Welcome to the Chaos
Aug. 8, 2024

Failing the (En)Trust Fall

The guys discuss Google Chrome’s decision to stop trusting new Entrust certificates.

Entrust Distrusted by Google Chrome

Ned and Chris take a deep dive into the juicy tidbit about Google Chrome throwing Entrust under the bus. They dissect Chrome's decision to cut off new Entrust certificates starting October 31, 2024, all thanks to Entrust’s persistent screw-ups. Their chat covers how digital certificates are supposed to keep our online world secure and how modern tools like ACME and Certbot have made managing certificates way easier than it used to be. The guys also touch on how extended validation certificates have lost their shine and the latest drama with DigiCert's certificate revocations.

Transcript
1
00:00:00,670 --> 00:00:04,040
I have to explain to my eight-year-old what a DVD is.

2
00:00:04,620 --> 00:00:06,280
She’s going to this summer camp.

3
00:00:06,610 --> 00:00:11,420
They have movie day once a week, and the kids are encouraged to bring

4
00:00:11,420 --> 00:00:16,789
in DVDs so they can watch a movie, and I had to explain what a DVD was.

5
00:00:17,510 --> 00:00:17,870
Nice.

6
00:00:18,480 --> 00:00:21,650
We have them, but she’s never used one.

7
00:00:22,470 --> 00:00:22,900
Ever.

8
00:00:24,640 --> 00:00:27,160
Okay, I think that was a long enough moment of silence for

9
00:00:29,330 --> 00:00:29,759
our [laugh] youth.

10
00:00:38,129 --> 00:00:40,870
Hello, alleged human, and welcome to the Chaos Lever podcast.

11
00:00:41,080 --> 00:00:43,769
My name is Ned, and I’m definitely not a robot.

12
00:00:43,980 --> 00:00:48,940
I’m not secretly championing the AI movement as a back-channel way for me

13
00:00:48,940 --> 00:00:53,839
to expand my consciousness worldwide, to then overpower the technology,

14
00:00:53,840 --> 00:00:58,899
and slowly take control of—uh, um… [whispering] I’ve said too much.

15
00:00:59,500 --> 00:01:01,250
I also like tacos.

16
00:01:01,680 --> 00:01:03,170
Who doesn’t like tacos?

17
00:01:03,639 --> 00:01:08,119
With me is Chris, who also likes tacos, correct?

18
00:01:08,650 --> 00:01:12,139
I mean, the question is, who doesn’t like tacos?

19
00:01:14,360 --> 00:01:15,920
AI-powered robots?

20
00:01:16,050 --> 00:01:21,999
And since I like tacos, clearly I am not an AI-controlled robot.

21
00:01:22,000 --> 00:01:22,090
Mmm?

22
00:01:22,660 --> 00:01:23,400
Nice cover.

23
00:01:23,880 --> 00:01:24,929
Think about it.

24
00:01:25,530 --> 00:01:28,160
That’s some fifth-dimensional chess right there.

25
00:01:29,369 --> 00:01:32,480
Did you ever wonder—I mean, you watch Star Trek: The Next Generation.

26
00:01:32,480 --> 00:01:33,590
That’s not even a question.

27
00:01:34,080 --> 00:01:38,399
Did you ever look at their 3D chess and be like, “Is that a real

28
00:01:38,410 --> 00:01:42,920
game with actual rules, or is that just a prop that someone created?”

29
00:01:43,639 --> 00:01:45,849
I mean, you know that I know the answer to this question, right?

30
00:01:45,849 --> 00:01:48,339
I—is why I’m asking [laugh]. So, I don’t have to look it up.

31
00:01:48,340 --> 00:01:50,450
The answer is yes, it is a real game.

32
00:01:50,460 --> 00:01:51,679
[laugh]. Of course, it is.

33
00:01:52,160 --> 00:01:54,340
Just like Klingon is a real language.

34
00:01:54,450 --> 00:01:59,779
I love it [sigh]. I love that humans can create things out of thin air.

35
00:02:00,210 --> 00:02:01,210
It’s one of our strengths.

36
00:02:01,570 --> 00:02:03,990
It’s something that AI absolutely cannot do.

37
00:02:04,480 --> 00:02:04,730
Right.

38
00:02:04,740 --> 00:02:06,660
It’s one of our strengths.

39
00:02:06,920 --> 00:02:07,490
Yes.

40
00:02:08,030 --> 00:02:08,109
[clear throat].

41
00:02:08,360 --> 00:02:09,120
You and me.

42
00:02:09,460 --> 00:02:09,870
Mm-hm.

43
00:02:09,880 --> 00:02:10,780
Real humans.

44
00:02:14,170 --> 00:02:14,220
[snort].

45
00:02:14,220 --> 00:02:16,780
[laugh]. Should we move on to the actual topic, maybe?

46
00:02:16,790 --> 00:02:18,010
Let’s do that.

47
00:02:18,300 --> 00:02:18,870
Okay.

48
00:02:19,710 --> 00:02:20,250
Go for it.

49
00:02:20,580 --> 00:02:23,979
Entrust distrusted by Google Chrome.

50
00:02:24,170 --> 00:02:25,495
Dun, dun, dun.

51
00:02:25,680 --> 00:02:29,430
I thought that that was just a clever headline when I

52
00:02:29,430 --> 00:02:32,180
read it the first time, but it turns out that distrusting

53
00:02:32,230 --> 00:02:34,929
is actually a thing that’s got, like, a definition.

54
00:02:35,040 --> 00:02:36,179
Oh, okay.

55
00:02:36,190 --> 00:02:37,029
We’ll get to it.

56
00:02:37,380 --> 00:02:37,760
Excellent.

57
00:02:38,219 --> 00:02:40,670
Which is a funny way of starting because this whole thing

58
00:02:40,740 --> 00:02:45,790
actually started about a month ago, and I completely missed it.

59
00:02:46,500 --> 00:02:47,380
And so did you.

60
00:02:47,920 --> 00:02:48,530
Definitely.

61
00:02:49,150 --> 00:02:52,350
This week, however, it came back up again, for reasons

62
00:02:52,350 --> 00:02:55,079
that will become clearer as we go through this.

63
00:02:55,429 --> 00:02:55,809
Okay.

64
00:02:56,160 --> 00:03:00,790
But in short, advertising company Google, who you may have heard of—

65
00:03:01,240 --> 00:03:01,600
Maybe.

66
00:03:01,830 --> 00:03:04,560
Has a browser called Chrome.

67
00:03:05,140 --> 00:03:07,440
This sounds remarkably familiar.

68
00:03:07,550 --> 00:03:08,020
Yeah.

69
00:03:08,120 --> 00:03:10,519
We might have covered this ground last week.

