SoylentNews

Apple Drops a Bomb on Long-Life HTTPS Certificates

posted by janrinok on Monday February 24 2020, @07:05PM   
from the honestly,-it's-for-your-own-good... dept.

upstart writes in with an IRC submission for SoyCow4275_:

Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months:

Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. That means websites using long-life SSL/TLS certs issued after the cut-off point will throw up privacy errors in Apple's browser.

The policy was unveiled by the iGiant at a Certification Authority Browser Forum (CA/Browser) meeting on Wednesday. Specifically, according to those present at the confab, from September 1, any new website cert valid for more than 398 days will not be trusted by the Safari browser and instead rejected. Older certs, issued prior to the deadline, are unaffected by this rule.

By implementing the policy in Safari, Apple will, by extension, enforce it on all iOS and macOS devices. This will put pressure on website admins and developers to make sure their certs meet Apple's requirements – or risk breaking pages on a billion-plus devices and computers.

[...] Shortening the lifespan of certificates does come with some drawbacks. It has been noted that by increasing the frequency of certificate replacements, Apple and others are also making life a little more complicated for site owners and businesses that have to manage the certificates and compliance.

"Companies need to look to automation to assist with certificate deployment, renewal, and lifecycle management to reduce human overhead and the risk of error as the frequency of certificate replacement increase," Callan told us.

We note Let's Encrypt issues free HTTPS certificates that expire after 90 days, and provides tools to automate renewals, so those will be just fine – and they are used all over the web now. El Reg's cert is a year-long affair so we'll be OK.

GitHub.com uses a two-year certificate, which would fall foul of Apple's rules though it was issued before the cut-off deadline. However, it is due to be renewed by June, so there's plenty of opportunity to sort that out. Apple's website has a year-long HTTPS cert that needs renewing in October.

Microsoft is an interesting one: its dot-com's cert is a two-year affair, which expires in October. If Redmond renews it for another two years, it'll trip up over Safari's policy.

---

Original Submission

• Re:Coffee shop LAN Re:Coffee shop LAN (Score: 2) by Pino P on Tuesday February 25 2020, @09:58PM (3 children)

  by Pino P (4721) on Tuesday February 25 2020, @09:58PM (#962573) Journal

  (PS If you are using DNS, then you need a valid cert -- I'm only excepting direct local IP addresses here.)

  Then why does multicast DNS (mDNS) even exist, given that other protocols have changed to make the names it issues unusable?

  As long as the device responding is really sending traffic from IP address 192.168.1.44 (which can be verified), then don't I properly know I am talking to the device I asked to talk to?

  Nested NATs mean that a device that reports itself as 192.168.1.44 and is in the same room as you might not actually be 192.168.1.44 on your network but instead 192.168.1.44 on a different network.

  Parent

  Starting Score:	1		point
  Karma-Bonus Modifier		+1
  Total Score:		2

• Re:Coffee shop LAN Re:Coffee shop LAN (Score: 2) by vux984 on Tuesday February 25 2020, @10:29PM (2 children)

  by vux984 (5045) on Tuesday February 25 2020, @10:29PM (#962582)

  "Then why does multicast DNS (mDNS) even exist"

  How is that a rebuttal? If you want trust you can't rely on a zero-configuration service that doesn't offer any guarantees.

  "Nested NATs mean that a device that reports itself as 192.168.1.44 and is in the same room as you might not actually be 192.168.1.44 on your network but instead 192.168.1.44 on a different network."

  Nevertheless I am talking to a device at 192.168.1.44 on the LAN, and that's what i asked the browser to do. That its not THE device i think it is, is on me. LAN IP Addresses are not globally unique. If tell the browser to talk to the device on the LAN at 192.168.1.44 as long as its doing _that_ its done its job the best that can be reasonably expected. Putting certificates on things isn't going to fix it. 192.168.1.44 is still not going to go to the device I thought it was going to; it'll just go to the wrong device with a certificate on it. That's the inherent *risk i take* for using a LAN IP address instead of a FQDN.

  Parent

  • Re:Coffee shop LAN Re:Coffee shop LAN (Score: 2) by Pino P on Wednesday February 26 2020, @02:22PM (1 child)

    by Pino P (4721) on Wednesday February 26 2020, @02:22PM (#962839) Journal

    If you want trust you can't rely on a zero-configuration service that doesn't offer any guarantees.

    Over the past few years, web browser publishers have begun "deprecating" (Mozilla's word) protocols that do not provide trust [mozilla.org]. Thus as time goes on, "a zero-configuration service that doesn't offer any guarantees" becomes less and less useful.

    Nevertheless I am talking to a device at 192.168.1.44 on the LAN, and that's what i asked the browser to do. That its not THE device i think it is, is on me.

    Hence why the browser does not trust it.

    That's the inherent *risk i take* for using a LAN IP address instead of a FQDN.

    So what's a good way to mitigate such risks for non-technical users, who happen to outnumber the sort of highly technical users who frequent SoylentNews?

    Parent

    • Re:Coffee shop LAN (Score: 2) by vux984 on Wednesday February 26 2020, @04:16PM

      by vux984 (5045) on Wednesday February 26 2020, @04:16PM (#962927)

      "So what's a good way to mitigate such risks for non-technical users"

      The point remains that connecting to LAN devices by LAN ip addresses its comparatively low pretty low risk scenario *in the first place*.

      Parent