Comment by ocdtrekkie
1 day ago
I feel like this comment ignores the fact that right now all of them are effectively tied to Google, and that supporting DANE if Google doesn't is currently pointless, so obviously no one would until the status quo changes.
Ultimately the problem is that currently "security best practice" as it's commonly discussed, says what we're doing now is a good idea. It's not, and until we change the understanding on that, nobody's going to feel motivated to do better.
Password rotation used to be considered a gold standard strategy for security, until people realized not only did it make everything harder, it also encouraged people to choose less secure passwords and was largely self-defeating.
If I told you we could improve a 90-day password rotation policy by making it change every week, you'd rightly call me crazy, but for some inconceivable reason (monopoly, perverse incentives, appeal to an authority run by idiots, name your choice), people act like decreasing certificate lifetime is somehow going to make the web safer.
Decreasing certificate lifetime addresses a totally different problem than password rotation.
Why do you think so? A certificate is essentially a password that proves your identity and rotating it faster is to ensure it stops doing that if someone steals your password.
Short certificate lifetimes address the fact that TLS certificate revocation doesn't work. Password rotation --- which is no longer a NIST recommendation! --- addresses the concern that long-term secrets eventually leak. You can intuitively see how different the problem domains are from the fact that certificate lifetimes are far shorter than even the old NIST password rotation rules were, despite the fact that certificates are all stored securely relative to passwords.
But whether that's intuitive for you or not, the fact remains: short-lifetime automated certificate provisioning is a response to revocation.
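As an added illustration of the point above (this code is not from the thread or any commenter), the following Go program builds a self-signed certificate with a chosen lifetime, checks whether a relying party with no working revocation signal would still accept it at a given time, and computes how long a key stolen on a given day keeps working: until `notAfter`, and no longer. The host name `example.test`, the issue date and the compromise day are all constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newShortLivedCert builds a self-signed certificate (constructed for this
// example) valid from notBefore for the given lifetime.
func newShortLivedCert(notBefore time.Time, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"}, // hypothetical host
		DNSNames:              []string{"example.test"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: serves as its own trust root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifiesAt reports whether a relying party that trusts cert as a root and
// receives no revocation information would accept it at time t. The only
// thing that can stop acceptance here is the validity period.
func verifiesAt(cert *x509.Certificate, t time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     "example.test",
		CurrentTime: t,
	})
	return err == nil
}

// exposureWindow is how long a key stolen at compromiseAt keeps producing
// accepted handshakes when revocation is ineffective: until expiry.
func exposureWindow(cert *x509.Certificate, compromiseAt time.Time) time.Duration {
	if !compromiseAt.Before(cert.NotAfter) {
		return 0
	}
	return cert.NotAfter.Sub(compromiseAt)
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	compromise := issued.Add(10 * 24 * time.Hour)         // key stolen on day 10
	for _, lifetime := range []time.Duration{90 * 24 * time.Hour, 7 * 24 * time.Hour} {
		cert, _, err := newShortLivedCert(issued, lifetime)
		if err != nil {
			panic(err)
		}
		fmt.Printf("lifetime %3.0f days: accepted on day 5: %v, on day 8: %v, exposure after day-10 theft: %.0f days\n",
			lifetime.Hours()/24,
			verifiesAt(cert, issued.Add(5*24*time.Hour)),
			verifiesAt(cert, issued.Add(8*24*time.Hour)),
			exposureWindow(cert, compromise).Hours()/24)
	}
}
```

The contrast with password rotation is visible in the code: nothing here depends on a human choosing or remembering anything, and the shorter lifetime bounds the damage from a stolen key even though the verifier never learns of the theft.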
> Password rotation used to be considered a gold standard strategy for security, until people realized not only did it make everything harder, it also encouraged people to choose less secure passwords and was largely self-defeating.
Even if we ignore the fact that certificates are not a secret, and that expiry applies to certificates, not private keys, a major difference is that humans don’t mentally generate or manually type TLS keys or certificates. So the negative impact of rotation on user experience and behavior is entirely absent.