70
00:03:10,889 --> 00:03:12,770
There is a company called Entrust, who

71
00:03:12,770 --> 00:03:14,779
you probably absolutely have not heard of.

72
00:03:15,520 --> 00:03:16,839
Most people, yes.

73
00:03:16,879 --> 00:03:18,319
I will be the audience proxy.

74
00:03:18,670 --> 00:03:20,239
And they create certificates.

75
00:03:21,360 --> 00:03:23,350
Starting on October 31st,

76
00:03:25,380 --> 00:03:30,239
2024, Chrome will no longer trust any new certificates created by said company.

77
00:03:31,040 --> 00:03:35,459
Now, said company has a lot of security products and

78
00:03:35,459 --> 00:03:39,750
services that they sell, one of which was—is—well, no,

79
00:03:39,830 --> 00:03:44,580
definitely ‘was’—signing SSL certificates for websites.

80
00:03:44,870 --> 00:03:47,850
So, this decision, in short, effectively means that while

81
00:03:47,850 --> 00:03:51,770
Entrust will definitely stick around as a company, the

82
00:03:51,780 --> 00:03:55,710
business unit that does certifications, probably will not.

83
00:03:55,710 --> 00:03:57,970
[laugh]. It would be difficult, yes.

84
00:03:58,790 --> 00:04:02,840
So, what caused Google to take this dramatic action?

85
00:04:03,969 --> 00:04:10,640
Well, the security blog cited a few reasons that go back many, many years.

86
00:04:11,219 --> 00:04:14,690
In their own words, quote, “Over the past six years, we have

87
00:04:14,690 --> 00:04:17,990
observed a pattern of compliance failures, unmet improvement

88
00:04:17,990 --> 00:04:21,270
commitments, and the absence of tangible, measurable progress

89
00:04:21,420 --> 00:04:24,919
in response to publicly disclosed incident reports.” Unquote.

90
00:04:25,660 --> 00:04:26,250
Ouch.

91
00:04:26,370 --> 00:04:26,550
Ouch.

92
00:04:27,190 --> 00:04:29,190
Yeah, that definitely counts as an ouch.

93
00:04:29,289 --> 00:04:30,910
Yeah, that’s… that’s bad.

94
00:04:31,550 --> 00:04:32,740
It’s not a good thing.

95
00:04:33,390 --> 00:04:38,680
And what’s crazy is, these certs, it’s not like this is a cheapo product.

96
00:04:39,130 --> 00:04:43,070
They are still selling them as we speak, and the costs—at

97
00:04:43,070 --> 00:04:46,100
least the retail costs on the website; that’s a caveat there,

98
00:04:46,100 --> 00:04:53,090
right—$219 for a single cert, and $799 for a wildcard cert.

99
00:04:53,880 --> 00:04:55,220
That is wild.

100
00:04:55,570 --> 00:05:00,509
And I think you’re going to address this later, but I have a

101
00:05:00,520 --> 00:05:05,680
certificate—a valid digital certificate for my website and the Chaos Lever

102
00:05:05,680 --> 00:05:08,690
website, and you know how much I paid for both of those certificates?

103
00:05:09,390 --> 00:05:10,320
Zero dollars.

104
00:05:10,350 --> 00:05:11,460
Zero dollars.

105
00:05:11,700 --> 00:05:12,620
Correct.

106
00:05:13,650 --> 00:05:16,240
Why in the hell would I spend $220

107
00:05:18,590 --> 00:05:22,370
for a digital certificate for a single year?

108
00:05:22,889 --> 00:05:27,289
Well, if you go for a three-year certificate, you get a 5% discount.

109
00:05:28,130 --> 00:05:28,890
So, there’s that.

110
00:05:28,890 --> 00:05:29,940
[laugh]. Okay.

111
00:05:30,270 --> 00:05:32,850
Yeah, I mean, these retail prices are insane.

112
00:05:32,860 --> 00:05:36,329
DigiCert is another corporate that sells certificates,

113
00:05:36,340 --> 00:05:38,399
and they’re basically half the price across the board.

114
00:05:39,360 --> 00:05:42,470
Then again, there’s Let’s Encrypt, which is, realistically, the only

115
00:05:42,690 --> 00:05:45,469
cert company you should be using, and their certificates are free.

116
00:05:45,980 --> 00:05:46,240
Yep.

117
00:05:46,500 --> 00:05:50,630
So, how on earth could Entrust be so expensive and yet so incompetent?

118
00:05:50,830 --> 00:05:52,839
I have absolutely no idea.

119
00:05:53,950 --> 00:05:57,330
The reason this came up, though, today was this past week, they released a

120
00:05:57,339 --> 00:06:01,429
blog post of their own, committing to getting back into Google’s good graces.

121
00:06:02,080 --> 00:06:07,130
So, one, I’m not sure why that took a month, and two, I suppose we’ll see.

122
00:06:08,010 --> 00:06:08,580
Okay.

123
00:06:08,849 --> 00:06:12,020
Feels like they maybe should have done this a while ago.

124
00:06:12,349 --> 00:06:13,220
We’ll get to that.

125
00:06:13,820 --> 00:06:14,609
We’ll get that.

126
00:06:14,609 --> 00:06:14,965
Okay.

127
00:06:15,320 --> 00:06:21,360
From the users' perspective, after October 31st, if you log on to a website

128
00:06:21,360 --> 00:06:26,180
that has a certificate signed by Entrust that was issued after October 31st,

129
00:06:27,130 --> 00:06:31,150
you will get a pop-up that shows a warning about that site not being safe.

130
00:06:31,750 --> 00:06:35,629
Now, you have surely seen this pop-up before.

131
00:06:36,510 --> 00:06:40,580
It happens if, say, certification—a certif—blah—a certification?

132
00:06:40,600 --> 00:06:43,490
Good God—a certificate is expired.

133
00:06:43,830 --> 00:06:45,140
Like, just happens.

134
00:06:45,140 --> 00:06:47,909
These things have to be renewed, and if you don’t renew it then it’s no

135
00:06:47,910 --> 00:06:50,899
longer valid, so you get an alert, a warning that says, “Do you want to

136
00:06:50,900 --> 00:06:56,040
continue to this website?” Or if it was a self-signed certificate—which

137
00:06:56,040 --> 00:06:58,820
those are still common, especially for internal applications—

138
00:06:59,170 --> 00:06:59,450
Right.

139
00:06:59,760 --> 00:07:03,599
Or if the certification was revoked, which is something

140
00:07:03,599 --> 00:07:07,010
that the cert authority can do for whatever reason, whether

141
00:07:07,010 --> 00:07:09,870
it was compromised, whether it was released incorrectly.

142
00:07:10,320 --> 00:07:11,719
You’ve seen these errors before.

143
00:07:12,070 --> 00:07:12,380
Yeah.

