undefined | Better HN

0 pointsSateallia1y ago0 comments

I got every self-hosting sysadmin I know to run certificate monitors for sites they maintain but it certainly isn't a common thing to do. I know Cloudflare has a beta certificate monitoring feature which would certainly help a lot with this problem considering their market share if they enable it by default. (Although one problem with this is that they issue backup certificates from other CAs so it'd easily trigger warning fatigue!)

(I wasn't aware of your credentials when I made my previous comment so I assumed you didn't know about mandatory certificate transparency which is a mistake on my part, sorry! I'll make sure to check profile about sections before I assume again.)

0 comments

amluto1y ago

> Although one problem with this is that they issue backup certificates from other CAs so it'd easily trigger warning fatigue!

Indeed, the fact that Cloudflare emails out CT warnings due to their own backup certs is rather embarrassing.

schoen1y ago

Yeah, I think it's tricky to know how most sysadmins could make good decisions about this information, especially when misissuance is likely to be less than 1% of 1% of all CA issuance and automated renewal is working properly. Warning fatigue is a pretty big deal here!

Also, we made Certbot randomize the subject key by default every time it renews, so you have a huge amount of churn in subject keys, so you can't just say "oh, well, this public key has been used for a long time, so it's probably correct!". Every subject key is typically new and is unrelated to every previous subject key.

I hope that won't turn out to have been a poor trade-off. (We thought it was good to have more turnover of keys in order to reduce the impact of successfully stealing or cryptographically attacking one.)

j / k navigate · click thread line to collapse