[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Seth David Schoen
schoen at loyalty.org
Mon Apr 21 21:06:05 EDT 2025
Ron Garret writes:
> > On Apr 21, 2025, at 2:38 PM, iang via cryptography <cryptography at metzdowd.com> wrote:
> >
> > Which is (1) the evidence-free assertion. Are we protecting ourselves against a rainbow unicorn attack? It matters less if the defence works than if rainbow unicorns actually do attack.
>
> But you don't have to posit rainbow unicorns. All you need is a script kiddie with a Raspberry Pi, and those are not mythical creatures. It seems pretty implausible that no one would attempt MITM attacks if it were possible to conduct them with low effort and low risk.
An example that drove a fair amount of HTTPS adoption at the time was
Firesheep (2010)
https://en.wikipedia.org/wiki/Firesheep
which made it very easy to do cookie-stealing from HTTP connections on
the LAN. HTTPS defends against this well. HTTPS would still defend
against this well even if it didn't protect against active MITMs, but
then it seems plausible that we'd have a Firesheep+MITM equivalent tool.
There are lots of things out there with that functionality, and they could
probably be made as easy for a local attacker to use as Firesheep was,
if the victim wouldn't get a certificate warning as a result.
More information about the cryptography
mailing list