Learned a cute little trick on github today and figured I’d share in case there are others like me who didn’t know this.

If you are using a chrome/chromium based browser and hit a site with an expired certificate, you can click anywhere in the whitespace of the error page, type “thisisunsafe” (all one word), hit enter, and be brought to the page.

Right now https://nitter.net is having certificate issue so you can test it there.

Anyway, obviously be careful because bypassing a warning about an expired certificate is potentially dangerous.

⤋ Read More

@abucci@anthony.buc.ci I literally had to fix an outage this weekend caused by a weird certificate. Not external facing, but the security risk caused by it was nonexistent, and yet, it was implemented as a requirement and caused random unexpected breakage when it expired itself.

⤋ Read More

@abucci@anthony.buc.ci I think TLS is fine. I think PKI is a crock of garbage, because most participants in PKI are garbage, and Google has complete capture of it and makes decisions that work best for it, and not the real world.

Ultimately what I think should happen for certificate expiration is browsers should soft-warn for like a week or two after expiry, with like a yellow address bar, as opposed to trying to block navigation. The risk of an expired cert just doesn’t justify browser behavior.

⤋ Read More

@abucci@anthony.buc.ci Whether warning before or after the date is somewhat immaterial, except it slides the sysadmin window even narrower, for no good reason. Google’s already aggressively forced everyone to a 12 month deadline. Not everything supports Let’s Encrypt. And so every year we have a window where I have to rush around and update all the certs before the expiration date, but if I start the process too soon, then I am doing it every eleven months, because of that absolute 12 month cap.

And again, there’s nothing inherently less secure about a 13 month old cert than a 12 month old cert. About 99% of certificate behavior is security theater and Google flexing it’s ability to force everyone to do what it says.

⤋ Read More

Participate

Login to join in on this yarn.