this post was submitted on 16 Oct 2024
176 points (90.7% liked)

Technology

58719 readers
4914 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
176
Sysadmins slam Apple’s SSL/TLS cert lifespan cuts (www.theregister.com)
submitted 1 day ago by [email protected] to c/[email protected]
74 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 23 hours ago (2 children)

As someone who creates custom domain name applications, FUCK THEM WITH A PINEAPPLE SPIKY SIDE FIRST. This problem is on par with timezones for needless complexity and communication disasters. Companys and advertisers are now adding man in the middle certs for additional data collection/visibility. If the ciphers not cracked, changing the certs exposes significantly more failure, than letting one get a little stale.
Sysadmin used slam! It's super effective!

[–] [email protected] 3 points 10 hours ago (1 children)

Why not just autorenew on a schedule?

I use Lets Encrypt, and my certs get renewed automatically without me thinking about it.

[–] [email protected] 3 points 7 hours ago (1 children)

Mostly customer provided certs, high end clients make all kinds of stupid requests like the aforementioned man-in-the-middle chain sniffers, clients that refuse DNS validation, clients that require alternate domains to be updated regularly. Management is fine for mywebsite.com, but how are you solving an EV on the spoofed root prod domain, with an sso cert chain for lower environments on internal traffic that is originally provided by a client? And do you want the cs reps emailing each other your root cert and (mistakingly) the key? I've been given since SCARY keys by clueless support engineers. I don't want to do this every 3 months.

[–] [email protected] 1 points 6 hours ago (1 children)

Sounds like a change in company policy, because AFAIK, there's no good reason for pretty much any of that.

[–] [email protected] 2 points 6 hours ago

Sounds like you don't do contact negotiations, if someone will pay 2 million to appear on their root domain, you'll sit down and figure it out for a couple hours.

[–] [email protected] 3 points 19 hours ago (1 children)

Unrelated to the topic, but I deal with a database storing timestamps.

In local time.

For systems all around the world.

You'll see current entries timestamped 12:28 from eastern Europe followed by ones 6:28 from America and then another 11:28 from central Europe.

Without offset.

[–] [email protected] 4 points 10 hours ago

Ew. Just store UTC timestamps and do optional translation on the client using whatever the client sets up for their timezone. It's not hard...