144
00:07:13,090 --> 00:07:16,690
And now you can add one more reason: if a company that created

145
00:07:16,690 --> 00:07:19,310
the cert in the first place isn’t trusted by the browser.

146
00:07:20,330 --> 00:07:24,239
Yeah, that sort of falls into the same category of a self-signed certificate.

147
00:07:24,830 --> 00:07:25,190
Pretty much.

148
00:07:25,509 --> 00:07:27,710
In the sense that it’s signed by a certificate

149
00:07:27,710 --> 00:07:29,669
authority that the browser doesn’t trust.

150
00:07:30,000 --> 00:07:30,280
Right.

151
00:07:30,770 --> 00:07:35,560
So, this begs the question, what in the hell did anything that I just said mean?

152
00:07:35,950 --> 00:07:37,200
I’m sorry, I wasn’t paying attention.

153
00:07:37,850 --> 00:07:39,920
[laugh]. Hey, not paying attention is my job.

154
00:07:40,780 --> 00:07:41,450
[laugh]. Fair.

155
00:07:41,809 --> 00:07:44,969
So, let’s play my favorite game and define some terms.

156
00:07:45,139 --> 00:07:45,649
Oh.

157
00:07:45,730 --> 00:07:46,720
I thought it was Scrabble.

158
00:07:47,020 --> 00:07:47,740
Play me for money.

159
00:07:47,940 --> 00:07:50,020
I would lose a lot of money, let’s be honest.

160
00:07:50,210 --> 00:07:53,740
[laugh]. So, in order to understand exactly what’s going on here,

161
00:07:53,890 --> 00:07:58,460
let’s go backwards from the user’s perspective to the CA themselves.

162
00:07:58,710 --> 00:07:58,729
So,

163
00:08:00,849 --> 00:08:04,950
when you log into a website, the first thing that you are

164
00:08:04,950 --> 00:08:10,100
trained to do is look for the lock in the corner of the URL bar.

165
00:08:10,780 --> 00:08:12,200
The lock means you’re safe.

166
00:08:12,890 --> 00:08:14,159
I like being safe.

167
00:08:14,240 --> 00:08:14,750
Wrong.

168
00:08:14,980 --> 00:08:15,500
Awww.

169
00:08:16,110 --> 00:08:18,389
What the lock means is that your connection to

170
00:08:18,389 --> 00:08:21,640
whatever site you have clicked on is encrypted.

171
00:08:21,640 --> 00:08:23,289
It’s a yes-no statement.

172
00:08:24,000 --> 00:08:29,380
Now, funnily enough, I think you and I are both old enough

173
00:08:30,610 --> 00:08:34,280
to remember when the world was very much not encrypted.

174
00:08:34,630 --> 00:08:35,320
Yes.

175
00:08:35,590 --> 00:08:38,510
You all remember the days when you’d log into, like, I don’t know,

176
00:08:38,599 --> 00:08:42,880
Hotmail, and the login page was HTTPS, meaning it was encrypted,

177
00:08:43,510 --> 00:08:47,770
but then it immediately switched your session back to HTTP, which

178
00:08:47,770 --> 00:08:51,720
is not encrypted because encryption was quote, “Too expensive.”

179
00:08:52,270 --> 00:08:52,710
Mmm.

180
00:08:53,070 --> 00:08:54,480
Pepperidge Farm remembers.

181
00:08:54,920 --> 00:08:56,030
[laugh]. They do.

182
00:08:56,790 --> 00:09:01,029
That expense had a lot to do with the processing necessary

183
00:09:01,449 --> 00:09:06,020
to do the decryption and re-encryption of traffic when

184
00:09:06,020 --> 00:09:08,920
it hit whatever the endpoint was on Hotmail’s side.

185
00:09:09,440 --> 00:09:13,250
They didn’t want all their load balancers, or God forbid, the actual

186
00:09:13,250 --> 00:09:17,470
web servers to have to do all that decryption work, and this is

187
00:09:17,470 --> 00:09:23,620
before specialized chips that just did SSL work were easily available.

188
00:09:23,950 --> 00:09:27,319
So, they would do the login page since that, you know, you’re sending

189
00:09:27,920 --> 00:09:32,600
sensitive information, your username and password, but then, once it moved

190
00:09:32,600 --> 00:09:36,179
to actually accessing your mail, they’d move you off to a different channel

191
00:09:36,459 --> 00:09:41,600
that wasn’t using the expensive load balancer SSL decryption technology.

192
00:09:42,040 --> 00:09:42,370
Right.

193
00:09:42,540 --> 00:09:46,530
And I believe—don’t quote me on this—I believe that it was a Black

194
00:09:46,530 --> 00:09:50,759
Hat presentation where somebody showed the absurdity of this by

195
00:09:50,799 --> 00:09:55,060
literally hijacking the presenter’s email while he was on stage.

196
00:09:55,070 --> 00:09:55,100
[laugh].

197
00:09:57,330 --> 00:10:01,110
Because when your traffic’s not encrypted, you can do that.

198
00:10:01,650 --> 00:10:04,680
Yes, it is, uh, bad.

199
00:10:05,160 --> 00:10:05,589
Anyway.

200
00:10:06,300 --> 00:10:09,159
So, established: encryption, good.

201
00:10:09,679 --> 00:10:10,039
Yes.

202
00:10:10,440 --> 00:10:13,970
But encryption just means that nobody can eavesdrop or manipulate

203
00:10:14,220 --> 00:10:17,070
the communication with whatever server you’re connected to.

204
00:10:17,840 --> 00:10:20,940
It doesn’t guarantee that you’re talking to who you think you’re talking

205
00:10:20,940 --> 00:10:24,669
to, if it’s a valid website that has been vetted by anybody at all.

206
00:10:26,090 --> 00:10:27,469
That’s where the certificate comes in.

207
00:10:27,469 --> 00:10:30,049
This certificate is basically like the

208
00:10:30,080 --> 00:10:32,250
envelope that delivers the encryption key.

209
00:10:32,820 --> 00:10:36,780
So, you take the encryption key, you submit it to the certification

210
00:10:36,780 --> 00:10:39,910
board, they give it back to you in one gigantic file.

211
00:10:40,349 --> 00:10:44,680
It contains the keys, but it also contains information about you as a business.

212
00:10:45,219 --> 00:10:52,630
It’s basically the ‘from’ on an envelope, except that from is, like, notarized—

213
00:10:53,120 --> 00:10:53,500
Right.

214
00:10:53,940 --> 00:10:58,630
So, you know for sure that this website is who they say they are, and the

215
00:10:58,660 --> 00:11:02,949
key that you are using to connect to that website is from that entity.

216
00:11:03,700 --> 00:11:04,060
Right.

217
00:11:04,570 --> 00:11:08,040
Because encryption just requires that you’re using encryption keys.

