mctoasterson@reddthat.com
on 17 Apr 11:16
nextcollapse
The most-aggressively short timelines don’t apply until 2029. Regardless, now is the time to get serious about automation. That is going to require vendors of a lot of off-the-shelf products to come up with better (or any) automation integrations for existing cert management systems or whatever the new standard becomes.
The current workflow many big orgs use is something like:
Poor bastard application engineer/support guy is forced to keep a spreadsheet for all the machines and URLs he “owns” and set 30-day reminders when they will expire,
manually generate CSRs,
reach out to some internal or 3rd party group who may ignore his request or fuck it up twice before giving him correct signed certs,
schedule and get approval for one or more “possible brief outage” maintenance windows because the software requires manually rebinding the new certs in some archaic way involving handjamming each cert into a web interface on a separate Windows box.
As the validity period shrinks and the number of environments the average production application uses grows, the concept of doing these processes manually becomes a total clusterfuck.
king_tronzington@lemm.ee
on 17 Apr 12:11
nextcollapse
I’m that poor bastard engineer at my company. This likely will be the push we need to prioritize automation. Dealing with manual renewals with Digicert has been a pain in the ass. If anyone has experience with their automated option I’d love to hear it.
Glitchvid@lemmy.world
on 17 Apr 13:18
nextcollapse
Ironically the shortening of cert lengths has pushed me to automated systems and away from the traditional paid trust providers.
I used to roll a 1-year cert for my CDN, and manually buy renewals and go through the process of signing and uploading the new ones, it wasn’t particularly onerous, but then they moved to I think either 3 or 6 months max signing, which was the point where I just automated it with Let’s Encrypt.
I’m in general not a fan of how we do root of trust on the web, I much prefer had DANE caught on, where I can pin a cert at the DNS level that is secured with DNSSEC and is trusted through IANA and the root zone.
I’ve proposed using Let’s Encrypt but my coworkers believe there would be a perception issue with us using a “free” TLS certificate provider. I work for a popular internet search engine so it’s a reasonable worry.
It just seems like LE has the most efficient automatic renewal setup, though I haven’t looked in detail at other providers.
patatahooligan@lemmy.world
on 17 Apr 14:40
nextcollapse
That sound weird to me. How big is the population of people who are technical enough to even check what certificate provider you are using but ignorant enough to think that let’s encrypt is bad because it’s free?
Glitchvid@lemmy.world
on 17 Apr 16:18
nextcollapse
There can be theoretical audit or blame issues , since you’re not “paying” then how does the company pass the buck (SLA contracts) if something fucks up with LE.
bane_killgrind@slrpnk.net
on 18 Apr 13:39
collapse
ACME Directory URLs – Get certificate-level automation for Extended Validation (EV) and Organization Validated (OV) certificates. Manage multiple ACME clients, running on Windows or Linux so you can efficiently automate certificate delivery regardless of the quantity of certificates you’re managing. Improve the security of using ACME in your network through our CertCentral discovery sensors. The sensor is an extra layer of security, ensuring the ACME client doesn’t directly speak to an unsecure third party.
If you search for RFC8555 or ACME, you may find a tool you can use that may be compatible for renewing Digicert certs automatically.
I’d love to actually help, but honestly I knew the RFC offhand (correction; I was close but off) and googled the rest myself, so dragging the problem to ACME - like RFK dragging the carcass of a deer back to his sedan - is the best I can do for you today.
Can you not write a script to automate a lot of this?
corsicanguppy@lemmy.ca
on 17 Apr 18:10
nextcollapse
get serious about automation.
I’m relieved this post didn’t mention Ansible. It’s nice we’ve avoided the irony of mentioning Ansible in a post also mentioning ‘serious’ or ‘modern’.
the concept of doing these processes manually becomes a total clusterfuck.
But it’s a known clusterfuck compared to the scary unknown of certs (and the boulder app).
If you’re truly unaware of why TLS is necessary or how to automate the process then you should probably retire.
Archaic attitudes like yours are precisely why these restrictions are necessary.
sugar_in_your_tea@sh.itjust.works
on 17 Apr 13:28
nextcollapse
Exactly. Setting up Let’s Encrypt is really easy, and once it’s set up, you don’t have to think about it.
I did it for self-hosted stuff, and it’s trivial. You can even do DNS challenge auth instead of HTTP and you don’t need to have port 80 open at all, but you do need a login token for your DNS host for the script.
