febusravenga
8 hours ago
What is the problem with long lived certs? Is the cryptography behind PKI considered weak nowadays, that you can collect enough material on cert that you can derive privkey? Is there other fundamental cryptographic weakness?
I understand problem of still-valid certs after domain expiration, but mere rotation strikes me as similar to password rotation ... which is currently discouraged.
bawolff
8 hours ago
The main issue is lack of a working revocation mechanism.
Servers get compromised sometimes, people do stupid things with keys, etc.
We dont have a really good way of revoking keys after something bad happens. We have some bad ways, but they kind of suck.
An additional reason might be making it easier to punish a misbehabing CA (CAs are often too big to fail, you cant ban them without breaking half the internet)
jmclnx
2 hours ago
No kidding. Where I use to work, certs are a nightmare.
For example, some sites were closed and we asked the site owner to revoke their cert. We got "What does that mean ?", they had lost their private key.
Also other departments had certs that expired, they had no idea what to do. I left over a year ago, and someone who knows more about certs that I do left not long afterwards. I know many certs are due expire soon, good luck to them.
The point of this is I can see 45 day certs being a huge issue for that company. When I left they were looking into non-expiring certs. I have no idea what they ended up doing.
FWIW, this is a fortune 500 company.
ozim
2 hours ago
Well with ACME theory is that certs should renew automatically so no one should cate.
But to set it all up in F500 size company, that is totally different discussion and not only TLS certs but all kind of other cert auth that happens there.
rightbyte
8 hours ago
> We dont have a really good way of revoking keys after something bad happens.
Why would there be. If the key is 'revokable' that is a weakness in it self.
Arnt
3 hours ago
Others have answered on one level. I want to answer on another.
A few older crypto mechanisms were designed around trusting one thing totally. For example, everything's secure until the end of time provided that the user keeps a private key totally private at all times, with no interruption, ever, and if the user lapses then the overall mechanism breaks really badly.
They were complicated mechanisms held together by a screw made of a metal which was assumed to be infinitely strong.
The current fashion is to trust thing in a more limited way, and to design systems such that they won't blow up spectactularly if something breaks. Being able to revoke keys is part of that, it is a weakness that helps to avoid a really bad weakness.
Dylan16807
8 hours ago
A mistaken revocation is orders of magnitude less harmful then a failure to revoke. If revocation worked pretty reliably, that would be an improvement over the status quo.
dspillett
6 hours ago
> If the key is 'revokable' that is a weakness in it self.
Ish. The threat of that is part of a different risk model, and probably less serious.
A long-lived certificate that ends up being able to be used by a malicious party (perhaps due to a leak of the private key) could be serious for many users if the certificate can't be reliably revoked, which they currently can't be.
A mistaken or malicious revocation if someone were to manage that could be an issue to the service operator (users can't get in) but this is a safer failure than users connecting to a malicious shadow service due, for example, to an accidentally exposed private key and a DNS poisoning attack.
As others have mentioned: if revocation worked better currently, this would be less of an issue.
gruez
8 hours ago
>If the key is 'revokable' that is a weakness in it self.
???
Why?
LegionMammal978
3 hours ago
I'd read it primarily as censorship risk. If a CA is under a government that wants your website taken down, they can just lean on the CA to stop renewing any certificates for it, as opposed to futzing around with ISPs or DNS providers that can only have a local impact. Or alternatively, the CAs in the future might directly use their monopoly to decide who's good and evil (especially on "integrity of the network" grounds against those judged to be spammers et al.).
At least perceived censorship risk is why the archive.is guy always uses HTTP links and not HTTPS links for his site, iirc.
ndsipa_pomu
an hour ago
I'd classify that as very low risk. If a CA's business is compromised by a government, then it's pretty easy to just switch to using a different CA, preferably in a different jurisdiction to work around the censorship.
I don't really get the argument behind using HTTP links to avoid the censorship risk with HTTPS - just provide both and get the best of both worlds. Also, using HTTP is far more prone to being interfered with in transit - I recall BT (or their ISP business department) trialling that and injecting adverts into HTTP pages. I can't recall any instance of HTTPS being censored by restricting certificates.
bawolff
8 hours ago
> Why would there be. If the key is 'revokable' that is a weakness in it self.
What??
This does not make sense. Keys are revocable in most crypto systems.
tikkabhuna
8 hours ago
I'm by no means an expert, but the difference between passwords and certs is that certs can be used without any interaction with the authority.
A leaked password will reveal itself to the authority when used. You have to connect to something to use it and when doing so, can be flagged.
A long lived certificate and key can be used with no interaction with the authority, so how do you know that it is being used maliciously? The renewal is the interaction with the authority which could pick up malicious activity, so making it more regular is beneficial.
growse
8 hours ago
As far as I understand it, two problems:
* Certs come with secrets. Long-lived secrets are riskier than short-lived ones because of window of opportunity if they're compromised in an undetected way.
