this command:
          $ openssl verify -verbose -no-CApath -no-CAfile -CAfile <(cat isrg-root-x1.pem dst-root-x3.pem) -untrusted r3.pem slashdot.org.pem
          slashdot.org.pem: OK
          $ openssl version -a
          OpenSSL 1.1.1f 31 Mar 2020
          built on: Mon Aug 23 17:02:39 2021 UTC
          platform: debian-amd64

          • by nyet ( 19118 )

            yes, -untrusted along with -CAfile works, but defeats the purpose of openssl verify, if i'm understanding your usage correctly, since it can't be used as a general purpose verification tool, for example, in CI or monitoring where not all certs are LE.

            It would be more useful if `openssl verify -CAfile fullchain.pem cert.pem` always worked, regardless of the cert, by assuming fullchain.pem was self-contained (such that it could also be used to check entirely self signed, non public CA signed chains)

      • by blueos ( 1402347 )
        In 2035, ISRG Root X1 will expire... game over for your (old) devices.
        Only dreamers think that manufacturers will provide an update before the certificates expires for the computers or other devices bought this year.

        Tic tac tic tac tic tac

        Broken by design [TM]
    • Hell, I’m a technical user and did not really understand what to do to maintain service continuity. For a system that provides so little real security, it sure is a mess.

    • "When this happens, add a permanent exception and move on." If the system won't get fixed until it's truly broken, you have to break it some more.

    • They changed the guard at the door and you have to teach the new guard who you are or they won't let your visitors in because the guard doesn't know who they have an appointment with.

    • Letâ(TM)s encrypt are to blame. To become a trusted CA by all users, you need to get your root CA installed for every browser on every device. Obviously there were billions of existing devices when letâ(TM)s encrypt was created, and none of them trusted letâ(TM)s encrypt, and many would never be updated. So letâ(TM)s encrypt got their CA âoecross signedâ by an existing CA that everyone already trusted, making all users trust them because they fell under the existing trust of
  • by aerogems ( 339274 ) on Saturday October 02, 2021 @09:26PM (#61855091)

    We keep having these examples of the dangers of the growing centralization of the Internet, but a month from now, I'm sure absolutely nothing will have done to prevent this sort of thing from ever happening again. There will still only be 2-3 major hosting companies, 2-3 major CDNs, and so on, until there's another merger season, then we may be left with only one major player in a given category.

    • This particular issue is very distantly related to centralization though. I would rather suggest these more specific issues:

      1. TLS libraries have bugs [letsencrypt.org] in how they validate certificates. People will keep hooking up software with outdated dependencies to the Internet as long as it's possible to.

      2. Certificates that end up being pinned or hard-coded by software often have a ludicrously long lifespan of 15-30 years. By the time one such certificate nears expiration people either weren't expecting it, or are unf

    • We keep having these examples of the dangers of the growing centralization of the Internet

      You realise that this entire thing occurred as the result of adding an additional trusted root right? This is very literally an example of *decentralisation*. Let'sEncrypt now no longer relying on IdenTrust.

      I'm sure absolutely nothing will have done to prevent this sort of thing from ever happening again.

      I hope we see this issue come up again. Because I don't like centralisation and we should not be reliant on just a few root authorities.

      There will still only be 2-3 major hosting companies

      What's a hosting company? Is that a thing people use when they don't know how to internet themselves?
      I do agree with you on CDNs, but until you fork out the literal bill

      • by tepples ( 727027 )

        What's a hosting company? Is that a thing people use when they don't know how to internet themselves?

        Or when ISPs make it impractical for a subscriber to internet themself, either because of the IPv4 address shortage or just to make inbound ports an upsell.

  • by lucifer_666 ( 662754 ) on Saturday October 02, 2021 @09:39PM (#61855109)

    On one site I look after running Exchange with LetsEncrypt certificates, the certificate is updated every month and had been migrated to the new certificate chain several months ago. For 9 out of 10 users, there was no impact, but for one iPhone X user, the certificate error popped up. Despite updating the phone to the latest OS and ensuring all apps were up to date, the problem persisted. The solution was to delete the account from the phone and add it back.

