this post was submitted on 16 Oct 2024

176 points (90.7% liked)

Technology

58719 readers

4914 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

[email protected]

176

Sysadmins slam Apple’s SSL/TLS cert lifespan cuts (www.theregister.com)

submitted 1 day ago by [email protected] to c/[email protected]

74 comments fedilink hide all child comments

(page 2) 24 comments

sorted by: hot top controversial new old

[–] [email protected] 7 points 1 day ago

time to shine for DANE (actually no since the world sucks)

[–] [email protected] 15 points 1 day ago (8 children)

spending $300 every 90 days instead of 365 days is so much better /s

i hate apple so much

load more comments (8 replies)

[–] [email protected] 15 points 1 day ago (1 children)

Smells like Apple knows something but can’t say anything. What reason would they want lifespans cut so short other than they know of an attack vector that means more than 10 days isn’t safe?

AFAIK they’re not a CA that sells certs so this can’t be some money making scheme. And they’ll be very aware how unpopular 10 day lifespans would be to services that suck and require manual download and upload every time you renew.

[–] [email protected] 4 points 1 day ago

This'll never happen. The rest of the computing world will just say "nah, get fucked"

[–] [email protected] 3 points 1 day ago (1 children)

Sounds like free money for all those certificate authorities out there. Imma start my own CA with blackjack and hookers.

[–] [email protected] 8 points 1 day ago

Or... They do what they did last time the lifetime was cut down from 3-10 years down to 395 days... Just issue you a new certificate when the old one runs out and up to whatever the time period you bought it for...?

Let's Encrypt isn't the only CA to use ACME, you can auto renew with basically any CA that implemented it (spoiler: most of them have)

[–] [email protected] -3 points 1 day ago (1 children)

Good, certificates should be automated anyways. Much more reliable than the once yearly outages because nobody renewed the thing or forgot some systems.

[–] [email protected] 24 points 1 day ago (2 children)

Good, certificates should be automated anyways.

The problem being when that can't be easily automated? Did you read the article?

[+] [email protected] -7 points 1 day ago (3 children)

They should be automated too.

The fact that I can't use terraform to automatically deploy certs to network appliances is a problem.

[–] [email protected] 5 points 1 day ago (1 children)

Ugh. Righteous ideas about how things should work don't change the fact that these network appliances doing it the wrong way still have years of time left before the bean counters consider them depreciated and let us replace them. Or that we're locked into a multi-year contract with this business system that requires updating certs through a web UI.

Yes, there are almost always workarounds and ways to still automate it in the end, but then it's a matter of effort vs stability vs time savings.

I love automating manual sysadmin actions, it's my primary role on my team. Still, ignoring the complications that will unavoidably arise in trying automating this for every unique setup is incredibly foolish.

[–] [email protected] -4 points 1 day ago

By this logic, we should still be using copper phone lines, analog TV, and 3G should never get switched off. Obviously there are always budget constraints but technological progress does not wait for shitty vendors.

I work mainly in cloud and Kubernetes environments where this stuff is already automated. New vendors are often just deploying new containers into a cluster.

[–] [email protected] 7 points 1 day ago* (last edited 1 day ago) (1 children)

Technically, you shouldn't even deploy certs to network appliances or servers but they should fetch certificates automatically from a vault. I know there's minimal support for such things right now from some vendors, but that should be fixed by those vendors.

Even Microsoft supports such solutions in Azure both with PaaS components and Windows and Linux servers (in Azure or onprem) via extensions

[–] [email protected] 4 points 1 day ago* (last edited 1 day ago)

True.

cert-manager is an amazing tool for deploying certificates for containerized applications. There's no standardized way to deploy those certs outside of containers without scripting it yourself though, unfortunately.

load more comments (1 replies)

[–] [email protected] -3 points 1 day ago

Good incentive for the provider to fix it or go out of business.

load more comments