* Less frequent cert rotations mean that the rotation process is inherently riskier. The old adage of "request a 2-year cert, and you're scheduling an outage 2 years from now" has a lot of truth to it. More frequent rotations increases the incentive to automate, which reduces the service risk.
ndsipa_pomu
8 hours ago
Your second point is crucial in my opinion. In most organisations, there'll be a rush to get some new web service configured and an overworked admin is likely to set up the initial certificate. Without a short expiry date, you can almost guarantee that the admin hasn't got around to monitoring, automating or documenting the process and might not even still be working there in 2 years time.
tsimionescu
6 hours ago
That's a problem for the company, not the security of the Internet. Why do the PKI people take it upon themselves to increase the problems for these companies in order to force them to automate processes?
ndsipa_pomu
5 hours ago
Reduced certificate expirations also enhances the security of the internet as it reduces the window of opportunity for nefarious uses. It could possibly reduce their number of support calls from someone who's taken over from a previous admin and is now faced with an undocumented manual process to replace certs in a hurry as their website has an expired cert.
Personally, I don't see the problem with short expiry dates, though less than a month would be too short in my opinion.
growse
5 hours ago
The CAB (who are setting the TLS cert issuance rules) are optimising for their users' security.
Their users are "people using browsers", not "people asking for cert signatures".
gruez
8 hours ago
>but mere rotation strikes me as similar to password rotation ... which is currently discouraged.
Cargo culting strikes again. Forcing password rotation is bad because it causes people to choose passwords with a given pattern (eg. password1, password2, etc.), which defeats any security benefit. Rotating certificates have no such issue, because the key is (presumably) randomly generated.
gsich
8 hours ago
Also you can reuse the same key.
remram
an hour ago
You can also set your password to "password" but hopefully you don't. Guidelines and technical measures can't keep everybody safe all the time, if they are determined to be unsafe, but that is never an argument against them.
gruez
8 hours ago
Don't you have to go out of your way to do that? You can probably choose a weak RSA key as well (ie. one that's 4096 bits but not a prime), but if you have to go out of your way to do that there's little anyone can do to stop you.
fardo
8 hours ago
> What is the problem with long lived certs?
Privilege escalation and Dev Ops rot. Long-lived certs often get compromised when privilege escalations happen and someone gets access to an account or computer that has private keys on it.
One example scenario for privilege escalation: let's say a hacker gets access to one of your employee's or vendor's machines and associated accounts using a zero-day, or phishing, or some other method that goes undetected for some time. The attacker, as part of this attack, successfully gets access to your cert's private keys through some way or another without drawing attention to themselves.
Some time later, your firm makes several security updates. When doing this, you unknowingly patched the attacker out of your network. The attacker is now in a race against time if they want to do something with the cert before it expires, and in this kind of situation, the sooner that cert expires, the better, because the attacker gets less time to do something with it. In a perfect world, the cert expired exactly when they got patched out, but because we're not guaranteed to know if there's an attacker in the first place, "keeping the expiration time as short as is reasonably possible without impacting service reliability" is what things seem to be moving towards, to limit the blast radius during access leaks.
As for Dev Ops rot, speed has a tendency to change requirements in favor of automation. Generally, certificate rotations tend to be a pain point - they break management panes, they take down websites, they throw browser errors, they don't get updated in pipelines, and other woes happen when they expire that demand people keep track of a ton of localized knowledge and deadlines that's easy to lose or forget. However, paradoxically, the longer the time between rotations, the more painful they tend to be, because once rotations are sufficiently fast, it becomes unmanageable to do them manually: demanding speed forces people to build anti-fragile rotation systems. Making the requirement be shorter is in some sense an attempt to encode into managerial culture "you need to automate this", as a bulwark against swapping your certs out being anything besides automated or one click rotations.
rightbyte
8 hours ago
I think the problem that 100 year certs don't require a complicated SaaS and consultant riddled circus as much.
It is like credit cards. The more problem the more money is to be made by middlemen.
remram
an hour ago
100 year certs require a consultant when the 100 years are up on any certificate and no one has any idea how the system was set up. They require a consultant when there's a security breach and you have to figure out which of the many certs you have ever used is compromised, or let the attackers in.
The hope is that 45 day certs don't require consultants because if you don't set it right you'll find it right away... and of course the risk of leak is much lesser.
ndsipa_pomu
an hour ago
It's very easy to use free certificates (e.g. LetsEncrypt) that can use a free script to automate the renewal of them. There's also plenty of free guides on how to use them for various web servers etc. That comes to a grand total of nothing.
If you'd rather pay someone else to do it for you, then that's your own issue and not really anything to do with the length of certificate validity.
appendix-rock
8 hours ago
[flagged]
rightbyte
6 hours ago
I miss simplicity.
And I could argue that lower prices implies money is made somewhere else. Like how Cloudflare infested half the internet with their free MITM.
But, ye, I should chill a bit on topics like these. I have hard time not ending up in a 'Google etc. is coming for me' rant.
nolist_policy
8 hours ago
(Currently) there is no reliable way of revoking compromised certificates.
chippiewill
8 hours ago
It's because of the risk of leaked private keys being used for a long period of time.
Additionally, short renewal periods encourages automation which is more secure than a manual process.
Password rotation is discouraged because usually it means that users will create weaker passwords.