IT admins, get ready to grumble

    • P03 Locke@lemmy.dbzer0.com (11 upvotes, 12 days ago)

      This will keep getting shorter until it turns into a calculus problem.

      You won’t even get a certificate, just a token from some SSL token warehouse. Why should I trust it? Because some random company says so!

      • Admiral Patrick@dubvee.org (1 upvote, 11 days ago)

        Lol, wouldn’t put it past them. Like TLS session keys we have now, but every session key has to be requested from the SSL token warehouse.

    • Possibly linux@lemmy.zip (9 upvotes, 1 downvote, 12 days ago)

      There are lots of companies and vendors that don’t automate cert renewal. They are all going to be forced into automation with this change.

      The concern is that a compromised device could leak a cert that is then used for attacks.

      • corsicanguppy@lemmy.ca (6 upvotes, 12 days ago)

        > The concern is that a compromised device could leak a cert that is then used for attacks.

        Yeah. Everyone gets that.

        The question was whether this is worth the damage seen in the wild thus far.

        And I’m curious too: show me how it’s not some market trying to FUD and FOMO us into yet more rigamarole for the sake of security and also sales. Security is rich in “better safe than sorry” snake oil.

        Are we trading certs lasting ‘too’ long, a problem that may not yet exist, for a much harder problem of properly securing the renewal chain?

        Are we going to have very secure keys but on code with 181 sploits in the supply chain, that we neither know about nor can fix because of rug-pulled compatibility if we did?

  • Possibly linux@lemmy.zip (10 upvotes, 1 downvote, 12 days ago)

    Let’s Encrypt is about to get even more market share. Suddenly companies will have even fewer reasons to pay money for a cert.

  • slazer2au@lemmy.world (9 upvotes, 1 downvote, 12 days ago)

    God I hate this, dropping it to one year is fine but a month and a half? Fuck that shit.

    If you can use ACME/certbot it’s fine. But some of us have to manage decades-old equipment that doesn’t support it, and no, we can’t just put a reverse proxy in front; we tried.

  • fubarx@lemmy.world (4 upvotes, 12 days ago)

    We could be heading into daily (or hourly) cert auto-renewals. Clients will have to catch up. But one day, can see it all being hands-free.

  • cmnybo@discuss.tchncs.de (4 upvotes, 3 downvotes, 12 days ago)

    What a pain in the ass. I will probably just disable HTTPS and use a VPN or SSH tunnel for my stuff then.