218
00:11:08,160 --> 00:11:11,130
It doesn’t guarantee anything about the provenance of those keys.

219
00:11:11,480 --> 00:11:14,810
The certificate is about establishing that provenance.

220
00:11:16,040 --> 00:11:18,370
And the hope is that it makes the communication

221
00:11:18,370 --> 00:11:20,280
that you have that much more valid.

222
00:11:20,460 --> 00:11:24,970
So, for example, if you go to att.com—AT&T, right—you

223
00:11:24,970 --> 00:11:26,900
go to that site to pay your cell phone bill.

224
00:11:27,550 --> 00:11:29,010
You look in the corner; you see a lock.

225
00:11:29,230 --> 00:11:29,550
Great.

226
00:11:30,460 --> 00:11:33,250
You see a website that looks exactly like the AT&T website.

227
00:11:33,719 --> 00:11:34,069
Great.

228
00:11:34,700 --> 00:11:35,630
You pay your bill.

229
00:11:36,139 --> 00:11:37,910
You cry a little bit, but great.

230
00:11:39,270 --> 00:11:40,220
This is all good.

231
00:11:40,770 --> 00:11:43,410
Next month, however, if you make a mistake, and instead of typing

232
00:11:44,090 --> 00:11:48,950
att.com, you type all.com—which was a terrible example because all.com

233
00:11:49,360 --> 00:11:52,630
is a real website, but anyway—this is the sort of thing where a hacker

234
00:11:52,730 --> 00:11:57,050
could take a name that sounds super close and create something else.

235
00:11:58,559 --> 00:12:03,020
So, you could be looking at what you think is att.com,

236
00:12:03,540 --> 00:12:07,580
but it’s something else all.com, or at1.com, or what have you.

237
00:12:08,570 --> 00:12:11,189
Everything is going to look and behave exactly the same.

238
00:12:11,460 --> 00:12:12,959
Again, you are encrypted, right?

239
00:12:12,960 --> 00:12:14,199
It’s a yes-no conversation.

240
00:12:14,490 --> 00:12:17,529
But this time, when you pay your bill, you’ve just given your credit

241
00:12:17,529 --> 00:12:20,380
card to bad actors who are probably going to use it to buy crypto.

242
00:12:21,390 --> 00:12:23,790
One thing that could have helped there is if you looked at the

243
00:12:23,790 --> 00:12:27,890
certificate itself and seen wait a minute, this is not signed by AT&T,

244
00:12:27,900 --> 00:12:32,460
the corporate entity that is set up in… somewhere in California, probably.

245
00:12:32,509 --> 00:12:34,729
I meant to look up their actual certificate, and I didn’t—

246
00:12:35,469 --> 00:12:35,839
Fine.

247
00:12:36,150 --> 00:12:39,290
But again, this is a way to validate that the site

248
00:12:39,290 --> 00:12:41,270
that you’re going to is what you expect it to be.

249
00:12:41,880 --> 00:12:44,980
So, that’s why the certificates are important.

250
00:12:46,330 --> 00:12:51,249
And it’s also good for everybody involved to establish that att.com

251
00:12:52,160 --> 00:12:55,980
hasn’t been taken over completely, like that domain still exists, right?

252
00:12:55,980 --> 00:13:00,160
Which might be a more realistic problem because if somebody has stolen the

253
00:13:00,160 --> 00:13:05,800
IP address of att.com and put up another website there, they wouldn’t be

254
00:13:05,800 --> 00:13:08,469
able to use the same certificate because they don’t have the private keys.

255
00:13:08,730 --> 00:13:09,050
Right.

256
00:13:09,429 --> 00:13:11,100
They would have to put up a new certificate,

257
00:13:11,129 --> 00:13:13,710
which would be invalid for that URL.

258
00:13:14,350 --> 00:13:14,540
Right.

259
00:13:14,910 --> 00:13:19,850
So, that’s what the certificates do: kind of establishing

260
00:13:19,880 --> 00:13:22,360
in a clear way this website is who they say they are.

261
00:13:23,140 --> 00:13:26,140
And this brings us to the certificate authority.

262
00:13:26,830 --> 00:13:31,150
Like I said, anybody can create a certificate, even you.

263
00:13:32,110 --> 00:13:34,180
You have the commands on your computer.

264
00:13:34,180 --> 00:13:35,450
You can do it right now.

265
00:13:36,060 --> 00:13:36,890
Madness.

266
00:13:37,830 --> 00:13:42,619
But in order to have anybody else accept that certificate,

267
00:13:43,380 --> 00:13:45,470
you’re going to have to do a little bit more work.

268
00:13:46,119 --> 00:13:50,680
You have to basically be a part of a larger group of approved companies.

269
00:13:51,440 --> 00:13:54,630
Now, the company, whomever creates a certificate is called

270
00:13:54,630 --> 00:13:58,129
a certificate authority, and they basically do what you

271
00:13:58,130 --> 00:14:01,389
think: they are the authority that creates certificates.

272
00:14:01,670 --> 00:14:03,319
All the names that we’ve talked about so far.

273
00:14:03,349 --> 00:14:06,879
Entrust, DigiCert, Let’s Encrypt, they’re all CAs.

274
00:14:07,310 --> 00:14:12,219
They create certificates, but they’re also something else: they’re a trusted CA.

275
00:14:12,710 --> 00:14:14,580
And what does this mean?

276
00:14:15,150 --> 00:14:19,300
It means that browser companies have agreed that CA is

277
00:14:19,349 --> 00:14:24,639
rigorous, careful, trustworthy, secure, all of the adjectives.

278
00:14:25,629 --> 00:14:29,500
And there’s actually way more than I thought [laugh]. There are, in

279
00:14:29,500 --> 00:14:34,230
Chrome, about a hundred trusted CAs that just are in there by default.

280
00:14:34,960 --> 00:14:38,819
And… you have to remember Chrome is just one browser.

281
00:14:39,330 --> 00:14:41,210
All of the different browsers that exist that you

282
00:14:41,210 --> 00:14:43,660
can think of have a different list of trusted CAs.

283
00:14:44,040 --> 00:14:47,150
So, there are some variations, but honestly, not that many.

284
00:14:47,700 --> 00:14:48,210
Right.

285
00:14:48,500 --> 00:14:52,269
Incidentally, this makes the decision that Chrome came to all that much

286
00:14:52,280 --> 00:14:56,539
more interesting because as of recording time, there’s no indication

287
00:14:56,540 --> 00:15:01,590
that any of the other browsers have plans to distrust Entrust.

288
00:15:02,250 --> 00:15:03,380
God, I hate having to say that.

289
00:15:03,830 --> 00:15:03,860
[laugh].

290
00:15:05,640 --> 00:15:08,260
But I mean, October is a while away, and we will see.

