undefined | Better HN

0 pointscrote1y ago0 comments

Stuff like this is why some parties have been calling for increasingly-shorter cert validity. When a cert is valid for several years it allows companies to develop an increasingly complex workflow around deploying them, sometimes taking weeks and involving dozens of parties to roll them out. This is in turn used as an excuse by CAs to completely ignore the industry standards.

Those SaaS vendors probably shouldn't be doing cert pinning to begin with. If you don't trust your root store either implement support for CAA or DANE, no need to roll out your own workflow. Those hardware devices should either 1) not use publicly trusted certs, 2) renew their own certs, or 3) have an API to automatically update certs.

The only reason they're still getting away with it is because doing it manually once a year isn't horribly painful. If 90-day validity becomes the industry standard, pain-free certificate renewal turns into a must-have for all new contracts.

0 comments

CaliforniaKarl1y ago

> Stuff like this is why some parties have been calling for increasingly-shorter cert validity. When a cert is valid for several years it allows companies to develop an increasingly complex workflow around deploying them, sometimes taking weeks and involving dozens of parties to roll them out. This is in turn used as an excuse by CAs to completely ignore the industry standards.

"several years"? The certs we are getting have one-year lifetimes. It used to be two years, but was reduced to one year some time ago (I don't remember exactly when).

Also, I don't think the problem is cert lifetimes, I think the problem is having so many certs expiring all at the same time. A lot of IT folks are coming off the major pain of the CrowdStrike crash. This is similar: You suddenly have a very large number of certificates that are going to stop working in less than 24 hours, and you have to respond.

Sure, you could say "Well, companies should be resourced to be able to handle that at any point." Except that's not the reality right now.

devrand1y ago

I think they're suggesting that 1 year certificates are still at the point where people can just manually rotate them as they expire. If you keep reducing the lifespan, to say 90 days, that starts to tip the scale. You'll be spending too much human time manually rotating certificates that it will make financial sense to just automate the process.

If the process is automated then revocation can be automatically handled as well (so long as ARI gains traction).

nickf1y ago

90 day certificates will be here soon, and moving to shorter lifetimes from there.

devrand1y ago

Heck, subscribers could go to 10 day certs today (soon 7) and be immune from revocation entirely.

icedchai1y ago

I work with customers that typically take 3 or 4 days to either acquire or renew a cert. Even though they are on one of the major cloud provider with automated certs, they refuse to use those mechanisms due to policy. They would rather send everything, including private keys, through email. They also take several days, sometimes weeks, to update a DNS entry. Welcome to modern IT.

alex347781y ago

Trying to deploy SaaS apps for customers it sometimes takes 3-4 weeks to get them to make any DNS changes, then at the last minute they CC us into an email with SquareSpace support for some reason (their DNS is on Cloudflare...)

icedchai1y ago

I believe it. It's insane how long some of this stuff takes.

alex347781y ago

I think the issue is less with SaaS vendors doing cert pinning and more that many SaaS vendors offering deploying on customer domains often rely on those same customers to make the DNS changes for validation, and whenever you introduce another party like that it's exponentially more difficult to actually get things done in a timely matter.

IMO they should just use HTTP challenges to avoid this whole thing, but it's a pretty common pattern I see with a lot of SaaS vendors, even major fintechs.

devrand1y ago

That's one option. Alternatively, they could just delegate the _acme-challenge with a CNAME.

If clientportal.somebank.com is actually run by somesaas.com, they can define CNAME _acme-challenge.clientportal.somebank.com --> [some_key].domainvalidations.somesaas.com

When the SaaS vendor needs to request a new cert, they set the appropriate TXT record on [some_key].domainvalidations.somesaas.com.

j / k navigate · click thread line to collapse

0 comments

CaliforniaKarl1y ago

"several years"? The certs we are getting have one-year lifetimes. It used to be two years, but was reduced to one year some time ago (I don't remember exactly when).

Sure, you could say "Well, companies should be resourced to be able to handle that at any point." Except that's not the reality right now.

devrand1y ago

If the process is automated then revocation can be automatically handled as well (so long as ARI gains traction).

nickf1y ago

90 day certificates will be here soon, and moving to shorter lifetimes from there.

devrand1y ago

Heck, subscribers could go to 10 day certs today (soon 7) and be immune from revocation entirely.

icedchai1y ago

alex347781y ago

icedchai1y ago

I believe it. It's insane how long some of this stuff takes.

alex347781y ago

IMO they should just use HTTP challenges to avoid this whole thing, but it's a pretty common pattern I see with a lot of SaaS vendors, even major fintechs.

devrand1y ago

That's one option. Alternatively, they could just delegate the _acme-challenge with a CNAME.

If clientportal.somebank.com is actually run by somesaas.com, they can define CNAME _acme-challenge.clientportal.somebank.com --> [some_key].domainvalidations.somesaas.com

When the SaaS vendor needs to request a new cert, they set the appropriate TXT record on [some_key].domainvalidations.somesaas.com.

j / k navigate · click thread line to collapse