[dlcarrier]

That explains why one of my IoT vendors is using an expired certificate.

I wish Firefox would just give a mild warning for a recently expired certificate, instead of treating it the same as a true man-in-the-middle attach. It's not like someone who couldn't factor the private key in 200 days could in 201 days or even 300 days.

I'm convinced that we'd have better security, if we didn't have so much security theater. You'd think TLS is useless, from the warning my phone gives if I connected to a public Wi-Fi AP, but then again there's nothing in TLS (or WPA) that prevents it from being used in a way that is completely useless: https://www.youtube.com/watch?v=M1si1y5lvkk

[jaas]

> That explains why one of my IoT vendors is using an expired certificate.

I don't think so. There was a dip in success rates for 90 minutes today, but nobody should be renewing their certificate within 90 minutes of expiration. If you're at that point, something went wrong weeks ago.

[mannyv]

"nobody should be renewing their certificate within 90 minutes of expiration"

You obviously haven't worked with hardware guys.

"I mean, what's the point of those last 30 days if you need to renew it 30 days before expiration? Why not just renew it before it expires? If I'm required to renew it 30 days before the expiration date then the expiration date is a lie, isn't it?"

[ozim]

If they make 7 days grace period then expiration date will be a lie and of course every one will use grace period like it would be normal thing ;)

[NewJazz]

Roulette grace period, keep them on their toes.

[selcuka]

> If I'm required to renew it 30 days before the expiration date then the expiration date is a lie, isn't it?

Many countries won't let you enter if your passport expires less than 6 months after your planned departure date. Basically the effective validity of a passport is 0.5 years less than the period you pay for.

[LtWorf]

> weeks ago

How long do you think a certificate lives?

[jaas]

Mostly 90 days, and we recommend renewing at 60 days for 90 day certs. That gives more than four weeks of leeway.

If you're one of the few early adopters of short-lived (6-day) certs you should renew at 3 days, giving you 3 days for a successful renewal. A 90 minute outage, even if it was a full outage, would not interfere with a successful renewal.

[selcuka]

> If you're one of the few early adopters of short-lived (6-day) certs you should renew at 3 days

Apparently certificates are becoming OCSP-only with a TTL.

[nottorp]

How's the push for 48 hour certificates going?

[bebop]

90 days moving to 45 but you can and should renew earlier than that. Automating this process means that you should be request a new certificates roughly 60 days (or 30 soon) after the issuance of the previous certificate. That way you would have plenty of time to deal with renewal issues. The process for renewal should have back off and retries built in. This prevents a situation where a down time for the issuer means that your production environments are non-functional.

[Biganon]

They work at letsencrypt, I'm pretty sure they know.

[dingaling]

> I wish Firefox would just give a mild warning for a recently expired certificate

Nope, if the SSL industry continues to insist on increasingly short cert lifetimes then I want Firefox to give no quarter when a cert expires.

Play by their rules and fall by their rules too.

[mannyv]

Certificate expiry is less severe than an untrusted issuer or a host mismatch.

The former is most likely an administrative error (ie: someone forgot to renew, or the auto-renew is failing). The latter is more likely to be an MTM attack.

I'm not sure how you would use an expired cert as an attack vector. By loading in an old cert into an expired domain so you could spoof older content?

[mcpherrinm]

If a key is breached, the certificate can be revoked, but that revocation goes away once the certificate is expired.

Expiry is a pretty fundamental part of the security model of certificates.

[tgsovlerkhgsel]

Revocation information may not be available for expired certificates. Not that it matters much because the last time I checked revocation didn't really work for non-expired certificates either, but I think that (+ the risk of people treating expired certificates as worthless and thus increasing the risk of exposure) is the main reason.

Also of course domains changing owners, but again... I don't think we have good monitoring for that during the current long lifetime, so maybe a grace period where a warning is shown but it's easier to click through would be a good idea. Perhaps combined with a requirement to keep revocation information (and keep revoking expired certificates) X days past expiry.

[arcfour]

CRLs mostly still work for revoking non-expired certificates. They're a bit clunky, but they don't have to be: https://hacks.mozilla.org/2025/08/crlite-fast-private-and-co...

[MobiusHorizons]

How does that help? Seems like mostly the end user suffers.

[hannob]

There are reasons browsers do things the way they do.

Experience and user studies have shown that users have a hard time decoding what error messages mean. "This certificate is expired, but only for a little while" isn't meaningful for people who don't have a mental model of what a certificate is.

Furthermore, "downgrading" warnings increases the incentive to ignore issues, potentially causing more problems down the line.

[bruce511]

But it's only the extreme warning that alerts the website (usually via a customer complaining) that the cert hasn't been renewed. Having the lesser warning just kicks the can down the road.

The IoT should have updated the certs weeks in advance. If they haven't done it by day 0 then their process is broken and delaying the scary warning to say day +5 won't solve anything.

[lambdaone]

What might be better is to, in addition to failing hard when the certificate expires, web browsers were to give a 'soft' click-through user warning if the certificate on the site - while still within its validity period - has less than say 7 days to go before expiry.

That's probably long enough for most companies to be alerted to the problem in time and to get their act together to fix the problem.

[tgsovlerkhgsel]

A warning with a clear clickthrough button would work for alerting - the default TLS warnings are designed to be somewhat hard to bypass to make people think twice.

[bluesign]

What you want is warning when certificate expiry in next 7 days, then everyone would update before the warning.

[fragmede]

omg new tom7!