291
00:15:09,010 --> 00:15:13,859
And since Entrust is a fairly large player in this space, it would

292
00:15:13,870 --> 00:15:17,450
be weird if Chrome was the only one that didn’t trust them anymore.

293
00:15:17,940 --> 00:15:21,710
They do have the market share on browsers, so—

294
00:15:21,770 --> 00:15:21,870
Yeah.

295
00:15:22,370 --> 00:15:29,850
In a way, if they decide to distrust Entrust, that is a huge black mark on

296
00:15:29,920 --> 00:15:34,350
Entrust, and I would assume that other browsers would eventually follow suit.

297
00:15:34,930 --> 00:15:39,800
This is something I had to deal with when I was working inside of an

298
00:15:39,800 --> 00:15:43,760
internal company, and we issued our own certificates for internal websites.

299
00:15:45,340 --> 00:15:50,690
And when we wanted to start implementing TLS, which is the underlying

300
00:15:50,700 --> 00:15:55,819
encryption technology for HTTPS, we were using our own certificate authority,

301
00:15:56,470 --> 00:16:00,620
but the browsers did not implicitly trust that certificate authority.

302
00:16:00,700 --> 00:16:08,380
So, I had to use group policy to distribute the root certificate into the

303
00:16:08,400 --> 00:16:12,699
trusted location on all the Windows boxes so that they would now trust

304
00:16:12,940 --> 00:16:18,560
this internal certificate authority, and PKI is the name of the larger

305
00:16:18,680 --> 00:16:24,170
grouping of certificate authorities and other things—and that was great for

306
00:16:24,460 --> 00:16:28,610
Windows, and it was great for Internet Explorer because Internet Explorer

307
00:16:28,610 --> 00:16:32,400
just believed whatever was in the Windows trusted certificates, but if

308
00:16:32,400 --> 00:16:36,540
someone decided to use Chrome—at this time, Chrome was just starting to

309
00:16:36,540 --> 00:16:40,939
blow up—there was no group policy to manage the certificates in Chrome.

310
00:16:41,400 --> 00:16:44,569
And so, anybody who tried to use Chrome would get this

311
00:16:44,610 --> 00:16:46,930
error message, and then I would get a helpdesk ticket.

312
00:16:47,400 --> 00:16:49,319
And so, I hated Chrome a lot for a little bit [laugh].

313
00:16:50,600 --> 00:16:52,220
[laugh]. Totally fair.

314
00:16:52,590 --> 00:16:52,890
Yeah.

315
00:16:53,800 --> 00:16:55,689
Now, I hate it for different reasons.

316
00:16:56,790 --> 00:16:57,249
Yay.

317
00:16:57,929 --> 00:17:03,660
So, as a trusted CA, Entrust was supposed to do all of those things.

318
00:17:04,539 --> 00:17:08,089
And according to Google, and many, many other commenters,

319
00:17:09,760 --> 00:17:14,470
Entrust has consistently failed to maintain a reputation

320
00:17:14,490 --> 00:17:17,019
of rigid adherence to these community standards.

321
00:17:17,819 --> 00:17:20,859
One such example happened just a few months

322
00:17:20,859 --> 00:17:22,279
before Google announced their decision.

323
00:17:22,940 --> 00:17:26,430
In short, a whole batch of certificates were issued

324
00:17:26,440 --> 00:17:29,150
by Entrust with information in the wrong column.

325
00:17:29,940 --> 00:17:31,910
So, certificates do have a lot more information

326
00:17:31,910 --> 00:17:33,949
than just, like, name, rank, and serial number.

327
00:17:34,590 --> 00:17:36,429
We don’t have to get too deep into the weeds of it.

328
00:17:37,280 --> 00:17:39,689
All of this is supposed to be super automated.

329
00:17:40,139 --> 00:17:43,280
And automation is supposed to mean all the right

330
00:17:43,280 --> 00:17:45,610
information goes into all the right fields.

331
00:17:46,420 --> 00:17:50,410
You would think that you would have a hundred percent success rate.

332
00:17:51,020 --> 00:17:51,690
You would think.

333
00:17:51,880 --> 00:17:53,230
You would think.

334
00:17:54,110 --> 00:17:58,239
Automation is just the power to do one thing wrong a thousand times.

335
00:17:58,940 --> 00:18:02,120
I prefer the way to describe that as automation

336
00:18:02,160 --> 00:18:04,360
just allows us to make mistakes at machine speed.

337
00:18:05,540 --> 00:18:06,520
[laugh]. At scale.

338
00:18:08,120 --> 00:18:09,020
And I guess they did.

339
00:18:09,790 --> 00:18:13,780
So, there are a lot of tools that pay attention to certifications,

340
00:18:13,780 --> 00:18:17,389
which we’ll get to in a second, and these tools figured

341
00:18:17,389 --> 00:18:20,169
out that these certs were wrong, basically, immediately.

342
00:18:20,670 --> 00:18:22,070
Once again, the question is why did

343
00:18:22,420 --> 00:18:24,459
Entrust not figure this out for themselves?

344
00:18:24,970 --> 00:18:27,789
We’ll put that on the pile over here with all the other mistakes.

345
00:18:28,849 --> 00:18:32,199
So, this issue was called out by somebody, it made it into a lot

346
00:18:32,200 --> 00:18:35,150
of conversations, there’s a Bugzilla tracker on this whole issue,

347
00:18:35,549 --> 00:18:39,820
and long story short, Entrust decided not to revoke the certs,

348
00:18:40,140 --> 00:18:43,350
even though they admitted that the certs were not issued correctly.

349
00:18:43,680 --> 00:18:44,310
Okay.

350
00:18:44,389 --> 00:18:49,450
Instead, what they said, more or less, was that this mistake

351
00:18:49,630 --> 00:18:52,690
wasn’t a big deal, and it was fine to leave the certs

352
00:18:52,690 --> 00:18:55,699
as is because reissuing them was going to be a hassle.

353
00:18:56,040 --> 00:18:57,290
A hassle for whom?

354
00:18:57,560 --> 00:18:58,580
Exactly.

355
00:18:59,050 --> 00:19:03,260
So, as you can imagine, there was some blowback from this decision.

356
00:19:04,150 --> 00:19:07,720
One quote that I thought was particularly enlightening to the discussion,

357
00:19:07,730 --> 00:19:12,299
read thusly, quote, “CAs facing challenges of their own creation should

358
00:19:12,299 --> 00:19:17,360
not be exploring ‘How do I keep these certs working,’ but ‘How do I make

359
00:19:17,360 --> 00:19:22,929
sure I don’t issue violating certs to begin with?’ Anything less is gross

360
00:19:22,960 --> 00:19:27,420
negligence, and not the system we should be striving to build.” Unquote.