The first one will probably take an hour or two if it’s your first time, and after that, it’s maybe 5 min per site.
Not all DNS hosts support that. Webnames.ca, looking at you…
Also my workplace hosts their own dns and I think it will be a cold day in hell before they let me do automated updates.
sugar_in_your_tea@sh.itjust.works
on 17 Apr 13:48
nextcollapse
Sure, but it’s really nice if it does.
I use Cloudflare, and my login token only supports editing DNS records, which is nice. If yours doesn’t, it may be worth switching to one that does. There are lots of options and many of them have a reasonable API.
Exactly. Setting up Let’s Encrypt is really easy, and once it’s set up, you don’t have to think about it.
That’s what I thought. And now I need to figure out how to update it for 47 day cycles.
sugar_in_your_tea@sh.itjust.works
on 17 Apr 15:18
collapse
I have mine check daily, which is the default and is recommended. It only actually updates when it’s close to renewal, so I never need to care how short the renewal period is.
Get ready for a bunch more 1 and 2 day outages because someone forgot/missed the deadline to renew some crusty server somewhere. This is such massive overkill for most servers. End users should start getting used to that expired certificate warning in their browser of choice and the process to tell it to continue to the site anyway.
End users should start getting used to that expired certificate warning in their browser of choice and the process to tell it to continue to the site anyway.
We already have a lot of this, and it’s definitely gonna get worse. Is a security dance so convoluted that people are used to others just messing up really an effective process?
Given the biggest breaches were caused by default passwords and misconfigured S3 outhouses, are we focusing on the right stuff today?
I just hope that automation doesn’t bring new vulnerabilities…
Otherwise we get safer cert but poorly secured automated PKI to create the certs?
I mean if you have a fully automated cert deployment it could be months with a compromised system and you probably wouldn’t see it.
I don’t know how effective this will be. It still seems short even if it starts in 2029.
sugar_in_your_tea@sh.itjust.works
on 17 Apr 15:35
collapse
How does manual cert generation impact that?
My experience is that orgs that don’t bother checking logs are also likely to buy long duration certs. And it’s also frequently a simple FTP drop or something, they’re not taking the time to actually verify things properly.
I also haven’t seem evidence of attackers compromising certificates themselves, if they have the access to do that, they’ll just steal the data they want or install some kind of backdoor for later use.
There is plenty of data on compromised certs. I mean if you steal a cert you essentially steal the identity of that server.
I’m just saying before that you had admins connecting from time to time to the server while deploying but after that change it could be years before someone connects. Cert deployment IMO is often one of the last maintenance that is not automated and one of the hardest to automate both safely and reliably.
But for a business that handles it that way it’s just straight up an upgrade in security to have shorter certs.
shortwavesurfer@lemmy.zip
on 17 Apr 17:34
nextcollapse
I think there’s an argument to be made here of why are we trusting certificate providers anyway since that just adds another layer of centralization and a choke point for governments to attack. Why not use self-signed certificates and have each search engine indexer also index the certificate and point out how long it has been since it has changed so that you can trust whatever search engine you wish instead of these mega centralized providers of certificates. If kagi, google, ddg, and quant (for example) are all in agreement about the validity of a cert i feel its likely trustworthy. If they start disagreeing thats when it may be time to DYOR. Besides, TOFU is much easier to set up.
Why not use self-signed certificates and have each search engine indexer also index the certificate and point out how long it has been since it has changed so that you can trust whatever search engine you wish instead of these mega centralized providers of certificates.
Freshness isn’t an indicator of validity. The fence around the nearby park is decades old and with inspection and minor repairs is still viable; commercials on TV promising mail-order boner pills or vast riches from slots and roulette are relatively new.
shortwavesurfer@lemmy.zip
on 17 Apr 18:15
collapse
On one hand, I agree with the technical merits. Having an automated process to renew short lived tls certs is “a good thing” and I think services like Let’s Encrypt have demonstrated such automation is viable (at large scale).
But, there are reasons why people pay money for tls Certs rather than use free (short lived) Certs. For example, there’s a mom-and-pop webhosting company that allows you to upload your tls Certs (they cost < $25 / year) or you can pay them $95 / year to use their Certs (and they just use Let’s Encrypt - lol)
The nearly 4x markup is their “convenience fee” or “dumb tax”. Regardless, once the 45 day tls Certs are enforced, I’ll have no choice in either paying their 4x markup or migrating to another platform.
