[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
iang
iang at iang.org
Fri Apr 18 16:03:42 EDT 2025
On 18/04/2025 16:46, Peter Gutmann wrote:
> Kent Borg <kentborg at borg.org> writes:
>
>> I also saw Schneier once say that there is no need for password bullet
>> characters because shoulder-surfing is no longer a big problem. Except it is
>> *because* of obscured password typing that shoulder-surfing is no longer such
>> a problem.
> And it's entirely because I wear leopard-proof underwear that I've never been
> attacked by a leopard out in the street (although I did see one eating
> someone's face once).
>
> Arguably, blanking passwords actually makes things worse because you never get
> to see the password you're typing, leading to both problems in memorising
> passwords that you never see and ease of exploitation by attackers when people
> mistype their passwords, don't realise it, and instead try various other
> passwords on the assumption that they've entered the wrong one for the site
> (both of those are from password studies, and there's several more problems
> that are created through password blanking). The real reason why they're
> blanked is because it was done that way on ASR-33s more than half a century
> ago and is now a required part of the login ceremony, along with getting three
> guesses at your password which is something I've never been able to find the
> origin of.
Not to mention, a lot of us are aging out, are half blind, have to pick
and poke at tiny buttons on hyper-sensitive mobile phones, have 1000
passwords recorded somewhere, and the errors this password bs generates
create a DOS all of its own.
All of this could have been bypassed if the browser/site system had
simply negotiated a single-site self-signed certificate. But, oh, no, we
can't encourage that because it will cause the chaos of ages, cute
puppies will die and CAs won't earn their rent.
iang