    Strange thing is, two others users had the same phone, and did not experience a problem. It appeared to me the phone in question had cached an older certificate and was trying to use that. You would think the client would check for an updated certificate on every connection attempt, but apparently not in some cases.

  • ... and offered alternatives and workarounds ...

    I'm guessing "Let's Decrypt" wasn't one of them.

  • The only problem I encounter is dropped connection from FuckCharter.net
  • I did saw the warning, I did read it carefully this summer but Let's Encrypt did downplay the scope of it greatly. According to the document https://letsencrypt.org/docs/d... [letsencrypt.org] only a handfly of super old device would not work. That's is clearly not the case. And for that, I blame Let's encrypt! Personally I could not fix every single device so I had to turn to another certificate provide. My "outside of the box" view tell me that the WHOLE CONCEPT OF EXPIRATION is pretty ridiculous. ALL our device / gadget
    • by mysidia ( 191772 )

      My "outside of the box" view tell me that the WHOLE CONCEPT OF EXPIRATION is pretty ridiculous.

      It's pretty important for end-entity certs, because the system allowing certs to be revoked is majorly limited - and use of short-term expiration is a much more effective less-resource intensive (on the CAs' resources) manner of making sure retired certificates are invalidated.

      Expiration exists mainly for important security reasons as issuance policies and minimum key lengths, etc needed for strong authenticity,

      • If it provided real security, sure. Most of the certs today are just compliance certs— the functional role they play is trivial. There is no good reason for my internal home automation system to need a new cert every 90 days.

      • by JcMorin ( 930466 )
        Why the whole revoke process then ? How logical it is to have a root certificate expired in 30 years from now? MAYBE then last end certificat could expired but the root one are totally illogical. If you are dealing with that long enough, it's a total mess. I'm pretty sure the only reason they made then expirated is to somehow sell more of those.
    • Erh... that's a terrible idea.

      The whole "at some point companies discontinue products" is the whole reason for that experiation date. Because past that discontinue date, they don't give a fuck about their product anymore. Including the certificate they use. Now imagine that certificate getting into the wrong hands.

      That experiation date at least ensures that at SOME point in time, even a hacked certificate loses its ability to cause damage.

      If anything, allow people to explicitly ignore expiration dates. If t

      • by JcMorin ( 930466 )
        So it make sense that it expired so it will stop some day the hacker to use it? Those root certificat live for 20-30 years, that's pretty weak argument I would say. I'm really talking about those root certificate expiration are pre-install on the device.... as they expired the device will failed unless it get updated somehow. Thing about all those small gadget IOT like doorbell and refrigerator, how likely the company will maintain them for 20 years? How likely you will get updated root update? Those device
  • Digital certificates expert Tim Callan added that the popularity of DevOps-friendly architectures like containerization, virtualization and cloud has greatly increased the number of certificates the enterprise needs while radically decreasing their average lifespan. "That means many more expiration events, much more administration time required, and greatly increased risk of a failed renewal," he said.

    Good. If it hurts, do it more frequently, and bring the pain forward.

    A significant part of why this root ce

  • The expiration of a key digital encryption service on Thursday sent major tech companies nationwide scrambling to deal with internet outages that affected millions of online users

    Huh, I honestly had not noticed, have seen no issues so f#&*$3*#$!& NO CARRIER

  • As someone who has been having to (unnecessarily) explicitly add the entire cert chain to servers to cater for Linux, macOS, iOS and Android users with outdated trust stores, I can confidently say this is where Microsoft's generally loose cannon telemetry data collection makes sense. Their mass data grab from people who have their systems set to Full (or Optional) telemetry collection allowed them to dodge this bullet by having the OS do the right thing, even in cases where webservers were still explicitly
  • Before, we only had link rot taking down pages off the internet. Now we get to see whole domains going dark when certificates expire.

    • by tepples ( 727027 )

      Whole domains go dark when hosting plans expire and when domain name registrations expire.

  • There was an expectation before the certificate expired.... And they let it happen.

Software production is assumed to be a line function, but it is run like a staff function. -- Paul Licker

Working...