Hacker Neue

Preferences
michaelt parent
I'm quite surprised the CA/Browser Forum went for this.

Nobody's paying for EV certificates now browsers don't display the EV details. The only reason to pay for a certificate is if you're rotating certificates manually, and the 90 day expiry of Lets Encrypt certificates is a hassle.

If the CA/Browser Forum is forcing everyone to run ACME clients (or outsource to a managed provider like AWS or Cloudflare) doesn't that eliminate the last substantial reason to give money to a CA?

beaugunderson
The CA/BF has a history of terrible decisions, for example 2020's "Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates".

Microsoft voted for it, and now they are basically the only game in town for cloud signing that is affordable for individuals. The Forum needs voting representatives for software developers and end users or else the members will just keep enriching themselves at our expense.

account42
How is the CA/B forum relevant for code signing certificates?
beaugunderson
How are they not? :)

They set the baseline standard for code signing certificates. In 2020 they added the requirement to use hardware modules which resulted in much higher prices and fewer small developers opting to sign their code.

joking
My case, I have to manage a portal for old tvs and those don’t accept the LE root certificate since they changed a couple of years ago. Unfortunately the vendor is unable to update the firmware with new certificates and we are sold
aftbit
Yeah that LE root certificate change broke our PROD for about 25% of traffic when it happened. Everyone acts like we control our client's cert chains. Clients don't look at the failure and think "our system is broken - we should upgrade". They look at the connection failure and think "this vendor is busted - might as well switch to someone who works". I switched away from LE to the other free ACME provider for our public-facing certs after that.
nickf
Roots for all CAs are going to be rotating much more frequently now. Looking to be every 5 years.
silverwind
Sounds like planned obsolescence if devices stop working after 5 years or less.
majewsky
Only for devices that do not allow you to patch the CA bundle as an aftermarket repair. Call your representative and demand Right to Repair legislation.
aftbit
That is ... basically all of them? Other than general purpose desktop/laptop computers that is. Show me a TV or smartphone that does allow you to push new roots to it...
michaelt OP
I'd be interested in hearing more - do you have a source for this?

Seems to me CAs have intermediate certificates and can rotate those, not much upside to rotating the root certificates, and lots of downsides.

aaomidi
The upside to rotating roots is:

1. These might need to happen as emergencies if something bad happens

2. If roots rotate often then we build the muscle of making sure trust bundles can be updated

I think the weird amount they are being rotated today is the real root cause if broken devices and we need to stop the bleed at some point.

5 More Comments →
nickf
Chrome root policy, and likely other root policies are moving toward 5-years rotation of the roots, and annual rotation of issuing CAs. Cross-signing works fine for root rotation in most cases, unless you use IIS, then it becomes a fun problem.
mikestorrent
What an absolute pain in the ass for a mediocre increase in security.
account42
And your clients are right. The "security" community's wanton disregard for backwards compatibility is abhorrent.
deepsun
Well, how the vendor was going to apply other security updates if they cannot update their basic security trust store?

If the vendor is really unable to update, then it's at best negligence when designing the product, and at worst -- planned obsolescence.

michaelt OP
1. Ship the product with automatic updates delivered over https

2. Product is a smart fridge or whatever, reasonable users might keep it offline for 5+ years.

3. New homeowner connects it to the internet.

4. Security update fails because the security update server's SSL cert isn't signed by a trusted root.

array_key_first
The real solution is making your shit modifiable by the client.

We do car recalls all the time. Just send out an email or something with instructions of what to put on a USB, it's basically the same thing.

Yes it's inconvenient for consumers and annoying but the alternative is worse. Essentially hard coding certificates was always a bad idea.

lokar
Yeah, participation in web tls requires the ability to regularly update your server and client code.

Nothing stays the same forever, software is never done. It’s absurd pretend otherwise.

throw0101a
> I'm quite surprised the CA/Browser Forum went for this.

The CA folks and the Browser folks may have had differences of opinions.

tptacek
You think? :)
immibis
Yes. Mozilla presumably want this rent-seeking industry of useless middleman to disappear.
immibis
Downvoted by rent-seeking useless middlemen, presumably

This item has no comments currently.

Keyboard Shortcuts

Story Lists

j
Next story
k
Previous story
Shift+j
Last story
Shift+k
First story
o Enter
Go to story URL
c
Go to comments
u
Go to author

Navigation

Shift+t
Go to top stories
Shift+n
Go to new stories
Shift+b
Go to best stories
Shift+a
Go to Ask HN
Shift+s
Go to Show HN

Miscellaneous

?
Show this modal