You're viewing the mastodon.green public feed.

Federated feed Local feed

Neil Craigtdp_org@mastodon.social
Apr 16, 2025, 9:51 AM
So it's official: TLS certificate lifetimes will reduce from the current max of 398 days to:
* 200 days in March 2026
* 100 days in March 2027
* 47 days in March 2029
For web servers/proxies etc. it's reasonably simple, at least for smaller orgs but for e.g. network kit it might be more of a challenge. Having a timeframe to aim at definitely focusses the mind!
Via @riskybiz / https://risky.biz/risky-bulletin-ca-b-forum-approves-47-day-tls-certs/
#TLS #PKI #InfoSec #WebDev
💬 8🔄 20⭐ 0

Replies

Klaus Frankagowa338@chaos.social
Apr 16, 2025, 10:40 AM
@tdp_org @riskybiz
"The certificate of the page you're viewing is not secure, do you want to proceed anyway?"
Is already often seen in these environments. I don't expect this policy change to have any significant impact on anything.
Besides maybe having to pay more for your extended validation certificates that don't even show your business name in green within the address bar anymore anyway...
💬 0🔄 0⭐ 0
Bookbook@beige.party
Apr 16, 2025, 10:50 AM
@tdp_org @riskybiz Silly newbie question: Why are these number of days chosen?
200, 47, it all feels arbitrary
💬 1🔄 0⭐ 0
Neil Craigtdp_org@mastodon.social
Apr 16, 2025, 11:02 AM
@book @riskybiz I don't know TBH, there might be some detail in the proposal docs.
I suppose you have to choose *a* number and I suppose one number is as good as any other to some extent, provided they're in the right range.
💬 0🔄 0⭐ 0
System Adminihatersystemadminihater@cyberplace.social
Apr 16, 2025, 11:12 AM
@tdp_org @riskybiz That is terribly stupid.
💬 0🔄 0⭐ 0
Dr. Christopher Kunzchristopherkunz@chaos.social
Apr 16, 2025, 11:19 AM
@tdp_org @riskybiz Remember that this change affects the Web PKI.
What you do on machines and infra that are not required to talk to *every random* browser on the planet via TLS is and will even in 2029 be entirely up to you.
For times immemorial, network kit has worked with private, ssl-cert-snakeoil.pem-type certs and there's no reason why that would stop working.
On the contrary: If anything, making private CAs more manageable for network and server admins could be one outcome of this.
💬 1🔄 0⭐ 0
Zimmiebob_zim@infosec.exchange
Apr 16, 2025, 12:03 PM
@christopherkunz @tdp_org @riskybiz We can only hope. There has long been a joke-but-not-a-joke:
How can you tell which URL you use to manage the company’s most critical security tools? It’s the one with the expired, self-signed certificate using key and hash algorithms old enough to vote.
💬 0🔄 0⭐ 0
Gstark@mastodon.mit.edu
Apr 16, 2025, 2:10 PM
@tdp_org @riskybiz This is all about browser requirements right? TLS is used for a lot of other tech.
💬 0🔄 0⭐ 0
LaukidhLaukidh@infosec.exchange
Apr 16, 2025, 3:21 PM
@tdp_org @riskybiz That’s gonna force a lot of companies to learn how to automate their certs.
💬 0🔄 0⭐ 0
ww@11n.org
Apr 16, 2025, 4:17 PM
can we just skip to the end where certificates have a 1-day lifetime and I give up managing certificates everywhere I have admin access?

CC: @riskybiz@infosec.exchange
💬 0🔄 0⭐ 0