[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Ron Garret
ron at flownet.com
Thu Apr 24 21:15:00 EDT 2025
> On Apr 24, 2025, at 1:02 AM, Shreyas Zare via cryptography <cryptography at metzdowd.com> wrote:
>
> On 4/24/2025 1:42 AM, Ron Garret wrote:
>>> On Apr 22, 2025, at 5:32 PM, Paul Wouters <paul at nohats.ca> wrote:
>>>
>>> All the CAbal exists only because of browsers refusing to do DNSSEC,
>>>
>> How is DNSSEC going to help mitigate a MITM attack? If I MITM you, I don't need to spoof your DNS. All I need to do is re-route your traffic to my server. Without certificates, I can make my server indistinguishable from the server you are trying to talk to.
> It's DNSSEC+DANE that prevents MITM attacks [1]. A web browser supporting DANE won't be vulnerable to the attacks you imagine at all. I guess most people arguing against DNSSEC do not know that DANE exists.
That was true in my case. (Well, I knew it existed. I didn't realize that it was implicitly being included in DNSSEC advocacy.)
> On the other hand, with traffic re-routing, you can get an SSL/TLS cert from LE if you are on-path to the web server that the domain name resolves to [2]. And then use that cert to do MITM on people you lured to use your public hot spot.
That is a very different scenario than the one I was referring to. In order to get an LE cert you have to mount (at the very least) a BGP attack. That is a lot harder than setting up a public wifi hotspot, and beyond the capabilities of most script kiddies. If script kiddies could mount BGP attacks, the entire world economy would collapse overnight.
The problem with DANE is that no mainstream browsers support it. Fixing that is probably as challenging as fixing BGP.
There is another tacit assumption floating around here that might explain some of the disconnects in this discussion: there is a big difference between providing secure connections when you control both end points of the connection, and providing a secure connection when you only control one end point. If you control both ends and you don't like CAs there is a simple solution: don't use them. Just run your own CA and your own DNS and anchor your trust in your own root cert. Or run DANE. Or run your own home-grown protocol. Whatever.
The problem arises ONLY if you don't control one of the end points, i.e. if you want to run a server that you want someone to be able to access with a mainstream client. In that case, your options become much more limited, and DANE is not among them at the moment.
But the fact that CA security is only as strong as the weakest CA is a very valid concern. I think the best one could hope to do at the moment is to maintain their own list of trusted CAs and distribute that to the clients of their target audience, but even that would be a very tough sell for most people.
rg
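As an added example, not from this post or any of its participants: the DANE-EE (usage 3) TLSA matching that the thread relies on, written in Python with only the standard library. `parse_tlsa`, `tlsa_for_spki` and `tlsa_matches` are names chosen here, and the certificate and SubjectPublicKeyInfo bytes are constructed placeholders (in a real client the DER certificate comes from the handshake and the SPKI from an X.509 parser).

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed example: checks a DANE TLSA record (RFC 6698 / RFC 7671)
# against the certificate a client actually received in the TLS handshake.

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(presentation: str) -> TLSA:
    """Parse the zone-file form, e.g. '3 1 1 <hex>', validating each field."""
    parts = presentation.split(None, 3)
    if len(parts) != 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, matching = (int(p) for p in parts[:3])
    if not (0 <= usage <= 3 and 0 <= selector <= 1 and 0 <= matching <= 2):
        raise ValueError("unknown usage/selector/matching type")
    return TLSA(usage, selector, matching, bytes.fromhex(re.sub(r"\s+", "", parts[3])))

def tlsa_for_spki(spki_der: bytes) -> str:
    """Record an operator publishes for DANE-EE, pinning the server's own key ('3 1 1')."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()

def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented leaf certificate satisfies the TLSA association."""
    if record.usage != 3:
        # Usages 0-2 additionally require PKIX or DANE-TA chain validation,
        # which is out of scope here; DANE-EE needs no CA at all.
        raise NotImplementedError("only DANE-EE (usage 3) is handled here")
    subject = cert_der if record.selector == 0 else spki_der
    if record.matching == 0:
        return hmac.compare_digest(subject, record.data)
    digest = hashlib.sha256 if record.matching == 1 else hashlib.sha512
    return hmac.compare_digest(digest(subject).digest(), record.data)

if __name__ == "__main__":
    server_spki = b"constructed SPKI bytes of the legitimate server"
    server_cert = b"constructed DER certificate carrying " + server_spki
    record = parse_tlsa(tlsa_for_spki(server_spki))
    print(tlsa_matches(record, server_cert, server_spki))          # True
    # A certificate for any other key fails, whichever CA issued it.
    other_spki = b"constructed SPKI bytes of some other key"
    print(tlsa_matches(record, b"other cert", other_spki))         # False
```

The published record only has to be served over DNSSEC for the client to trust it, which is the coupling the thread describes: the pin replaces the CA, it does not add to it.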