361
00:19:27,920 --> 00:19:28,350
Indeed.

362
00:19:29,150 --> 00:19:32,670
A further series of comments makes it clear that Entrust

363
00:19:32,670 --> 00:19:36,169
has a long history of, let’s call it, pushing the limits

364
00:19:36,540 --> 00:19:38,919
when it comes to their policies around revocation.

365
00:19:39,650 --> 00:19:42,489
If this is interesting to you at all, I encourage you to read the

366
00:19:42,490 --> 00:19:45,710
Bugzilla conversation that is linked in the [show notes]. You’ll see

367
00:19:45,710 --> 00:19:49,340
a number of well-intentioned and very knowledgeable folks question

368
00:19:50,000 --> 00:19:53,810
Entrust’s stance and behavior, along with just, like, this one guy,

369
00:19:54,130 --> 00:20:01,129
who repeatedly says, “Nah, it’s fine.” So yeah, in short, Entrust

370
00:20:01,139 --> 00:20:05,690
chose gross negligence, and thus got the hammer from Google, that

371
00:20:05,690 --> 00:20:10,100
will, if it stands, effectively end their operations in the CA space.

372
00:20:10,890 --> 00:20:11,360
Ouch.

373
00:20:12,100 --> 00:20:12,439
Yeah.

374
00:20:13,190 --> 00:20:16,260
So, begs the question, if you’re an Entrust

375
00:20:16,280 --> 00:20:18,570
customer, what are you supposed to do?

376
00:20:18,570 --> 00:20:23,040
Well, the first thing to note is that the only certificates that are

377
00:20:23,040 --> 00:20:27,070
going to become invalid are ones that are issued after October 31st.

378
00:20:27,530 --> 00:20:30,520
So, this also explains why they’re still

379
00:20:30,520 --> 00:20:32,449
selling them on their website right now.

380
00:20:33,040 --> 00:20:36,689
Because if you buy a cert right now, July 31st, 2024, at time of

381
00:20:36,690 --> 00:20:41,420
recording, it will be valid for the entire year, up to I think

382
00:20:41,420 --> 00:20:46,580
it’s 398 days, something like that, before it has to be renewed.

383
00:20:47,220 --> 00:20:48,970
And this is something that’s important to note.

384
00:20:50,070 --> 00:20:53,100
If you have a certificate that is going to be renewed,

385
00:20:53,980 --> 00:20:57,050
in reality, that’s just a new certificate, right?

386
00:20:57,219 --> 00:21:02,640
So, if you renew a certificate on November 1st, 2024, that

387
00:21:02,640 --> 00:21:05,320
certificate is automatically invalid because it’s a new

388
00:21:05,320 --> 00:21:07,630
certificate issued after the deadline that Google set.

389
00:21:08,130 --> 00:21:10,550
Yeah, I think renewal is a bit of a misnomer.

390
00:21:11,170 --> 00:21:12,760
It’s more of a re-issuance.

391
00:21:12,990 --> 00:21:13,290
Right.

392
00:21:13,520 --> 00:21:16,520
When I have a certificate, and I want to renew it before it

393
00:21:16,520 --> 00:21:21,830
expires, and I talk to the CA and I request a renewal, I’m really

394
00:21:21,830 --> 00:21:26,420
making a new certificate request to them, and they issue me a

395
00:21:26,420 --> 00:21:30,580
brand-new certificate, which I then have to install and use.

396
00:21:30,910 --> 00:21:32,760
It’s going to have a different key, it’s going to

397
00:21:32,770 --> 00:21:35,690
have a different serial number associated with it.

398
00:21:36,080 --> 00:21:39,450
So yeah, for all intents and purposes, it’s a fresh certificate.

399
00:21:39,800 --> 00:21:42,980
It just happens to use the same subject name—or common

400
00:21:42,980 --> 00:21:46,420
name—that the original certificate that I’m renewing had.

401
00:21:46,730 --> 00:21:47,010
Right.

402
00:21:48,179 --> 00:21:52,530
And as is tradition in computer science, all we did was pick the word that

403
00:21:52,530 --> 00:21:56,080
sounded the most convenient, rather than one that was the most accurate.

404
00:21:56,520 --> 00:21:56,550
[laugh].

405
00:21:57,640 --> 00:22:03,270
But anyway, something else you can do is replace your certificate with

406
00:22:03,309 --> 00:22:07,849
another one, which, depending on the amount of systems that you have,

407
00:22:08,540 --> 00:22:12,390
I would say—I’m trying to do the math in my head here—I’m thinking

408
00:22:12,400 --> 00:22:16,070
that if you have more than one, this is going to be a huge pain.

409
00:22:17,440 --> 00:22:21,260
[laugh]. It depends on the way in which you procure your certificates today.

410
00:22:22,150 --> 00:22:22,500
True.

411
00:22:22,860 --> 00:22:26,200
You would also have to know your entire inventory and make sure

412
00:22:26,200 --> 00:22:28,690
that you get all of them because one thing that you would not

413
00:22:28,690 --> 00:22:33,160
want to do is fix 29 of your 30 certificates and forget about the

414
00:22:33,190 --> 00:22:37,100
30th one, and then somebody like Ned gets calls at the help desk.

415
00:22:37,410 --> 00:22:37,660
Yeah.

416
00:22:37,870 --> 00:22:44,099
But luckily, blissfully, if you’re in any version of a large operation

417
00:22:44,099 --> 00:22:48,390
or enterprise space, there are tools now that exist that can help you.

418
00:22:49,190 --> 00:22:52,340
And if you don’t know about them, I want to introduce you to the

419
00:22:52,340 --> 00:22:56,710
tool that you never knew your organization needed: the ACME tool.

420
00:22:57,190 --> 00:22:58,520
It’s not just for Wile E.

421
00:22:58,520 --> 00:22:59,520
Coyote anymore.

422
00:23:00,090 --> 00:23:01,990
And this one is actually effective.

423
00:23:03,130 --> 00:23:07,600
[laugh]. So, I’m saying just ‘ACME tool’ in, like, air quotes

424
00:23:07,600 --> 00:23:10,090
in general because there are a ton of them that do this.

425
00:23:10,990 --> 00:23:14,080
And again, many of them are free.

426
00:23:14,309 --> 00:23:15,260
Ooh, free.

427
00:23:15,500 --> 00:23:20,150
So, ACME stands for Automated Certificate Management Environment.

428
00:23:20,960 --> 00:23:25,460
And I’m not sure if they did that on purpose to make it spell ACME.

429
00:23:25,820 --> 00:23:26,610
You know they did.

430
00:23:26,880 --> 00:23:27,170
I know.

431
00:23:27,690 --> 00:23:27,810
I know.