… Having a choice is not always a bad thing…
UnsavoryMollusk@lemmy.world
on 17 Apr 18:45
nextcollapse
Nice, having to renew the EV cert and upload it every month manually to all our hardware load balancer will be a great pleasure !
Thank you Apple !
/s
The_Decryptor@aussie.zone
on 18 Apr 05:43
collapse
Yeah I think they’re generally regarded as a mistake, browsers have removed all the UI signifying an EV cert these days.
csh83669@programming.dev
on 17 Apr 23:37
nextcollapse
My concern is basically that this forces people to use very expensive cert providers, since it is infeasible to setup and connect and secure an HSM that can do this yourself. And Microsoft and Amazon have tricked the browser forums that their online ones are good enough.
It essentially puts yet another monopoly into the “open” Web. The CA browser forum is a joke at this point and I don’t respect any of the decision in the last 10 years. They all serve to further centralize and close off the web.
People keep bringing up LetsEncrypt, but it very much cannot issue EV carts. It costs THOUSANDS of dollars to use a service that can auto renew “trusted certs”.
InnerScientist@lemmy.world
on 18 Apr 05:27
collapse
Why do you need EV certs?
SoftestSapphic@lemmy.world
on 18 Apr 02:15
collapse
Can we stop doing certs now?
Can we stop letting google decide what is and isn’t acceptable on the internet based on who gave them money?
bane_killgrind@slrpnk.net
on 18 Apr 03:15
nextcollapse
So how do we do trust if we don’t have specific people to trust to issue trust
SoftestSapphic@lemmy.world
on 18 Apr 03:53
collapse
Just go to the website.
bane_killgrind@slrpnk.net
on 18 Apr 03:55
collapse
What… Website???
SoftestSapphic@lemmy.world
on 18 Apr 03:57
collapse
The one you want to go to
bane_killgrind@slrpnk.net
on 18 Apr 03:59
collapse
How do I know it’s the website I want to go to and not a fake website
JackbyDev@programming.dev
on 18 Apr 04:25
nextcollapse
Damn, if only there was some way to certify that.
SoftestSapphic@lemmy.world
on 18 Apr 04:53
collapse
I don’t care?
There’s a whole internet out there that is disallowed from being accessed.
Google shouldn’t control that.
bane_killgrind@slrpnk.net
on 18 Apr 13:33
collapse
Alright you have no idea what’s going on
JackbyDev@programming.dev
on 18 Apr 04:25
nextcollapse
Certs are free through Let’s Encrypt (and have been for quite some time now, like a decade). Certs makes people peeking at what you’re doing along the route substantially more difficult.
threaded - newest
This seems sensible.
The most-aggressively short timelines don’t apply until 2029. Regardless, now is the time to get serious about automation. That is going to require vendors of a lot of off-the-shelf products to come up with better (or any) automation integrations for existing cert management systems or whatever the new standard becomes.
The current workflow many big orgs use is something like:
Poor bastard application engineer/support guy is forced to keep a spreadsheet for all the machines and URLs he “owns” and set 30-day reminders when they will expire,
manually generate CSRs,
reach out to some internal or 3rd party group who may ignore his request or fuck it up twice before giving him correct signed certs,
schedule and get approval for one or more “possible brief outage” maintenance windows because the software requires manually rebinding the new certs in some archaic way involving handjamming each cert into a web interface on a separate Windows box.
As the validity period shrinks and the number of environments the average production application uses grows, the concept of doing these processes manually becomes a total clusterfuck.
I’m that poor bastard engineer at my company. This likely will be the push we need to prioritize automation. Dealing with manual renewals with Digicert has been a pain in the ass. If anyone has experience with their automated option I’d love to hear it.
Ironically the shortening of cert lengths has pushed me to automated systems and away from the traditional paid trust providers.
I used to roll a 1-year cert for my CDN, and manually buy renewals and go through the process of signing and uploading the new ones, it wasn’t particularly onerous, but then they moved to I think either 3 or 6 months max signing, which was the point where I just automated it with Let’s Encrypt.
I’m in general not a fan of how we do root of trust on the web, I much prefer had DANE caught on, where I can pin a cert at the DNS level that is secured with DNSSEC and is trusted through IANA and the root zone.
