We have an unusual concern when we use Let's Encrypt
Chris Siebenmann raises concerns about Let's Encrypt's 6-day TLS certificates for large organizations like the University of Toronto, highlighting potential rate limit issues and risks of critical certificate expirations.
Chris Siebenmann discusses concerns regarding the implementation of 6-day TLS certificates by Let's Encrypt, particularly in the context of a large organization like the University of Toronto. While he is not worried about Let's Encrypt's overall service reliability, he expresses anxiety about potential rate limit issues that could arise due to the high volume of certificate requests from the university. In the past, the university faced challenges with Let's Encrypt's initial rate limits, but these were resolved with changes to the issuance policies. However, the introduction of shorter certificate lifetimes could exacerbate the risk of hitting rate limits, especially if multiple requests coincide or if there is an unexpected surge in usage. With the current 90-day certificates, there is ample time to address any issues, but the 6-day certificates leave little room for error, particularly if renewals coincide with holidays or weekends. This situation could lead to critical certificates expiring without a timely renewal, which is a concern not typically faced by smaller organizations with less variable certificate needs.
- Let's Encrypt is introducing 6-day TLS certificates, raising concerns for large organizations.
- The University of Toronto may face rate limit issues due to high certificate request volumes.
- Previous rate limit challenges were resolved, but shorter certificate lifetimes increase risks.
- Limited renewal time could lead to critical certificate expirations during holidays or weekends.
- Smaller organizations may not experience the same level of concern regarding certificate renewals.
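The two risks in the summary (a thin retry margin on 6-day certificates, and a fleet's renewal volume running into an issuance rate limit) are easy to quantify. The calculator below is an added example, not code from Chris Siebenmann's post or from Let's Encrypt; the renewal fraction of 2/3, the per-window rate-limit model and the sample timestamps are assumptions for illustration, and the real limits must be taken from Let's Encrypt's own documentation.

```python
"""Planning helpers for short-lived TLS certificate renewals (added example)."""
from datetime import datetime, timedelta

SIX_DAYS = timedelta(days=6)
NINETY_DAYS = timedelta(days=90)
# Assumption: the ACME client first attempts renewal at 2/3 of the lifetime,
# as many clients do by default. Everything after that point is retry margin.
RENEW_FRACTION = 2 / 3


def renewal_window(issued: datetime, lifetime: timedelta,
                   renew_fraction: float = RENEW_FRACTION):
    """Return (renew_at, expiry, margin): when the first renewal attempt
    happens and how much time is left for retries before the cert expires."""
    expiry = issued + lifetime
    renew_at = issued + lifetime * renew_fraction
    return renew_at, expiry, expiry - renew_at


def weekend_hours(start: datetime, end: datetime) -> int:
    """Whole hours in [start, end) that fall on Saturday or Sunday, i.e. hours
    in which a failing renewal is unlikely to get human attention (assumption)."""
    hours, t = 0, start
    while t < end:
        if t.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            hours += 1
        t += timedelta(hours=1)
    return hours


def projected_issuances_per_week(hosts: int, lifetime: timedelta,
                                 renew_fraction: float = RENEW_FRACTION) -> float:
    """Steady-state ACME issuances per 7 days for a fleet of `hosts` certificates
    that each renew every renew_fraction * lifetime."""
    renew_every_days = lifetime.total_seconds() / 86400 * renew_fraction
    return hosts * 7 / renew_every_days


def rejected_by_rolling_limit(timestamps, limit: int, window: timedelta):
    """Simulate an assumed 'at most `limit` issuances per rolling `window`'
    rule and return the requests that would be refused. Refused requests do
    not count toward the window in this model (assumption)."""
    accepted, rejected = [], []
    for t in sorted(timestamps):
        recent = [a for a in accepted if t - a < window]
        (rejected if len(recent) >= limit else accepted).append(t)
    return rejected


if __name__ == "__main__":
    issued = datetime(2025, 6, 2, 18, 0)  # constructed: a Monday evening
    for name, lifetime in (("6-day", SIX_DAYS), ("90-day", NINETY_DAYS)):
        renew_at, expiry, margin = renewal_window(issued, lifetime)
        wk = weekend_hours(renew_at, expiry)
        print(f"{name}: first attempt {renew_at:%a %Y-%m-%d %H:%M}, "
              f"margin {margin}, {wk}h of it on a weekend")
    for lifetime in (NINETY_DAYS, SIX_DAYS):
        print(f"1000 hosts, {lifetime.days}-day certs: "
              f"{projected_issuances_per_week(1000, lifetime):.0f} issuances/week")
    # constructed burst: several hosts renewing within minutes of each other
    burst = [datetime(2025, 6, 6, 18, m) for m in (0, 5, 10, 15)]
    burst.append(datetime(2025, 6, 6, 19, 30))
    print("refused:", rejected_by_rolling_limit(burst, limit=3, window=timedelta(hours=1)))
```

With a Monday-evening issuance, the 6-day certificate's first renewal attempt lands on Friday evening and 42 of its 48 margin hours fall on the weekend, whereas the 90-day certificate leaves 30 days of margin; the same 1000-host fleet also goes from roughly 117 to 1750 issuances a week, which is the volume that has to be checked against the actual rate limits.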
Related
Deutsche Telekom issued invalid certificates, hasn't revoked them since 6 months
Telekom Security faced delays in revoking TLS certificates, impacting critical infrastructures. Efforts were made to replace 336 certificates within 5 days, highlighting the need for faster procedures and customer sensitization. Mozilla raised concerns about the response, emphasizing the importance of compliance with industry standards.
Sysadmins rage over Apple's 'nightmarish' SSL/TLS cert lifespan cuts
Apple proposes reducing SSL/TLS certificate lifespans from 398 days to 45 days by 2027, aiming to enhance security, but system administrators are concerned about increased management workload and automation challenges.
TLS certificates were almost never particularly well verified
The article highlights weaknesses in TLS certificate verification, particularly reliance on manipulable WHOIS data, and suggests that while thorough verification is costly, there may be future improvements in the process.
Let's not Encrypt
The article critiques Let's Encrypt for creating a false sense of security, highlighting issues with certificate verification, automatic renewals, short validity, and concerns about its funding and long-term viability.
Short-Lived Certificates Coming to Let's Encrypt
Let's Encrypt will introduce six-day short-lived certificates next year to enhance TLS security by reducing key compromise exposure. The transition is expected to be seamless for subscribers due to automation.
The damage caused by having your resource become unusable I think in most or a lot of cases is greater than the damage caused by a key compromise. The first damage is absolute. It will happen if you don't recover in time. The second type of damage is hypothetical somewhat.
But okay, I expect that there are some use cases where the second sort of damage is more of a concern.