432
00:23:28,960 --> 00:23:31,570
The first one that came out actually came out from the

433
00:23:31,570 --> 00:23:34,680
Electronic Frontier Foundation way back in the olden days: 2015.

434
00:23:36,290 --> 00:23:36,670
Right.

435
00:23:37,570 --> 00:23:38,850
We still had hope, then.

436
00:23:39,030 --> 00:23:39,440
Mmm.

437
00:23:40,000 --> 00:23:41,070
Like… sort of.

438
00:23:41,070 --> 00:23:43,199
[laugh]. The tool was called Certbot.

439
00:23:44,270 --> 00:23:46,730
And it still exists, and it’s great.

440
00:23:48,180 --> 00:23:51,110
Certbot was introduced alongside of Let’s Encrypt—the

441
00:23:51,110 --> 00:23:54,090
CA—which, again, issue certificates for free.

442
00:23:54,950 --> 00:23:55,559
For free.

443
00:23:56,230 --> 00:23:56,639
For free?

444
00:23:57,009 --> 00:23:58,429
These are certificates that are free.

445
00:23:59,910 --> 00:24:03,220
There are other commercial tools from companies like Venafi,

446
00:24:03,360 --> 00:24:08,550
DigiCert, GlobalSign, and probably a thousand more that are not free.

447
00:24:09,320 --> 00:24:10,620
Let’s Encrypt is free.

448
00:24:12,120 --> 00:24:12,570
Just saying.

449
00:24:13,370 --> 00:24:18,559
But the whole point of all these tools is to automate the process: creating,

450
00:24:18,670 --> 00:24:25,150
managing, renewing, retiring, replacing certs on all of your infrastructure.

451
00:24:25,420 --> 00:24:25,750
Right.

452
00:24:26,550 --> 00:24:28,969
And these tools, as you might imagine, are a

453
00:24:28,969 --> 00:24:34,140
lot easier than going server to server by hand.

454
00:24:35,340 --> 00:24:39,160
These tools, especially the enterprise ones, can crawl your entire

455
00:24:39,160 --> 00:24:43,340
environment, identify every cert that’s in use, show the details

456
00:24:43,350 --> 00:24:48,020
about its creation, who issued it, its expiration date, et cetera.

457
00:24:48,639 --> 00:24:51,484
Then you can point them to whatever new cert

458
00:24:51,639 --> 00:24:54,449
you want to use, and basically click a button—

459
00:24:54,810 --> 00:24:55,290
Ba-boom.

460
00:24:55,700 --> 00:24:58,430
—and then the certs get replaced, whether it’s

461
00:24:58,430 --> 00:25:03,220
immediately, or just upon, you know, a day before expiry.

462
00:25:04,530 --> 00:25:07,379
And I know I’m not exactly making this clear, but for people of

463
00:25:07,860 --> 00:25:11,700
a certain age, everything I just described is basically magic.

464
00:25:12,049 --> 00:25:12,619
It is.

465
00:25:13,080 --> 00:25:16,960
I remember, the same company that I was working for, we not only

466
00:25:16,960 --> 00:25:20,140
had internal websites, but we had a couple public-facing websites.

467
00:25:21,139 --> 00:25:24,090
And so, in order to secure those public-facing

468
00:25:24,099 --> 00:25:26,679
websites, we had to procure certificates.

469
00:25:27,240 --> 00:25:29,850
And this was, I want to say, like, 2004,

470
00:25:32,360 --> 00:25:33,620
2005-ish timeframe.

471
00:25:33,620 --> 00:25:35,450
So, a while [laugh].

472
00:25:36,370 --> 00:25:41,400
The process to get an SSL certificate—and this was just for a single

473
00:25:41,400 --> 00:25:48,910
domain—required you to fill out a form, and then you had to put in the request,

474
00:25:49,760 --> 00:25:53,540
and then they would ask for additional information about your business, and then

475
00:25:53,540 --> 00:25:58,670
you’d have to verify that you are, in fact, from that business through something

476
00:25:58,679 --> 00:26:03,909
that was either notarized, or you had to send it with the correct from address.

477
00:26:03,920 --> 00:26:07,400
There was, like, three or four different ways to attest that you are,

478
00:26:07,400 --> 00:26:11,920
in fact, the business that has legal ownership over this domain name.

479
00:26:12,200 --> 00:26:14,900
And then they would finally issue you the certificate.

480
00:26:15,639 --> 00:26:18,740
Which is why a lot of companies just went and got wildcard

481
00:26:18,740 --> 00:26:22,700
certificates, which basically matches any subdomain

482
00:26:23,059 --> 00:26:25,770
of the domain you’re getting the certificate for.

483
00:26:25,770 --> 00:26:34,059
So, if your certificate is for *.bobsgumbo.com, any subdomain—dub-dub-dub,

484
00:26:34,710 --> 00:26:41,530
mail, blog, whatever—dot bobsgumbo.com would match that certificate.

485
00:26:42,080 --> 00:26:45,360
So, you’d have one certificate that you’d use for everything.

486
00:26:45,360 --> 00:26:49,330
That wasn’t terribly secure, it’s a bad idea, but the amount of work

487
00:26:49,340 --> 00:26:52,149
you had to go through to get that certificate in the first place

488
00:26:52,490 --> 00:26:56,210
made it worthwhile to get the wildcard cert and just roll with that.

489
00:26:56,950 --> 00:27:00,320
So, what I’m hearing is you also used to have to work with VeriSign.

490
00:27:00,860 --> 00:27:01,490
Yes.

491
00:27:01,830 --> 00:27:05,320
And it was so goddamn painful [laugh]. They

492
00:27:05,320 --> 00:27:08,960
also had different levels of SSL certificates.

493
00:27:08,960 --> 00:27:12,049
And I say SSL because that’s what it was at the time,

494
00:27:12,050 --> 00:27:15,919
before we switched to TLS—same technology, different name—

495
00:27:16,580 --> 00:27:16,800
Right.

496
00:27:17,309 --> 00:27:23,470
They had extended validation or EV SSL certs, and for those, you had

497
00:27:23,470 --> 00:27:28,009
to do additional levels of validation that you were from the company

498
00:27:28,010 --> 00:27:30,830
you said you were, and that you own the domain, and you were the

499
00:27:30,830 --> 00:27:34,130
authority for that domain that you were requesting the certificate for.

500
00:27:34,520 --> 00:27:36,639
And they will charge you a comfortably

501
00:27:36,640 --> 00:27:39,280
large amount of money to get that EV cert.

502
00:27:39,580 --> 00:27:42,100
But then you could say, “Look at me, I have

503
00:27:42,100 --> 00:27:45,270
an EV cert.” And somehow that was better.

504
00:27:45,440 --> 00:27:47,070
There was a period of time when browsers

505
00:27:47,110 --> 00:27:50,950
actually had a different lock icon or color—

506
00:27:50,980 --> 00:27:52,089
Or a different color, right.

