[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029

Andrew Lee andrew at joseon.com
Thu Apr 17 12:04:19 EDT 2025


On Apr 17, 2025, at 3:13 AM, iang <iang at iang.org> wrote:
> 
> 
> That causality should be shown not manifestly assumed. Although 
> heretical, it is instructive to ask how many of these rampant MITM 
> attacks actually happen. There is a perfect stability where there are 
> zero MITM attacks and the certificate system works perfectly to prevent 
> them.

Exactly, and the answer regarding MITM attacks is quite a ways distant from zero.

> Much the same thing happened with cafe wifis - there 
> were a few anecdotal reports of sniffers, but no apparent MITM business 
> model emerged (probably for the obvious reasons).
> 

There were a number of promiscuous network cards and Wireshark instances hovering around at one point, but the proliferation of “VPN services” helped to mitigate somewhat (or at a minimum prevented the local wifi adversary).

> If you go back into the history of the thing, the evil MITM was like a 
> religious devil that was much talked about and never seen. And when the 
> first real MITMs turned up around 2003 (they called themselves phishers) 
> they bypassed the certificate system so cleanly that nobody much 
> noticed. In fact, some of them experimented with falsely acquired certs 
> but gave that up and just used raw HTTP.
> 

I would go even further and say that the phishermen actually used the “trusted green lock” to make their phishing pages look more legitimate. Setting up a Cloudflare-style honeypot/MITM reverse proxy system is a school-kid level trivial exercise after all, as long as it’s not a massive multiuser global honeypot of course :P

> Which surfaces the real harm of the certificate industrial complex - 
> when real attackers turned up, the certificate system got in the way of 
> efforts to evolve new security methods.

> 
> In short, the certificate system was a mostly harmless fashion statement 
> until actual attackers turned up. Then it turned into a millstone around 
> the necks and caused us a LOT of cost. But no matter, the certificate 
> industrial complex will continue to fiddle around with the numbers of 
> days and block real security work until some cataclysm comes and cleans 
> it out.
> 
> iang
> 


My sentiments exactly through and through, and thank you for taking the time to publish such a thoughtful response. It’s important that those of us on this mailing list, who not only care and have the will, but also have the skill to do something about it, understand the mission itself.

Even a single failure is the end of a ‘secure’ system.

In the case of the certificate industrial complex, it is completely authentication theater. Regulation needs to GTFO the private space and anyone for it is clearly a spook or has some vested interest in said certificate industrial complex (racket and cabal sound more accurate to me when I analyze the dictionary, but I like this nomenclature too).

Technology evolves when there are no blocks in place - and you can see it in other sectors.

There were some arguments about # of round trips/speed/whatnot in terms of various web requests. I can understand that. But, give me one good argument for not adopting something different and better (single truth blockchain, or at the least a multi signer system, etc). Certainly, you can’t use the same argument.

The only one I can think of is the CEO/Shareholders of these CAs going ‘but muh lambo’ as they vroom off without having even output as much as Hello World in their computer career.

Anyway, this ‘certificate industrial complex’ really needs to be dealt with. How many MITMs happened and nobody was sued for it? There’s nobody to take responsibility and blame for a broken system but there is someone taking responsibility for control of progress therein. It’s too confusing for the non technically-literate people who were injured to realize that you could actually sue someone due to the monstrous blur of organizational structure so nobody did it. So sad.

Can’t get any worse.

If someone/a third party entity can be simply socially engineered to reduce your own cryptographic security and authenticity, then you’re doing it wrong. Plain and simple.

It’s actually a pretty serious disappointment to even see that there was even a single defender of the industrial complex, but everyone can learn. You only stop learning when you’re done - and nobody here is done, because we’re here to do - to improve the human condition with cryptography.

Thanks again iang for your thoughtful response and for making sure people wake up and realize what the situation has been.

- Andrew

