The Wayne ([personal profile] thewayne) wrote2024-10-16 10:12 am

Apple wants to cut security certificate lifetimes from a year to 45 days, Google to 90

Wow.

So first, a bit of a backgrounder, i.e., just WTF is a certificate?

In simple terms, it's a file that contains cryptographic key material. The internet and World Wide Web rely on these certificates to try to keep everything secure and to prevent people from spying on your information while it travels thousands of miles between servers and devices. They exist in your computers, smartphones and watches, tablets, TVs, DVD/Blu-ray players, Xboxes, WiFi devices: honestly it's probably hard to find electronic devices that communicate with other devices that don't have security certificates.

Here's the thing. Just like passwords, it's desirable that certificates be replaced to keep their security strong. You are encouraged to change your passwords, sometimes forced, and the same goes for certificates.

End of backgrounder.

Bad guys use the long lives of certificates to exploit software and operating system vulnerabilities. It's not easy, but it can be done. Typically a certificate is good for a little over a year, and from an IT crew's perspective, they're installed on servers and routers and switches and stuff. And most of it is automated...

And therein is the rub.

It isn't all automated. And updating certificates can be a major PITB when it isn't automated, and if the update goes bad, that device can stop working, can become inaccessible, and become a major headache to get it working again.

And now Apple and Google want to change that annual agony for IT departments everywhere to every 45 to 90 days?!

Now, I can see the point of A&G. Shortening the time that certificates live will reduce the window in which hackers can exploit some aspects of operating systems and other things. Once that certificate expires, lots of vulnerabilities cease being available to exploitation. But dealing with certificates is a delicate thing, and as I said, not every device lets you update its certificates automatically, and if the update fails, it can brick the device, requiring serious intervention.
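As an added example (not from the original post), here is the kind of monitoring check an IT crew would run to see how a certificate's validity period measures up against today's cap and the proposed 45- and 90-day caps, and whether renewal is already due. The self-signed certificate is constructed inside the code so it runs offline, and the "renew once a third of the lifetime remains" trigger is an assumption borrowed from common ACME client defaults, not a rule stated by Apple or Google.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Evaluate compares a certificate's validity period with a maximum-lifetime
// policy as of now. exceeds is true when the cert was issued for longer than the
// policy allows; renewDue is true once a third of the lifetime or less remains
// (assumed here, a common ACME client default), so a 45-day cert renews from day 30.
func Evaluate(cert *x509.Certificate, maxLifetime time.Duration, now time.Time) (exceeds, renewDue bool) {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	return lifetime > maxLifetime, remaining <= lifetime/3
}

// selfSigned builds a constructed test certificate valid for the given number of
// days, so the example runs offline; it stands in for a cert read from a server.
func selfSigned(notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	issued := time.Date(2024, 10, 16, 0, 0, 0, 0, time.UTC)
	cert, err := selfSigned(issued, 398) // a typical one-year-plus cert today
	if err != nil {
		panic(err)
	}
	exceeds, due := Evaluate(cert, 45*24*time.Hour, issued.AddDate(0, 0, 300))
	fmt.Println("398-day cert under a 45-day policy on day 300:", exceeds, due)
}
```

Swap the constructed certificate for one read from a keystore or fetched over TLS and run Evaluate against each fleet device on a schedule; anything that reports renewDue without an automated renewal path is exactly the manual work the post is worried about.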

YEESH! Makes me so glad that I never worked on that particular sector of security administration.


https://www.theregister.com/2024/10/15/apples_security_cert_lifespan/

https://www.chromium.org/Home/chromium-security/root-ca-policy/moving-forward-together/

https://apple.slashdot.org/story/24/10/15/2324206/sysadmins-rage-over-apples-nightmarish-ssltls-cert-lifespan-cuts
[personal profile] armiphlage 2024-10-16 11:10 pm (UTC)
And NIST no longer says changing passwords regularly is a best practice.
[personal profile] bibliofile 2024-10-17 03:25 am (UTC)
Wait, what?!

(Or are we supposed to be living in a post-password world, now? FFS)
[personal profile] armiphlage 2024-10-17 11:31 am (UTC)
If the database admin does their job correctly (following current best practices such as salting and hashing), then the position of NIST is that frequent password changes just encourage weak, easily-remembered passwords.

https://xkcd.com/463/
https://xkcd.com/936/
[personal profile] disneydream06 2024-10-16 11:43 pm (UTC)
Excuse me while my head goes swimming.
lol.........
Hugs, Jon
[personal profile] silveradept 2024-10-20 04:46 am (UTC)
That very much feels like a move done by companies that have the software talent to build automation of certificate renewal and issuance into everything they make, and almost no consideration at all for anyone who doesn't or didn't do that particular thing at the time and will be stuck having to do manual work (or somehow trying to see if they can generate a script to do it for them) as frequently as the changes are needed.