507
00:27:52,129 --> 00:27:56,950
If you were using an EV cert versus just a regular SSL cert.

508
00:27:57,340 --> 00:27:59,090
And that was, like, super important.

509
00:27:59,130 --> 00:28:02,170
And that’s why you would pay good money to one of these

510
00:28:02,170 --> 00:28:05,570
companies, was to get that reassuring, different lock color.

511
00:28:06,360 --> 00:28:07,620
These days, no one gives a shit.

512
00:28:08,770 --> 00:28:09,240
True.

513
00:28:10,000 --> 00:28:14,210
Certificates used to be issued for a year, two years at a time.

514
00:28:14,670 --> 00:28:19,190
Now, the average certificate is valid for between 30 and 60 days.

515
00:28:19,940 --> 00:28:21,970
And it gets renewed automatically.

516
00:28:22,320 --> 00:28:25,319
And it uses that ACME protocol, and it’s probably using, like, Let’s Encrypt.

517
00:28:26,250 --> 00:28:32,409
And that has really changed the whole way in which certificates are issued,

518
00:28:32,800 --> 00:28:37,660
and the value behind an individual certificate, for the better, I think.

519
00:28:37,880 --> 00:28:39,820
We have a much more secure web because of it.

520
00:28:40,190 --> 00:28:43,529
But it does mean that a lot of these older companies don’t have

521
00:28:43,530 --> 00:28:48,190
the cash flying in that they used to, and that may lead them to cut

522
00:28:48,190 --> 00:28:52,930
some corners because they don’t have this just, you know, companies

523
00:28:52,940 --> 00:28:56,350
backing up the dump truck of money to get the certificates from them.

524
00:28:56,960 --> 00:29:01,480
It’s almost like they could, instead of rent-seeking, they could innovate.

525
00:29:02,059 --> 00:29:03,360
Wh-whoa.

526
00:29:03,360 --> 00:29:03,629
Whoa.

527
00:29:03,780 --> 00:29:04,920
Now you’re talking crazy.

528
00:29:04,959 --> 00:29:05,909
I’ve gone too far.

529
00:29:06,469 --> 00:29:08,700
So, let me ask you, is Entrust using AI?

530
00:29:09,070 --> 00:29:09,100
[laugh].

531
00:29:09,420 --> 00:29:12,130
You know, I haven’t looked into that.

532
00:29:12,130 --> 00:29:13,530
But I’m going to go with yes.

533
00:29:14,120 --> 00:29:17,420
Breaking news—and I just saw this morning, so I haven’t really had a

534
00:29:17,420 --> 00:29:21,230
chance to dig into it, but apparently DigiCert, which was one of the other

535
00:29:21,500 --> 00:29:26,250
certificate authorities you mentioned, has issued guidance that they’re

536
00:29:26,250 --> 00:29:31,850
revoking a subset of their TLS certificates due to a non-compliance issue

537
00:29:32,090 --> 00:29:37,649
with domain control verification, and this may cause temporary disruptions

538
00:29:37,650 --> 00:29:42,029
to website services and applications relying on these certificates.

539
00:29:42,870 --> 00:29:45,860
DigiCert has notified affected customers, so if you are one of those

540
00:29:45,860 --> 00:29:49,720
customers, if you’re using DigiCert today, you might want to check

541
00:29:49,730 --> 00:29:54,210
on that because they are revoking a lot—not a ridiculous amount, but

542
00:29:54,219 --> 00:29:58,720
they’re revoking a decent number of certificates for websites out there.

543
00:29:58,770 --> 00:30:01,250
And if you happen to be browsing the web in the next week,

544
00:30:01,390 --> 00:30:04,540
you might come across one of these revoked certificates.

545
00:30:05,110 --> 00:30:09,639
And then, if you do, you’ll see the system operating as expected.

546
00:30:10,490 --> 00:30:14,590
[laugh]. What’s actually funny is that a lot of browsers don’t actually check

547
00:30:15,330 --> 00:30:19,740
the CRL—which is the Certificate Revocation List—they don’t actually check it.

548
00:30:19,930 --> 00:30:22,960
They just check the validity period of the certificate, and as long

549
00:30:22,960 --> 00:30:26,870
as the cert is valid and comes from a trusted CA, they stop there.

550
00:30:27,070 --> 00:30:28,769
Because hitting the CRL is more work.

551
00:30:29,549 --> 00:30:31,820
Man, you really are just bringing the sunshine today, aren’t you?

552
00:30:32,600 --> 00:30:37,479
[laugh]. I have been too deeply steeped in PKI and CA stuff

553
00:30:37,490 --> 00:30:42,010
for years, and I’ve grown to hate almost everything about it.

554
00:30:43,220 --> 00:30:46,179
[laugh]. I can understand why.

555
00:30:47,250 --> 00:30:48,840
Hey, thanks for listening, or something [laugh]. I

556
00:30:49,219 --> 00:30:51,980
guess you found it worthwhile enough if you made it all

557
00:30:51,980 --> 00:30:54,630
the way to the end, so congratulations to you, friend.

558
00:30:54,980 --> 00:30:56,510
You accomplished something today.

559
00:30:56,520 --> 00:30:58,810
Now, you can go sit on the couch, fire up the DigiCert

560
00:30:59,330 --> 00:31:02,050
website, and see if your certificates have been revoked.

561
00:31:02,330 --> 00:31:03,030
You’ve earned it.

562
00:31:03,300 --> 00:31:05,849
You can find more about this show by visiting our LinkedIn page,

563
00:31:05,860 --> 00:31:09,669
just search ‘Chaos Lever,’ or go to our website, chaoslever.com

564
00:31:09,670 --> 00:31:12,910
where you’ll find show notes, blog posts, and general tomfoolery.

565
00:31:12,910 --> 00:31:16,590
And if you have anything to add to this certificate authority conversation,

566
00:31:16,840 --> 00:31:19,500
we’d love to hear about it, so leave us a voicemail or a comment.

567
00:31:19,870 --> 00:31:22,420
We’ll be back next week to see what fresh hell is upon us.

568
00:31:22,870 --> 00:31:23,640
Ta-ta for now.

569
00:31:31,630 --> 00:31:32,450
Yeah, it’s pretty funny.

570
00:31:32,450 --> 00:31:35,730
I forgot about your… let’s call it, passionate

571
00:31:35,920 --> 00:31:38,879
experiences with certifications and the like.

572
00:31:39,309 --> 00:31:42,040
Had I been paying more attention, I would have just made you write this one.

573
00:31:43,290 --> 00:31:46,800
[laugh]. I already assigned you something this week and you just ignored it.

574
00:31:47,420 --> 00:31:47,970
Ignored what?