• 486@lemmy.world
    link
    fedilink
    English
    arrow-up
    108
    ·
    11 days ago

    I understand their reasoning behind this, but I am not sure, this is such a good idea. Imagine Letsencrypt having technical issues or getting DDoS’d. If the certificates are valid for 90 days and are typically renewed well in advance, no real problem arises, but with only 6 days in total, you really can’t renew them all that much in advance, so this risk of lots of sites having expired certificates in such a situation appears quite large to me.

    • Justin@lemmy.jlh.name
      link
      fedilink
      English
      arrow-up
      19
      arrow-down
      2
      ·
      11 days ago

      That’s true, but it would also have to be a serious attack for LE to be down for 3 entire days. There are multiple providers for automated certs, so you could potentially just switch if needed.

        • Justin@lemmy.jlh.name
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          edit-2
          9 days ago

          Most companies weren’t suited for automatic certs either, but now they are

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        17
        ·
        edit-2
        10 days ago

        The attack would only need to last for a day or two, and then everyone requesting updated certs when it stops could push enough people outside the 6-day window to cause problems. 6 days is probably long enough to not be a huge issue, but it’s getting close to problematic. Maybe change to 15 days, which should avoid the whole issue (people could update once/week and still have a spare week and a day to catch issues).

    • frezik@midwest.social
      link
      fedilink
      English
      arrow-up
      5
      ·
      edit-2
      10 days ago

      I volunteer to help with IT at a makerspace, and I hesitate to go for 6 day expiration times. As volunteers, we can’t always fix problems in a timely way like paid IT staff could. We try to automate the hell out of everything, but certs have gone a day or two without getting updated before.

    • Azzu@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      19
      ·
      10 days ago

      No one forces you to use let’s encrypt certificates. Can just quickly switch to another one temporarily.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        17
        ·
        10 days ago

        Yeah, if you notice within that 6-day window before it expires. If you don’t catch it, your service could be down while you fix it, and that’s bad.

          • Ænima@lemm.ee
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            1
            ·
            10 days ago

            Yeah you might be on vacation when it happens

            What the fuck is a vacation?

            • superkret@feddit.org
              link
              fedilink
              English
              arrow-up
              3
              ·
              9 days ago

              It’s a recent European invention, where you travel to other countries without your army.

              • Ænima@lemm.ee
                link
                fedilink
                English
                arrow-up
                2
                ·
                9 days ago

                But what if my army gets sad without me? What if I bring just some army? Ya know, in a travel carrier.

          • oldfart@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            10 days ago

            And then you forget about CAA records and wonder why it’s not working