paulgorman.org

< ^ txt

Sun Feb 23 06:00:01 EST 2020 ======================================== Slept from eleven to eight without waking. Sunny. Highs in the upper 40s. Southwest winds 10 to 15 mph with gusts to around 30 mph. To do: - Order something for Hardy's birthday Done. https://news.ycombinator.com/item?id=22398063 https://www.theregister.co.uk/2020/02/20/apple_shorter_cert_lifetime/ Safari won't honor certs with a lifetime longer than thirteen months. > The aim of the move is to improve website security by making sure devs use certs with the latest cryptographic standards, and to reduce the number of old, neglected certificates that could potentially be stolen and re-used for phishing and drive-by malware attacks. If boffins or miscreants are able to break the cryptography in a SSL/TLS standard, short-lived certificates will ensure people migrate to more secure certs within roughly a year. > Shortening the lifespan of certificates does come with some drawbacks. It has been noted that by increasing the frequency of certificate replacements, Apple and others are also making life a little more complicated for site owners and businesses that have to manage the certificates and compliance. > "Companies need to look to automation to assist with certificate deployment, renewal, and lifecycle management to reduce human overhead and the risk of error as the frequency of certificate replacement increase," Callan told us. https://www.reddit.com/r/sysadmin/comments/f7yu01/apple_blocking_certs_valid_for_more_than_13/ > Have you tried DNS based verification for letsencrypt? I use the Route53 plugin and it works well. None of our internal system using letsencrypt certs are reachable from the internet. > > I think I could make an argument that constant reneawls isn't secure for password resets so why should our crypto be any different? > Because revocation works completely differently between the two. If you have evidence that a passphrase credential has been compromised, you can change it immediately. But an X.509 certificate with one year of validity can be used until it expires, even if you find out immediately that it was compromised, because X.509 revocation is not absolute. X.509 revocation is distributed and somewhat voluntary, which means the revocation mechanisms themselves are fragile, unlike passphrases. https://scotthelme.co.uk/why-we-need-to-do-more-to-reduce-certificate-lifetimes/ Dusted, watered plants, took out recycling. Twenty-minute walk in the afternoon. Much like yesterday — sunny, windy, and almost warm. Servings: grains 2/6, fruit 3/4, vegetables 3/4, dairy 2/2, meat 2/3, nuts 1/0.5 Breakfast: pineapple, celery, salami, cheese, coffee Lunch: sandwich with egg, tomato, and avocado Afternoon snack: cucumber slices and hummus, two beers, banana Dinner: orange, Chinese 128/80

< ^ txt