#soylent | Logs for 2025-12-05
[00:02:30] <kolie2> I mean that's done in the name of security - the cert lifetimes.
[00:02:39] <kolie2> https://www.digicert.com
[00:02:39] <systemd> ^ TLS Certificate Lifetimes Will Officially Reduce to 47 Days
[00:02:56] <chromas> Circling back to the start of the conversation ;)
[00:03:41] <kolie2> yea cert jacking is a thing.
[00:04:02] <kolie2> And too, not all certs are presented over DNS-validated channels.
[00:04:52] <kolie2> I think it would be entirely REASONABLE for browsers to not red flag self signed certs IF they have DNSSEC+DANE validation.
[00:05:08] <kolie2> It would be entirely optional, and not a replacement for CA land.
[00:11:14] <kolie2> The latency in the current model is often hidden or "cheated" (by stapling or soft-failing). DANE forces that latency to happen up front and strictly.
[00:19:54] <AlwaysNever> Currently, CAs validate certificates mainly using "domain validation" or "email validation"; both validation systems depend on plain old unencrypted DNS, therefore if unencrypted DNS is good enough for CA-issued certificates, it should be good enough to publish the public key of a self-signed certificate
[00:21:32] <AlwaysNever> but that would end the CA business, and the ability of States to impersonate websites via "amenable" CAs
[00:22:18] <kolie2> I wonder how many browsers support RFC9102 currently.
[00:23:06] <chromas> Probably neither of the only two important ones
[00:23:43] <kolie2> Chrome had it, but removed it.
[00:24:03] <chromas> Classic Chrome
[00:26:25] <kolie2> https://blog.apnic.net
[00:26:30] <systemd> ^ DNS-OARC 30: Bad news for DANE
[00:26:36] <chromas> My screen's been flashing white bars all day. Must have overbaited with StableDiffusion
[00:28:49] <AlwaysNever> I really wish Let's Encrypt would cease operation, for the entire Internet to feel the pain of the 30-day-duration certificates the CA/Browser Forum wants to impose
[00:29:26] <AlwaysNever> you will either pay up, or be expelled
[00:30:28] <chromas> Maybe ZeroSSL will do theirs for longer
[00:31:06] <chromas> I used them for a little bit for the free cert, but had to switch away because the server kept jacking off instead of giving cert
[00:31:22] <kolie2> I think the browser dudes will stop accepting expirations over TIME_IN_DAYS, slowly ratcheting lower till 47 days in 2029
[00:32:29] <AlwaysNever> they want people to buy their expensive "certificate automation" solution, only the Let's Encrypt ACME agent is fooling their plans
[00:32:42] <AlwaysNever> I say, let them win, let's share the pain
[00:48:02] <kolie2> I think the lower times are coming from the free cert peeps, not the incumbents.
[00:54:13] <kolie2> I think there is some false equivalency in saying they are using plain DNS to do domain validation AlwaysNever
[00:54:42] <kolie2> I get the point being brought - but there is a difference in vantage point.
[00:54:45] <AlwaysNever> but they are using plain DNS to validate cert requests
[00:54:57] <kolie2> When LE or DigiCert or the like verify the domain, they use a plain DNS TXT/A record right
[00:54:58] <kolie2> sure.
[00:55:21] <kolie2> The difference I think is how that is accomplished - the browser (victim) doing this in a coffee shop for example
[00:55:30] <kolie2> that DNS traffic goes through one pipe, the coffee shop router right
[00:55:43] <kolie2> if that router is malicious, ISP compromised, it lies, it spoofs DNS sure.
[00:55:54] <kolie2> The browser has a single easily compromised point of view.
[00:56:01] <kolie2> The CA though, they have god view.
[00:56:17] <kolie2> They don't just look up DNS - they do a multi perspective validation - LE for example
[00:56:32] <AlwaysNever> yes, but the it would be the push needed to migrate to DNSSEC
[00:56:44] <kolie2> They don't just check from their main server, they do DNS lookups from AWS, Google, Azure, servers in Europe, Asia, US; to spoof that CA check, they can't just hack a local router.
[00:56:51] <kolie2> It's BGP hijacking across the globe.
[00:57:01] <kolie2> I agree.
[00:57:27] <kolie2> The clear DNS stuff is also signed.
[00:57:51] <kolie2> Confidentiality vs integrity on that one.
[00:58:00] <AlwaysNever> also migrating to DNSSEC is mainly transparent to end users and IT operators, the problem is outsourced to the Hostmaster
[00:58:32] <kolie2> Are we talking strictly DNSSEC or DNSSEC+DANE
[00:59:09] <kolie2> I'd love to see both side by side. You want to sign with a CA, great, you want to self sign and issue dane, great.
[01:00:07] <AlwaysNever> DNSSEC is what would allow securely migrating to publishing the public key of self-signed certs in DNS; DANE is just one way to do that
[01:00:11] -!- bender has quit [Remote host closed the connection]
[01:00:21] -!- bender [bender!bot@Soylent/Bot/Bender] has joined #soylent
[01:01:22] -!- Loggie [Loggie!Loggie@Soylent/BotArmy] has joined #soylent
[01:01:41] <AlwaysNever> it already happens that the public key for DKIM is published in plain DNS
[01:02:33] <AlwaysNever> just let's do the same for SSL, and let's secure DNS with DNSSEC, that means only annoying the Hostmaster and not the whole IT ecosystem
[01:03:33] <AlwaysNever> and therefore, let's get rid of CAs selling their smoke and mirrors
[01:05:49] <AlwaysNever> because DNS is mainly managed by hosting providers and ISPs, they would bear the burden of DNSSEC, and not EVERYONE in IT
[01:07:00] <kolie2> that's DANE in a nutshell.
[01:08:27] <AlwaysNever> the CA ecosystem was a Netscape idea of 1995, and it is a hellish idea
[01:09:01] <AlwaysNever> then certs could last 10 years, so it was fine
[01:09:23] <AlwaysNever> it was a set-it-and-forget-it affair
[01:28:38] -!- AlwaysNever has quit [Read error: Connection reset by peer]
[02:26:19] -!- AlwaysNever [AlwaysNever!~donaldo@315.38.1.669.dynamic.jazztel.es] has joined #soylent
[03:06:06] -!- kyonko [kyonko!SOY@2001:5b0:50c6:tous:tgjo:tyvm:yrxn:hiou] has joined #soylent
[03:35:04] <kolie2> More inside baseball: https://soylentnews.org
[03:35:05] <systemd> ^ Journal of kolie (2622)
[08:01:33] -!- kyonko has quit [Read error: -0x1: ERROR - Generic error]