
posted by janrinok on Monday February 24 2020, @07:05PM   Printer-friendly
from the honestly,-it's-for-your-own-good... dept.

Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months:

Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. That means websites using long-life SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple's browser.

The policy was unveiled by the iGiant at a Certification Authority Browser Forum (CA/Browser) meeting on Wednesday. Specifically, according to those present at the confab, from September 1, any new website cert valid for more than 398 days will not be trusted by the Safari browser and instead rejected. Older certs, issued prior to the deadline, are unaffected by this rule.

By implementing the policy in Safari, Apple will, by extension, enforce it on all iOS and macOS devices. This will put pressure on website admins and developers to make sure their certs meet Apple's requirements – or risk breaking pages on a billion-plus devices and computers.

[...] Shortening the lifespan of certificates does come with some drawbacks. It has been noted that by increasing the frequency of certificate replacements, Apple and others are also making life a little more complicated for site owners and businesses that have to manage the certificates and compliance.

"Companies need to look to automation to assist with certificate deployment, renewal, and lifecycle management to reduce human overhead and the risk of error as the frequency of certificate replacement increases," Callan told us.

We note Let's Encrypt issues free HTTPS certificates that expire after 90 days, and provides tools to automate renewals, so those will be just fine – and they are used all over the web now. El Reg's cert is a year-long affair so we'll be OK.

GitHub.com uses a two-year certificate, which would fall foul of Apple's rules though it was issued before the cut-off deadline. However, it is due to be renewed by June, so there's plenty of opportunity to sort that out. Apple's website has a year-long HTTPS cert that needs renewing in October.

Microsoft is an interesting one: its dot-com's cert is a two-year affair, which expires in October. If Redmond renews it for another two years, it'll trip up over Safari's policy.
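As an added example (not code from the article, Apple or any of the sites named), the rule above expressed as a check over the dict shape that Python's `ssl` module returns from `getpeercert()`, so it can be run against a live peer certificate; the sample certificates below are constructed to mirror the cases the article walks through:

```python
"""Flag certificates that Safari would reject under the policy in the article:
issued on or after 1 September 2020 AND valid for more than 398 days."""
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 398                              # Apple's limit per the article
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)   # rule applies to certs issued from this date


def _utc(cert_time: str) -> datetime:
    """Convert getpeercert()'s 'Mon DD HH:MM:SS YYYY GMT' string to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def lifetime_days(cert: dict) -> int:
    """Validity period in whole days; the article's 'creation date' is notBefore."""
    return (_utc(cert["notAfter"]) - _utc(cert["notBefore"])).days


def safari_rejects(cert: dict) -> bool:
    """True only when the cert is both issued after the cutoff and longer-lived than 398 days.
    A long-lived cert issued before the cutoff (the GitHub case) is not affected."""
    return _utc(cert["notBefore"]) >= CUTOFF and lifetime_days(cert) > MAX_LIFETIME_DAYS


# Constructed sample certificates (not real ones), modelled on the article's cases.
SAMPLES = {
    "letsencrypt-90d": {"notBefore": "Oct 10 00:00:00 2020 GMT", "notAfter": "Jan 08 00:00:00 2021 GMT"},
    "old-two-year":    {"notBefore": "Jun 10 00:00:00 2020 GMT", "notAfter": "Jun 10 00:00:00 2022 GMT"},
    "new-two-year":    {"notBefore": "Oct 10 00:00:00 2020 GMT", "notAfter": "Oct 10 00:00:00 2022 GMT"},
    "new-398d":        {"notBefore": "Oct 10 00:00:00 2020 GMT", "notAfter": "Nov 12 00:00:00 2021 GMT"},
    "new-399d":        {"notBefore": "Oct 10 00:00:00 2020 GMT", "notAfter": "Nov 13 00:00:00 2021 GMT"},
}


def audit(certs: dict) -> dict:
    """Map each name to whether Safari would reject that certificate."""
    return {name: safari_rejects(c) for name, c in certs.items()}


if __name__ == "__main__":
    for name, c in SAMPLES.items():
        print(f"{name:16} {lifetime_days(c):4d} days  rejected={safari_rejects(c)}")
```

Against a live site, pass the dict from `ssl.SSLSocket.getpeercert()` straight into `safari_rejects`; the 398-day boundary case is included because the rule is "more than 398 days", so exactly 398 still passes.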


  • (Score: 2) by Pino P on Tuesday February 25 2020, @04:24AM (10 children)

    by Pino P (4721) on Tuesday February 25 2020, @04:24AM (#962220) Journal

    So don't use encryption.

    HTTPS as deployed offers no option for signing-only cipher suites. Therefore, using HTTPS implies using encryption. As for not using HTTPS in the first place, read on:

    Most sites don't need it anyway.

    The specification of a growing number of web platform APIs specifies that the API's functionality shall be available only through secure contexts [pineight.com]. Attempting to access the API through cleartext HTTP fails, such as by raising a security exception. A site using any of these web platform APIs needs HTTPS.

  • (Score: 2) by driverless on Tuesday February 25 2020, @10:52AM

    by driverless (4770) on Tuesday February 25 2020, @10:52AM (#962305)

    This is exactly what Android does, try and access some web service via HTTP instead of HTTPS and you get "CLEARTEXT communication to a.b.c.d is not permitted by network security policy", because Google knows much better than you do what needs to be secured and what doesn't, in this case an Arduino on an isolated network that controls watering room plants. Obviously that needs TLS, because Google says so.

  • (Score: 3, Insightful) by barbara hudson on Tuesday February 25 2020, @02:02PM (8 children)

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Tuesday February 25 2020, @02:02PM (#962353) Journal
    Most users aren't logging into web sites. HTTP is just fine. They're not running web apps on those sites. HTTP is just fine. How many sites want you to register, you hit the back button instead? For most users just reading a web page, HTTP is just fine.
    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 2) by Pino P on Tuesday February 25 2020, @02:12PM (3 children)

      by Pino P (4721) on Tuesday February 25 2020, @02:12PM (#962358) Journal

      Most users aren't logging into web sites.

      Most users are logging into at least two of webmail, Facebook, Twitter, some specialized forum, and some online store.

      For most users just reading a web page, HTTP is just fine.

      Are you claiming it's "just fine" for home Internet service providers to intercept connections and insert ads?

      • (Score: 2) by barbara hudson on Wednesday February 26 2020, @02:07AM (2 children)

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @02:07AM (#962669) Journal
        Like I give a shit about anyone using Facebook or Twitter. You shouldn't either. They deserve whatever crap they get, because by this time there's no excuse.
        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
        • (Score: 2) by Pino P on Wednesday February 26 2020, @02:28PM (1 child)

          by Pino P (4721) on Wednesday February 26 2020, @02:28PM (#962843) Journal

          It's still probably the case that most users are logging into at least two of webmail, some specialized forum (such as SoylentNews), some online store selling physical goods (such as eBay or Amazon), and some subscription video streaming service.

          • (Score: 2) by barbara hudson on Wednesday February 26 2020, @10:22PM

            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @10:22PM (#963169) Journal
            The only one on that list is soylentnews. I won't use webmail, eBay, Amazon, or ANY video streaming service.

            And I'm not overly worried about someone snooping on my posts here, or I wouldn't make them in the first place. Sheesh! Not everyone is a mindless sheeple who "needs" (for some ridiculous value of "needs") streaming video, social media, and webmail because otherwise they don't know what to do with themselves. No wonder people don't talk to each other any more - they're out of practice.

            --
            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 1, Informative) by Anonymous Coward on Tuesday February 25 2020, @05:50PM (3 children)

      by Anonymous Coward on Tuesday February 25 2020, @05:50PM (#962458)

      HTTP "was" just fine.

      Now HTTP is the reason to have your web page down listed on google searches.
      Now HTTP is the trigger for a warning message in your browser.
      Now HTTP will be flagged as insecure and possibly malicious.

      Stop pretending this is the 90s. When iphone users stop browsing websites that fail to show, HTTP will no longer be "just fine" for anyone.

      • (Score: 2) by barbara hudson on Wednesday February 26 2020, @02:20AM (2 children)

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @02:20AM (#962681) Journal

        Some people don't give a shit about site rankings in Google searches. Helps keep out those more clueless folks.

        So what about a warning - it's just an icon that indicates the site doesn't use HTTPS. Studies show most people don't even see it, and those who do don't know what it means, so again, so what?

        Flagged by whom? That stupid icon that most people don't even see? If you're just going to a site to read crap, and you don't need to log in, HTTPS is overkill.

        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
        • (Score: 2) by FatPhil on Wednesday February 26 2020, @10:40PM (1 child)

          by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday February 26 2020, @10:40PM (#963190) Homepage
          Parent post, being AC, wouldn't see this were I to reply to him directly, but you being logged in will if I place it here, and I think you might enjoy the rant: http://n-gate.com/software/2017/07/12/0/
          No idea who the person behind that site is, but I like his forthrightness.

          My webserver is an original RasPi, and I sure as heck don't want any unnecessary overheads on it (for me, when I'm developing/debugging), so I'm glad some are still fighting the cult of "https everywhere" (which is gradually removing sites from the subset of the internet visible to my 10-year-old smartphone).
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 2) by barbara hudson on Wednesday February 26 2020, @11:02PM

            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @11:02PM (#963200) Journal

            From your link:

            I do not give a shit about SEO and I fervently wish for the speedy retirement of everyone who does. SEO shitbags rank with email spammers as the absolute lowest pigshit dirtfuck dregs of humanity. The world would be a better place without any of their noise.

            I get spam all the time asking if they can interest me in having them do SEO for soylentnews.org, or paid content, or whatever. Probably targeting me because I don't use a nym. Maybe I should pretend I actually have anything to do with decisions here and collect all their "amazing offers" and post them for shits and giggles.

            --
            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.