[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029

[Ron Garret]

> On Apr 22, 2025, at 5:32 PM, Paul Wouters <paul at nohats.ca> wrote:
> 
> All the CAbal exists only because of browsers refusing to do DNSSEC,

How is DNSSEC going to help mitigate a MITM attack?  If I MITM you, I don't need to spoof your DNS.  All I need to do is re-route your traffic to my server.  Without certificates, I can make my server indistinguishable from the server you are trying to talk to.  Indeed, even *with* certificates I can make my server indistinguishable from the one you are trying to talk to, it's just that I won't be able to actually read any of the content of the exchange,  But without certificates, I can not only read the content (which is bad enough) but I can also *change* the content, which is even worse.  So if you log in to your bank while connected to my network, I can not only steal your credentials and take all your money, as long as you are connected to my network I can make it appear to you as if everything is perfectly normal.  I can even, if I'm clever and dedicated, intercept your IMAP traffic and hide or delete the emails that your real bank is sending you to verify that you are really trying to wire all your money to Panama.

*That* is what certificates protect against.  DNSSEC will not help you at all because as long as you are connected to my hot spot, I control the entire Internet from your point of view, not just DNS.

rg