I’ve proposed using Let’s Encrypt but my coworkers believe there would be a perception issue with us using a “free” TLS certificate provider. I work for a popular internet search engine so it’s a reasonable worry.
It just seems like LE has the most efficient automatic renewal setup, though I haven’t looked in detail at other providers.
That sound weird to me. How big is the population of people who are technical enough to even check what certificate provider you are using but ignorant enough to think that let’s encrypt is bad because it’s free?
There can be theoretical audit or blame issues , since you’re not “paying” then how does the company pass the buck (SLA contracts) if something fucks up with LE.
Managers.
LetsEncrypt also built ACME, so they’re the primary port for testing RFC8555. They’re just gonna work better at it.
But, as above, maybe Digi is still the way for you, with the right tooling glued in.
Good luck!
Aren’t they RFC8555-compatible?
Yep, seems so:
If you search for RFC8555 or ACME, you may find a tool you can use that may be compatible for renewing Digicert certs automatically.
I’d love to actually help, but honestly I knew the RFC offhand (correction; I was close but off) and googled the rest myself, so dragging the problem to ACME - like RFK dragging the carcass of a deer back to his sedan - is the best I can do for you today.
Looking forward to companies hiring “Cert Engineers” who just renew certs all day.
Joking aside, it really is time to deploy automation for those that haven’t already
That was a joke? Nice try Nostradamus, I know you can see the future.
They’ll add AI to it somehow
Which will get it wrong and leave expired/unsigned certs everywhere XD
Can confirm, am poor bastard.
Can you not write a script to automate a lot of this?
I’m relieved this post didn’t mention Ansible. It’s nice we’ve avoided the irony of mentioning Ansible in a post also mentioning ‘serious’ or ‘modern’.
But it’s a known clusterfuck compared to the scary unknown of certs (and the boulder app).
I hate my life.
Exactly how it works at mine, it’s a pain 😭
.
Or just “1.5 months”.
If it was 46 days, there will (arguably) be times where it’s less than 1.5 months.
I guess the intention is automation that updates every month, leaving you with half a month to fix issues.
Voice over: it is arbitrary
Simple cascade, but it goes from +15 to +7 to +15 lol
This will be a huge pain for the small business websites I administer, which really don’t need SSL to begin with except to please Google.
All public websites need SSL.
If you’re truly unaware of why TLS is necessary or how to automate the process then you should probably retire.
Archaic attitudes like yours are precisely why these restrictions are necessary.
Exactly. Setting up Let’s Encrypt is really easy, and once it’s set up, you don’t have to think about it.
I did it for self-hosted stuff, and it’s trivial. You can even do DNS challenge auth instead of HTTP and you don’t need to have port 80 open at all, but you do need a login token for your DNS host for the script.
The first one will probably take an hour or two if it’s your first time, and after that, it’s maybe 5 min per site.
Even that’s more steps than necessary.
Just serve your website with Caddy and it handles certs for you. The config is absolutely trivial compared to Apache, nginx, etc
I use Caddy, but there are a lot of options with decent documentation.
Red flag.
There is no security risk so bad that it can’t be made worse by layering on new tech with its own issues and pitfalls. (Paraphrasing Bruce Jackson)
Not all DNS hosts support that. Webnames.ca, looking at you…
Also my workplace hosts their own dns and I think it will be a cold day in hell before they let me do automated updates.
Sure, but it’s really nice if it does.
I use Cloudflare, and my login token only supports editing DNS records, which is nice. If yours doesn’t, it may be worth switching to one that does. There are lots of options and many of them have a reasonable API.
Any DNS host that doesn’t support automation either starts building now or goes out of business when short certs are implemented.
The best way to control the data.
This is of waning value, but don’t jump into half-assed automation early or you end up with problems like route53 hijacking.
That’s what I thought. And now I need to figure out how to update it for 47 day cycles.
I have mine check daily, which is the default and is recommended. It only actually updates when it’s close to renewal, so I never need to care how short the renewal period is.
Oof. You’re gonna hit the bottom of the table with your knee like that.
What part of your security training skipped over understanding the customer’s setup before making recommendations?
Get ready for a bunch more 1 and 2 day outages because someone forgot/missed the deadline to renew some crusty server somewhere. This is such massive overkill for most servers. End users should start getting used to that expired certificate warning in their browser of choice and the process to tell it to continue to the site anyway.
