• billwashere@lemmy.world
    8 up / 1 down · edited · 3 days ago

    I still think this is all pointless and just puts extra strain on the infrastructure needed to create the certs. The chances of a successful MITM attack are very, very small. Places like Let’s Encrypt and the like have done way more for security by making cert creation more automated than by shortening these certs’ lifespans. The bigger problem is self-signed certs, expired certs, and/or certs based on weak/outdated protocols. The only thing this is going to accomplish is a general acceptance of slack security practices. Want proof? Go look at any office that requires too-frequent password changes with asinine complex password rules and you’ll find many, many more passwords written on sticky notes, or passwords that do silly things like incrementing a number on the end or something similar.

    In my opinion, this whole thing is putting a band-aid on a bullet wound. If you want to fix the issues, make the certs more secure, not shorter-lived, create better revocation processes, and automate the hell out of everything.

    • surph_ninja@lemmy.world
      1 up · 3 days ago

      The automation isn’t difficult to set up, and really only seems to me like all the more reason to shorten the lifespan.

    • qaz@lemmy.world
      5 up · edited · 3 days ago

      Security: a malicious individual could MITM or impersonate another server when the private key is leaked. Reducing the timespan from the current 398 days reduces the amount of time compromised certificates can be used. It is possible to revoke certificates, but I think this is for cases when devices are unable to receive those messages.

  • Majestic@lemmy.ml
    3 up · 3 days ago

    This is pointless burdening of small actors by big actors. On top of Let’s Encrypt losing funding from the US government, it could easily collapse from strain like this. And then where are we? Back to the bad old days of very expensive certificates, which will be even more so with such a short validity period.

    Big tech doesn’t care; they never cared about your small site being encrypted against NSA spying or MITM by bad actors. They want everyone in their walled gardens and for people to spend as little time as possible outside of places like Facebook. Google will de-rank sites that don’t implement encryption, and if the costs for that go from free to quite expensive, that pushes the free parts of the web like small forums, blogs, fediverse etc. even further to the margins.

    Self-hosters who do things like hosting their own Jellyfin instance and require their own certs now have more renewals and more chances something breaks, and if things like this push Let’s Encrypt under, then that $5 Porkbun domain you have for yourself and family is going to be $69 next year if you want to encrypt the traffic of all your Linux ISOs being streamed.

    Better revocation processes and standards for browsers and apps to fetch and download revocation lists in a timely manner are needed, not this.

    This kind of frequency creates an incentive to set and forget automated processes and pay less attention to everything happening, so when things break or security fails, it’s catastrophic and not noticed.

    • Rogue@feddit.uk
      1 up / 1 down · 3 days ago

      Free certificates have existed for a long time now from providers like Let’s Encrypt and ZeroSSL.

      • MrPommeroy@lemmy.world
        1 up · 2 days ago

        There are still many apps that don’t play nice with automated certificate replacements. I manage a few systems where the entire server needs rebooting to work properly afterwards. One where the corresponding client software has to be recompiled and updates distributed simultaneously with the replacement. And one where the certificate and key together need to be uploaded manually in three different UIs.

      • 0p3r470r@lemm.ee
        1 up · 3 days ago

        I’m aware. And I haven’t had to deal with certs in a long time. When I had to purchase them, it was typically through GoDaddy. Looks like my former employer is going to have a fun time.