[Sohcahtoa82]

It's really security theater, too.

Though if I may put on my tinfoil hat for a moment, I wonder if current algorithms for certificate signing have been broken by some government agency or hacker group and now they're able to generate valid certificates.

But I guess if that were true, then shorter cert lives wouldn't save you.

[wang_li]

My browser on my work laptop has 219 root certificates trusted. Some of those may be installed from my employer, but I suspect most of them come from MS as it's Edge on Windows 11. I see in that list things like "Swedish Government Root Authority" "Thailand National Root Certification Authority" "Staat der Nederlanden Root CA" and things like "MULTICERT Root Certification Authority" "ACCVRAUZ1". I don't think there is any reason to believe any certificate. If a government wants a cert for a given DNS they will get it, either because they directly control a trusted root CA, or because they will present a warrant to a company that wants to do business in their jurisdiction and said company will issue the cert.

TLS certs should be treated much more akin to SSH host keys in the known hosts file. Browsers should record the cert the first time they see it and then warn me if it changes before it's expiration date, or some time near the expiration date.

[londons_explore]

Certificate transparency effectively means that any government actually uses a false certificate on the wider web and their root cert will get revoked.

Obviously you might still be victim #1 of such a scheme... But in general the CA's now aren't really trusted anymore - the real root of trust is the CT logs.

[PunchyHamster]

> Certificate transparency effectively means that any government actually uses a false certificate on the wider web and their root cert will get revoked.

the ENTIRE reason the short lifetime is used for the LE certs is that they haven't figured out how to make revoking work at scale.

Now if you're on latest browser you might be fine but any and every embedded device have their root CAs updated only on software update, which means compromise of CA might easily get access to hundreds of thousands devices.

[Dylan16807]

> the ENTIRE reason the short lifetime is used for the LE certs is that they haven't figured out how to make revoking work at scale.

And 200 is not "at scale". The list of difficulties in revoking roots is a very different list from the problem you're citing.

> any and every embedded device

Yes it's flawed but it's so much better than the previous nothing we had for detecting one of the too-many CAs going rogue.

[jofla_net]

>> TLS certs should be treated much more akin to SSH host keys in the known hosts file. Browsers should record the cert the first time they see it and then warn me if it changes before it's expiration date, or some time near the expiration date.

This is great, and actually constructive!

I use, a hack i put together http://www.jofla.net/php__/CertChecker/ to keep a list (in json) of a bunch of machines (both https and SSH) and the last fingerprints/date it sees. Every time it runs i can see if any server has changed, just is a heads-up for any funny business. Sure its got shortcommings, it doesnt mimmic headers and such but its a start.

It would be great if browsers could all, you know, have some type of distributed protocol, ie DHT where by at least some concensus about whether this cert has been seen by me or enough peers lately.

Having a ton of CAs and the ability to have any link in that chain sing for ANY site is crazy, and until you've seen examples of abuse you assume the foundations are sound.

[NoahZuniga]

> broken by some government agency or hacker group

Probably not. For browsers to accept this certificate it has to be logged in a certificate transparency log for anyone to see, and no such certificates have been seen to be logged.

[woodruffw]

One of the ideas behind short-lived certificates is to put certificate lifetimes within the envelope of CRL efficacy, since CRLs themselves don’t scale well and are a significant source of operational challenges for CAs.

This makes sense from a security perspective, insofar as you agree with the baseline position that revocations should always be honored in a timely manner.

[vbezhenar]

I'm not sure it is about security. For security, CRLs and OCSP were a thing from the beginning. Short-lived certificates allow to cancel CRLs or at least reduce their size, so CA can save some expenses (I guess it's quite a bit of traffic for every client to download CRLs for entire letsencrypt).