mersenneforum.org  
Old 2016-01-26, 23:12   #12
Madpoo

Quote:
Originally Posted by Madpoo
...
Let's Encrypt does the basic DNS verification... nothing more. It's good enough, and it's low cost to them.
...

I'm going to suck it up and correct myself... they verify by either having the requester add a specific DNS record (proving they actually control that domain) or by adding a resource to the root website for the domain.

Shows what I know... last time I looked at it was summer last year and I forgot some of those details. Whoops.

All that other junk (now that I'm refreshing my memory) about the client and auto-refreshing... bah, I didn't care about all that junk. If you can't figure out how to create a request and submit it I guess they're trying to make it all easier, but whatever.
Old 2016-01-28, 02:29   #13
frmky

In related news, NFS@Home now supports SSL.
Old 2016-01-29, 16:26   #14
jasonp

Quote:
Originally Posted by frmky
In related news, NFS@Home now supports SSL.

Why a certificate with a 3-month lifetime?
Old 2016-01-29, 17:29   #15
lavalamp

Quote:
Originally Posted by jasonp
Why a certificate with a 3-month lifetime?

This seemed odd to me as a year would seem like the standard length.

Here is some discussion on it:
https://community.letsencrypt.org/t/...lifetimes/4621

Old 2016-01-30, 06:53   #16
frmky

Quote:
Originally Posted by jasonp
Why a certificate with a 3-month lifetime?

No clue, but unlike Aaron I have no desire to figure out the format to submit a renewal request and am happy to let a daily cron job (as they suggest) do it for me. Here's hoping it just renews itself as promised. We'll see in 2 months.
Old 2016-02-01, 04:53   #17
Madpoo

Quote:
Originally Posted by lavalamp
This seemed odd to me as a year would seem like the standard length.

Here is some discussion on it:
https://community.letsencrypt.org/t/...lifetimes/4621

I agree with every single one of these cons:
Quote:
Cons:
  • Automated issuance is not yet supported in lots of popular web servers (Azure and IIS in particular).
  • Common non-HTTPS servers (IRC, mail, VPN) may require a restart to load new certificates. Ninety-day certs mean six server restarts per year instead of one, interrupting long-lived connections more frequently.
  • Automated deployment of renewed certificates to routers, firewalls, and Internet of Things devices is difficult.
  • Some operators choose not to run any automated renewal software on their servers. Manually renewing every 60 days is burdensome.
  • More frequent renewals increase the chance that a renewal may fail repeatedly for 30 days while an operator is unavailable, leading to an outage.
  • The official client's renewal implementation still needs work.
  • Some people consider encouraging automated issuance and renewal to be scope creep for Let's Encrypt.
I do NOT agree with any of the supposed pros:
Quote:
Pros:
  • When an attacker compromises a certificate's private key, they may bypass revocation checks and use that certificate until it expires. Shorter lifetimes decrease the compromise window in situations like Heartbleed.
  • Offering free certificates with a shorter lifetime provides encouragement for operators to automate issuance. Automated issuance decreases accidental expiration, which in turn may reduce warning-blindness in end-users.
  • Let's Encrypt's total capacity is bound by its OCSP signing capacity, and LE is required to sign OCSP responses for each certificate until it expires. Shorter expiry period means less overhead for certificates that were issued and then discarded, which in turn means higher total issuance capacity.
So, yeah, they really screwed up the implementation.
Old 2016-02-01, 09:31   #18
xilman

Quote:
Common non-HTTPS servers (IRC, mail, VPN) may require a restart to load new certificates. Ninety-day certs mean six server restarts per year instead of one, interrupting long-lived connections more frequently.

Severe security holes which require a restart are actually quite common --- assuming you are paying attention of course. One restart per annum strongly suggests that you are not paying attention.

Anyway, 6*90 is markedly greater than 365.25
Old 2016-02-01, 13:41   #19
lavalamp

Quote:
Originally Posted by xilman
Anyway, 6*90 is markedly greater than 365.25

I think the recommendation is to auto-renew every 2 months.
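The 90-day lifetime and roughly 60-day renewal cadence discussed in this thread, as an added example that is not code from the thread, from Let's Encrypt or from its client: a Go check of the kind a daily cron job would run, which issues a constructed self-signed certificate and then classifies it from its NotAfter field as fresh, due for renewal, or expired. The hostname, the 30-day renewal threshold and the Ed25519 key are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// Numbers from the thread: 90-day certificates, renewed with 30 days left
// (roughly every 60 days). Both are assumptions of this example.
const (
	CertLifetime      = 90 * 24 * time.Hour
	RenewBeforeExpiry = 30 * 24 * time.Hour
)

// NewTestCert builds a constructed self-signed certificate valid for lifetime
// from notBefore, standing in for what a CA would issue.
func NewTestCert(host string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parse, as a checker reading a PEM file would
}

// Check returns the action a daily renewal job should take at time now,
// judged from the certificate's NotAfter field alone (not a remembered issue date).
func Check(cert *x509.Certificate, now time.Time) string {
	switch {
	case !now.Before(cert.NotAfter):
		return "expired" // clients are already failing
	case cert.NotAfter.Sub(now) <= RenewBeforeExpiry:
		return "renew" // inside the 30-day window: attempt renewal today
	}
	return "fresh" // nothing to do
}
```

Because the decision is driven by NotAfter rather than by a locally stored issue date, the same check keeps reporting "renew" every day a renewal attempt fails, which is the 30-day margin the thread's cons list describes.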