this post was submitted on 14 Apr 2025
38 points (97.5% liked)

IT admins, get ready to grumble

top 17 comments
[–] [email protected] 16 points 2 weeks ago (2 children)

Are compromised private keys that big of a problem to cause all this headache?

Geez.

[–] [email protected] 11 points 2 weeks ago (1 children)

This will keep getting shorter until it turns into a calculus problem.

You won't even get a certificate, just a token from some SSL token warehouse. Why should I trust it? Because some random company says so!

[–] [email protected] 1 points 2 weeks ago

Lol, wouldn't put it past them. Like TLS session keys we have now, but every session key has to be requested from the SSL token warehouse.

[–] [email protected] 8 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

There are lots of companies and vendors that don't automate cert renewal. They are all going to be forced into automation with this change.

The concern is that a compromised device could leak a cert that is then used for attacks.

[–] [email protected] 6 points 2 weeks ago (1 children)

The concern is that a compromised device could leak a cert that is then used for attacks.

Yeah. Everyone gets that.

The question was whether this is worth the damage seen in the wild thus far.

And I'm curious too: show me how it's not some market trying to FUD and FOMO us into yet more rigmarole for the sake of security and also sales. Security is rich in "better safe than sorry" snake oil.

Are we trading certs lasting 'too' long, a problem that may not yet exist, for a much harder problem of properly securing the renewal chain?

Are we going to have very secure keys but on code with 181 sploits in the supply chain, that we neither know about nor can fix because of rug-pulled compatibility if we did?

[–] [email protected] 1 points 2 weeks ago (1 children)

You can still use self-signed certs. You just can't use them on the public internet.

[–] [email protected] 2 points 2 weeks ago

You can, but it might scare off some of your audience.

[–] [email protected] 9 points 2 weeks ago

Let's Encrypt is about to get even more market share. Suddenly companies will have even fewer reasons to pay money for a cert.

[–] [email protected] 8 points 2 weeks ago (1 children)

God I hate this, dropping it to one year is fine but a month and a half? Fuck that shit.

If you can use ACME/certbot, it's fine. But some of us have to manage decades-old equipment that doesn't support it, and no, we can't just put a reverse proxy in front; we tried.

[–] [email protected] 7 points 2 weeks ago

Complaining about job security, unbelievable... 🙃

[–] scottmeme 8 points 2 weeks ago

And I'm over here with an internal-only SSL cert that's good for 1000 years

[–] [email protected] 4 points 2 weeks ago

We could be heading into daily (or hourly) cert auto-renewals. Clients will have to catch up. But one day, I can see it all being hands-free.

[–] [email protected] 1 points 2 weeks ago (3 children)

What a pain in the ass. I will probably just disable HTTPS and use a VPN or SSH tunnel for my stuff then.

[–] gravitas_deficiency 7 points 2 weeks ago (1 children)

Jesus, dude… ACME is not hard to set up.

[–] [email protected] 1 points 2 weeks ago

Setting up a VPN is far, far more complex.

[–] [email protected] 5 points 2 weeks ago

Just use auto-renewal tools. Duh.
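Added example, not from any comment in this thread: a renewal-window check over a constructed certificate inventory, to make concrete what the "auto-renewal tools" above have to do, and why the earlier comment about daily renewal runs is not far-fetched once lifetimes shrink. The 398-day and 47-day lifetimes, the "renew when one third of the lifetime remains" rule, and every hostname and date in the inventory are assumptions chosen for illustration; the `CertRecord` type and the status names are mine, not any tool's API.

```python
# Added example (not from the thread): a renewal-window check over a constructed
# certificate inventory. Lifetimes of 398 and 47 days and the "renew when one
# third of the lifetime remains" rule are assumptions used for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class CertRecord:
    """One entry of a certificate inventory (constructed sample data)."""
    name: str
    not_before: datetime
    not_after: datetime
    automated: bool  # True if an ACME client (or similar) renews it unattended


def lifetime(cert: CertRecord) -> timedelta:
    return cert.not_after - cert.not_before


def renewal_due(cert: CertRecord, now: datetime, fraction_remaining: float = 1 / 3) -> bool:
    """Renew once the remaining validity drops to `fraction_remaining` of the lifetime.

    With a 398-day certificate that leaves about 133 days of slack; with a
    47-day certificate it leaves under 16 days, so a silently failing renewal
    job is noticed within days rather than months.
    """
    remaining = cert.not_after - now
    return remaining <= lifetime(cert) * fraction_remaining


def renewals_per_year(lifetime_days: float, fraction_remaining: float = 1 / 3) -> float:
    """How many renewal runs per year the rule above implies for a given lifetime."""
    interval_days = lifetime_days * (1 - fraction_remaining)
    return 365 / interval_days


def assess(inventory: list[CertRecord], now: datetime) -> dict[str, str]:
    """Classify each certificate so an operator sees which ones need a human.

    expired            - already past not_after
    renew_now          - inside the renewal window and nobody automates it
    automation_pending - inside the renewal window; automation should act (verify it did)
    ok                 - nothing to do yet
    """
    report = {}
    for cert in inventory:
        if cert.not_after <= now:
            report[cert.name] = "expired"
        elif renewal_due(cert, now):
            report[cert.name] = "automation_pending" if cert.automated else "renew_now"
        else:
            report[cert.name] = "ok"
    return report


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed inventory: names and dates are illustrative, not real hosts.
SAMPLE_NOW = _utc(2025, 4, 14)
SAMPLE_INVENTORY = [
    # ~13-month cert on a box nobody automated: 16 days left, needs a human now
    CertRecord("legacy-switch.internal", _utc(2024, 4, 1), _utc(2025, 4, 30), automated=False),
    # 47-day cert, 22 days left: above the one-third threshold, nothing to do
    CertRecord("www.example.org", _utc(2025, 3, 20), _utc(2025, 5, 6), automated=True),
    # 47-day cert, 3 days left: automation should already have renewed it
    CertRecord("api.example.org", _utc(2025, 3, 1), _utc(2025, 4, 17), automated=True),
    # one-year cert that lapsed months ago
    CertRecord("old.example.net", _utc(2024, 1, 1), _utc(2025, 1, 1), automated=False),
]

if __name__ == "__main__":
    for name, status in assess(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{name:25} {status}")
    for days in (398, 47):
        print(f"{days}-day certs: ~{renewals_per_year(days):.1f} renewal runs per year")
```

The point of the status split is the one the thread circles around: shorter lifetimes do not add risk by themselves, but they turn every certificate without working automation into a recurring manual task, and an `automation_pending` entry that is still pending the next day is the signal that the renewal job itself has broken.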

[–] [email protected] 1 points 2 weeks ago

This raises a good point. The path of least resistance typically becomes the norm.