On 8/29/23 11:24, Grant Taylor wrote:
> On 8/29/23 10:07 AM, Tom Brennan wrote:
>> And you can specify an expiration far in the future.
> Remember, some web browsers are capping the limit on the lifetime of
> certificates they will work with.
> The browser producers have the advantage over the rest of us because
> they affect such a large percentage of consumer clients.
> When they say "certificates shall only last a year", there's little we
> can do about it, whether they're right or wrong.
They're wrong. They're at least "imperfect" in a conversation where
perfection is the goal. So ... they're wrong.
Shortening the viability lifetime brings hidden costs that the browser
makers either don't see or don't care about. (Covering their own arse.
They have no incentive to cover yours.)
By contrast, physical indicia (credit cards, driver licenses, and other
IDs that some of us cannot speak about) have lifetimes/expirations five
years out.
Shorter lifetimes for web site certs generate business for CAs and make
work for web site admins. The latter is increasingly error prone. But
higher frequency replacement is considered "more secure". It's like
killing the dogs and cats during the plague, when they were the natural
enemies of the true carriers of the disease.
We protect the wrong things. (And we kill the wrong critters.) We also
sprinkle such ideas as faster cert replacement and technology like
cryptography as if it's fairy dust magically making things better.
Crypto alone doesn't make your systems secure. Faster refresh does not
improve your posture all by itself.
Charles suggested snagging the private key from the CA. That's exactly
the kind of attack a smart adversary would take. It's way less expensive
and more likely to result in exfiltration of cleartext.
If the CA is breached, then the issued certs are just as invalid on day
one as they are on day 398. In that case, what has the shortened
lifetime bought us?
This is not to say that fast cycle advocates are idiots. Most of them
are prolly way smarter than I am. It's just that they stopped short of
solving the real problem. (And some of them are opportunists: if they
can get you to buy their wares in a panic, then they've made a pretty
penny and can retire sooner.)
I almost regret this note because I haven't really offered a solution.
Some say "security is a process". I hate that slogan, but it's kinda
true. I DO say that we're foolish to try and shrink-wrap security into
store-shelf remedies. There's no alternative to educating the staff.
-- R; <><
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
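The browser cap Grant refers to, and the "day 398" in R's reply, is the 398-day maximum validity that Apple, Chrome and Mozilla apply to publicly trusted leaf certificates issued on or after 1 September 2020. The script below is an added example for checking a certificate against that cap; it is not part of the IBM-MAIN thread and is not anyone's production tooling. It assumes the 398-day figure, consumes the two lines printed by `openssl x509 -in cert.pem -noout -dates`, and uses constructed sample outputs rather than real certificates.

```python
"""Check a TLS certificate's validity period against the browser lifetime cap.

Added example, not part of the IBM-MAIN message above. Assumes the 398-day
maximum that Apple, Chrome and Mozilla enforce for publicly trusted leaf
certificates issued on or after 2020-09-01, and parses the output of
`openssl x509 -in cert.pem -noout -dates`. Sample outputs are constructed.
"""
from datetime import datetime, timezone

# Browser cap in days (assumption stated in the lead-in).
MAX_LEAF_LIFETIME_DAYS = 398

# openssl prints e.g. "notAfter=Feb  2 00:00:00 2025 GMT"
_OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"

# Constructed samples of `openssl x509 -noout -dates` output (not real certs).
ONE_YEAR_DATES = "notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter=Dec 31 00:00:00 2024 GMT\n"
TWO_YEAR_DATES = "notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter=Jan  1 00:00:00 2026 GMT\n"
CAP_EDGE_DATES = "notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter=Feb  2 00:00:00 2025 GMT\n"


def parse_openssl_dates(text: str) -> tuple[datetime, datetime]:
    """Parse the notBefore/notAfter lines from `openssl x509 -noout -dates`."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), _OPENSSL_DATE_FMT)
            found[key] = parsed.replace(tzinfo=timezone.utc)
    missing = {"notBefore", "notAfter"} - set(found)
    if missing:
        raise ValueError(f"missing {sorted(missing)} in openssl output")
    return found["notBefore"], found["notAfter"]


def lifetime_days(not_before: datetime, not_after: datetime) -> int:
    """Validity period as whole days between notBefore and notAfter."""
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    return (not_after - not_before).days


def check_lifetime(text: str, cap_days: int = MAX_LEAF_LIFETIME_DAYS) -> dict:
    """Return the lifetime and whether a capped browser would refuse the cert."""
    not_before, not_after = parse_openssl_dates(text)
    days = lifetime_days(not_before, not_after)
    return {
        "not_before": not_before.date().isoformat(),
        "not_after": not_after.date().isoformat(),
        "days": days,
        "exceeds_cap": days > cap_days,
    }


if __name__ == "__main__":
    samples = (
        ("one year", ONE_YEAR_DATES),
        ("two years", TWO_YEAR_DATES),
        ("398 days", CAP_EDGE_DATES),
    )
    for label, sample in samples:
        result = check_lifetime(sample)
        verdict = "rejected by capped browsers" if result["exceeds_cap"] else "accepted"
        print(f"{label:>9}: {result['days']} days -> {verdict}")
```

The check only measures a number of days, which is the point R makes: it says nothing about whether the key behind the certificate has been compromised, and a certificate issued from a breached CA passes it on day one exactly as it does on day 398.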