|
|
|
|
|
|
by cyphar
278 days ago
|
|
|
Well sure, that is the argument behind short-lived certs but the current standard (47 days or less) is still fairly long if you think about a targeted attack. You can't refresh your certificates every 2 minutes but you can set the DNS TTL to 2 minutes and thus stop compromised certs as soon as you discover them (plus 2 minutes). If you use DANE this is already possible but quite fragile unless you have configured your TLS certificate issuing server to have access to modify your DNS records (which is probably less safe overall). |
|
|