undefined | Better HN

0 points8organicbits3y ago0 comments

When a certificate expires, it can be removed from the CRL. If certificates never expire then the CRL grows without bound.

Also, checking CRL is implemented in different ways. Some checks may be "soft", where a connection failure to the CRL is ignored. You probably want this anyway, if the CRL goes offline you don't want the internet to break. An expiry check, on the other hand, works as long as your clock is accurate.

0 comments

moremetadata3y ago

You are forgetting something.

If you want to reinstall some old software, lets say MS Small Business Server 2000 or Small Business Server 2003 today, the certificates in the installation files prevent the installation of said software. So you wouldnt even get as far as being able to remove any certs.

Your only recourse is change the system date and time back to before the certificates in installation files would have expired.

Besides being a stealth way to prevent old software from being reinstalled, it narrows down the window of opportunity for hackers.

I used to automatically issue certs for my own servers which lasted 24hr's because if a hacker had got in to my system without me knowing which is a real possibility, at least an expired cert being used by someone else would highlight this problem.

As it happened, despite locking everything down to packet level and controlling the packets, my devices were just prevented from getting online. My ISP at the time TalkTalk had a very responsive system, issuing new IP address every 2 seconds in a bid to prevent me from hosting a website, with a domain name using dynamic ip address domain name service.

There is way more surveillance than most people realise at least here in the UK.

Thorrez3y ago

>If you want to reinstall some old software, lets say MS Small Business Server 2000 or Small Business Server 2003 today, the certificates in the installation files prevent the installation of said software. So you wouldnt even get as far as being able to remove any certs.

I think at least in some cases it'll still work. What matters is that the signature was created while the cert was still valid, not that the installation happens when the cert is valid. How do we prevent backdating attacks? By using a separate timestamp signature.[1]

TLS is different. It requires the cert-holder (aka webserver) to be online at all times. You don't need to be able to validate a signature created in the past. So TLS doesn't have this problem and thus doesn't need its solution (timestamp signatures).

[1] https://stackoverflow.com/a/3428386

t0mas883y ago

What? 2 seconds? That sounds crazy. It either breaks ongoing connections or wastes addresses since you would have to keep your old one until all connections are closed.

derefr3y ago

It probably wasn't really "issuing a new IP address" per se, but rather CGNAT, where your apparent IP from the perspective of an IP reflector would be the IP of whichever NAT gateway your outgoing connection had been round-robin-load-balanced onto. Under CGNAT, you don't really have any single public IP; or rather, in another sense, you (and 100k other people) "have" all N public IPs at once — just like devices on a NATed home network all share the one IP address assigned to the gateway router in front of the NAT, and would all "have" multiple addresses if that gateway-router were multi-homed.

1 more reply

SAI_Peregrinus3y ago

Code signing certificates are NOT TLS certificates. Old code signing certs are an entirely different issue from old TLS server certs.

j / k navigate · click thread line to collapse