We already have a lot of this, and it’s definitely gonna get worse. Is a security dance so convoluted that people are used to others just messing up really an effective process?
Given the biggest breaches were caused by default passwords and misconfigured S3 outhouses, are we focusing on the right stuff today?
I just hope that automation doesn’t bring new vulnerabilities… Otherwise we get safer cert but poorly secured automated PKI to create the certs?
I mean if you have a fully automated cert deployment it could be months with a compromised system and you probably wouldn’t see it.
I don’t know how effective this will be. It still seems short even if it starts in 2029.
How does manual cert generation impact that?
My experience is that orgs that don’t bother checking logs are also likely to buy long duration certs. And it’s also frequently a simple FTP drop or something, they’re not taking the time to actually verify things properly.
I also haven’t seem evidence of attackers compromising certificates themselves, if they have the access to do that, they’ll just steal the data they want or install some kind of backdoor for later use.
There is plenty of data on compromised certs. I mean if you steal a cert you essentially steal the identity of that server.
I’m just saying before that you had admins connecting from time to time to the server while deploying but after that change it could be years before someone connects. Cert deployment IMO is often one of the last maintenance that is not automated and one of the hardest to automate both safely and reliably.
But for a business that handles it that way it’s just straight up an upgrade in security to have shorter certs.
I think there’s an argument to be made here of why are we trusting certificate providers anyway since that just adds another layer of centralization and a choke point for governments to attack. Why not use self-signed certificates and have each search engine indexer also index the certificate and point out how long it has been since it has changed so that you can trust whatever search engine you wish instead of these mega centralized providers of certificates. If kagi, google, ddg, and quant (for example) are all in agreement about the validity of a cert i feel its likely trustworthy. If they start disagreeing thats when it may be time to DYOR. Besides, TOFU is much easier to set up.
Freshness isn’t an indicator of validity. The fence around the nearby park is decades old and with inspection and minor repairs is still viable; commercials on TV promising mail-order boner pills or vast riches from slots and roulette are relatively new.
Thats true.
I have mixed feelings about this.
On one hand, I agree with the technical merits. Having an automated process to renew short lived tls certs is “a good thing” and I think services like Let’s Encrypt have demonstrated such automation is viable (at large scale).
But, there are reasons why people pay money for tls Certs rather than use free (short lived) Certs. For example, there’s a mom-and-pop webhosting company that allows you to upload your tls Certs (they cost < $25 / year) or you can pay them $95 / year to use their Certs (and they just use Let’s Encrypt - lol)
The nearly 4x markup is their “convenience fee” or “dumb tax”. Regardless, once the 45 day tls Certs are enforced, I’ll have no choice in either paying their 4x markup or migrating to another platform.
… Having a choice is not always a bad thing…
Nice, having to renew the EV cert and upload it every month manually to all our hardware load balancer will be a great pleasure ! Thank you Apple ! /s
EV certs are mostly bullshit in my opinion
Yeah I think they’re generally regarded as a mistake, browsers have removed all the UI signifying an EV cert these days.
My concern is basically that this forces people to use very expensive cert providers, since it is infeasible to setup and connect and secure an HSM that can do this yourself. And Microsoft and Amazon have tricked the browser forums that their online ones are good enough.
It essentially puts yet another monopoly into the “open” Web. The CA browser forum is a joke at this point and I don’t respect any of the decision in the last 10 years. They all serve to further centralize and close off the web.
People keep bringing up LetsEncrypt, but it very much cannot issue EV carts. It costs THOUSANDS of dollars to use a service that can auto renew “trusted certs”.
Why do you need EV certs?
Can we stop doing certs now?
Can we stop letting google decide what is and isn’t acceptable on the internet based on who gave them money?
So how do we do trust if we don’t have specific people to trust to issue trust
Just go to the website.
What… Website???
The one you want to go to
How do I know it’s the website I want to go to and not a fake website
Damn, if only there was some way to certify that.
I don’t care?
There’s a whole internet out there that is disallowed from being accessed.
Google shouldn’t control that.
Alright you have no idea what’s going on
Certs are free through Let’s Encrypt (and have been for quite some time now, like a decade). Certs makes people peeking at what you’re doing along the route substantially more difficult.
Miserable bait