item 46281207


joking | 2 months ago

In my case, I have to manage a portal for old TVs, and those don’t accept the LE root certificate since they changed it a couple of years ago. Unfortunately the vendor is unable to update the firmware with new certificates and we are sold.


aftbit | 2 months ago

Yeah, that LE root certificate change broke our PROD for about 25% of traffic when it happened. Everyone acts like we control our clients' cert chains. Clients don't look at the failure and think "our system is broken - we should upgrade". They look at the connection failure and think "this vendor is busted - might as well switch to someone who works". I switched away from LE to the other free ACME provider for our public-facing certs after that.

nickf | 2 months ago

Roots for all CAs are going to be rotating much more frequently now. Looking to be every 5 years.

account42 | 2 months ago

And your clients are right. The "security" community's wanton disregard for backwards compatibility is abhorrent.

deepsun | 2 months ago

Well, how was the vendor going to apply other security updates if they cannot update their basic security trust store?

If the vendor is really unable to update, then it's at best negligence when designing the product, and at worst -- planned obsolescence.

michaelt | 2 months ago

1. Ship the product with automatic updates delivered over https

2. Product is a smart fridge or whatever, reasonable users might keep it offline for 5+ years.

3. New homeowner connects it to the internet.

4. Security update fails because the security update server's SSL cert isn't signed by a trusted root.
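
The failure aftbit and michaelt describe, reproduced offline as an added example that is not part of this thread: a client whose trust store still holds only the old root, a CA that now signs leaf certificates from a new root, and the two outcomes depending on whether the server also serves a cross-signed copy of the new root (the same mechanism Let's Encrypt used to keep old clients working during its root transition). It needs only the openssl CLI; every name in it (Example Old Root, Example New Root, update.example.test, the temp directory) is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Simulates a stale client trust store
# against a CA that has rotated to a new root. Requires the openssl CLI.
# All subjects and file names are constructed for this demo.

# Build a tiny PKI in a temp dir: old root, new root, a leaf issued by the
# new root, and a cross-signed copy of the new root issued by the old root.
setup_pki() {
  WORK="$(mktemp -d)"

  # Old root: the only thing a device that has not updated in years trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/old-root.key" -out "$WORK/old-root.pem" \
    -subj "/CN=Example Old Root" 2>/dev/null

  # New root: what the CA signs with today.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/new-root.key" -out "$WORK/new-root.pem" \
    -subj "/CN=Example New Root" 2>/dev/null

  # Leaf for the (constructed) update server, issued by the new root only.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=update.example.test" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/leaf.csr" \
    -CA "$WORK/new-root.pem" -CAkey "$WORK/new-root.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null

  # Cross-sign: same new-root key and subject, but signed by the old root and
  # marked as a CA so it can sit between the leaf and the old root.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -new -key "$WORK/new-root.key" -out "$WORK/cross.csr" \
    -subj "/CN=Example New Root" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/cross.csr" \
    -CA "$WORK/old-root.pem" -CAkey "$WORK/old-root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/cross.pem" 2>/dev/null
}

# verify_chain TRUST_STORE LEAF [UNTRUSTED_INTERMEDIATES]
# Returns 0 when the leaf chains to the trust store, nonzero otherwise,
# mirroring what a TLS client would decide with that store.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Report one scenario as a single line.
report() {
  if verify_chain "$2" "$3" "$4"; then echo "$1: OK"; else echo "$1: FAIL"; fi
}

demo() {
  setup_pki
  # Stale client, server sends only the leaf: the update fails (step 4 above).
  report "old trust store, leaf only        " "$WORK/old-root.pem" "$WORK/leaf.pem"
  # Stale client, server also sends the cross-signed new root: still works.
  report "old trust store, leaf + cross-sign" "$WORK/old-root.pem" "$WORK/leaf.pem" "$WORK/cross.pem"
  # Updated client with the new root: works with or without the cross-sign.
  report "new trust store, leaf only        " "$WORK/new-root.pem" "$WORK/leaf.pem"
  rm -rf "$WORK"
}

demo
```

The second line is the one that matters operationally: as long as the server keeps serving the cross-signed intermediate, a device that cannot update its trust store still validates, which is exactly the window a vendor has to push a firmware update before the cross-sign itself expires.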

lokar | 2 months ago

Yeah, participation in web TLS requires the ability to regularly update your server and client code.

Nothing stays the same forever; software is never done. It’s absurd to pretend otherwise.