> DoD Cyber Exchange site is undergoing a TSSL Certification renewal
TSSL renewal does not cause downtime.. If it's actually done of course.
petcat 18 minutes ago [-]
Is there anything inherently insecure about an expired cert other than your browser just complaining about it?
zeroxfe 13 minutes ago [-]
Expiries are a defence-in-depth that exist primarily for crypto hygiene, for example to protect from compromised keys. If the private key material is well protected, the risk is very low.
However, an org (particularly a .mil) not renewing its TLS certs screams of extreme incompetence (which is exactly what expiries are meant to protect you from.)
mr_mitm 13 minutes ago [-]
No, but it reflects poorly on the maintainer. Plus, any browser complaint contributes to error fatigue. Users shouldn't just ignore these, and we shouldn't encourage them to ignore them just because we fail at securing our websites.
UqWBcuFx6NV4r 8 minutes ago [-]
“No, but it reflects badly because it’s an error, and because it’s an error it contributes to error fatigue, which is bad” is a very verbose way to say that you don’t have an answer.
macintux 5 minutes ago [-]
Your comment history reflects a persistent approach: insulting the person you're replying to.
There is a reason why certs have expiration dates. It's to control the damage after the site owner or someone else in the cert chain messes up. That doesn't mean they are inherently bad, only that you should still care about it.
gpvos 31 seconds ago [-]
On the contrary, it's a very precise answer.
Manfred 14 minutes ago [-]
To prevent abuse, for example to prevent an old owner of a domain from having a valid certificate for the domain indefinitely after transfer.
sciencejerk 9 minutes ago [-]
Yes. Visitors to the site are vulnerable to Man in the Middle (MitM) attacks, IF they click past the warning (which many people do)
7 minutes ago [-]
LadyCailin 4 minutes ago [-]
That’s not true. The encryption still works as well as it did 3 days ago, and doesn’t care if the certificate is expired.
belter 5 minutes ago [-]
[dead]
m348e912 13 minutes ago [-]
Not inherently, but it can introduce risk. Such as a bad actor using an old expired certificate it was able to acquire to play man-in-the-middle. But if that is happening you have bigger problems.
PilotJeff 3 minutes ago [-]
Can you live without your immune system? Sure, for a little while. It’s the defense against man in the middle and many other things.
Spooky23 15 minutes ago [-]
It's a pretty dopey thing to miss.
ddtaylor 7 minutes ago [-]
MITM
tuwtuwtuwtuw 18 minutes ago [-]
> Users on civilian network can continue downloads through the Advance tab in the error message.
Good stuff.
DANmode 9 minutes ago [-]
“Do you want it or not?”
…or were you referring to the piss-poor English used? ^_^
whalesalad 6 minutes ago [-]
"We have sent you a OTP code of 459-312 please check your device and enter this code below"
dmitrygr 19 minutes ago [-]
So what? They keep shortening the validity length of these certificates, making them more and more of a pain to deal with.
SAI_Peregrinus 6 minutes ago [-]
And in turn making revocation less & less of a pain. Since that was more of the pain, overall it's getting easier.
gslepak 13 minutes ago [-]
Using old compromised certificates is a legitimate MITM attack vector.
dmitrygr 12 minutes ago [-]
Which would make sense if they were valid for 10 years and somebody forgot about them. Not when they’re valid for, what is it now, 40 days?
smashed 5 minutes ago [-]
An official government source is teaching users to ignore security warnings about expired certificates.
Mistakes happen, some automation failed and the certs did not renew on time, whatever. Does not inspire confidence but we all know it happens.
But then to just instruct users to click through the warning is very poor judgement on top of poor execution.
dmitrygr 1 minutes ago [-]
This was the predictable outcome of shortening certificate length validity to a point where they are now.
hhh 18 minutes ago [-]
because you need to automate it
dmitrygr 17 minutes ago [-]
Which is yet another chore. And it doesn’t add any security. A certificate expired yesterday proves I am who I am just as much as it did yesterday. As long as the validity length is shorter than how long it would take somebody to work out the private key from the public key, it is fine.
bombcar 16 minutes ago [-]
Shortening certificate periods is just their way of admitting that certification revocation lists are absolutely worthless.
nathanaldensr 12 minutes ago [-]
Right. It's the same debate about how long authorization cookies or tokens should last. At one point in time--only one--authentication was performed in a provable enough manner that the certificate was issued. After that--it could be seconds, hours, days, years, or never--that assumption could become invalid.
danesparza 13 minutes ago [-]
An expired cert is a smell. It shows somebody isn't paying attention.
And a short expiration time absolutely increases security by reducing attack surface.
ajsnigrutin 11 minutes ago [-]
Or that someone asked to renew it, one of their four bosses didn't sign off the appropriate form, the only person to take that form to whoever does the certs is on a vacation, person issuing certs needs all four of his bosses to sign it off, and one of those bosses has been DOGE-ed and not yet replaced.
expired letsencrypt cert on a raspberrypi at home smells of not paying attention... with governments, there are many, many points of failure.
dmitrygr 9 minutes ago [-]
It did until it got so short that it created a new potential attack surface — the scripts everyone is using to auto update them.
organsnyder 6 minutes ago [-]
Compared to the manual processes these scripts replaced, I'd put more trust in the automations.
dmitrygr 31 seconds ago [-]
And the original article shows you how that is going
dpoloncsak 15 minutes ago [-]
Isn't that why certificates expire, and the expiry window is getting shorter and shorter? To keep up with the length of time it takes someone to crack a private key?
shagie 5 minutes ago [-]
It's also a "how much exposure do people have if the private key is compromised?"
Yes, it's to make it so that a dedicated effort to break the key has it rotated before someone can impersonate it... it's also a question of how big is the historical data window that an attacker has i̶f̶ when someone cracks the key?
dmitrygr 11 minutes ago [-]
No. The sister comment gave the correct answer. It is because nobody checks revocation lists. I promise you there’s nobody out there who can factor a private key out of your certificate in 10, 40, 1000, or even 10,000 days.
dpoloncsak 6 minutes ago [-]
I thought I remembered someone breaking one recently, but (unless I've found a different recent arxiv page) seems like it was done using keys that share a common prime factor. Oops!
On the one side all the users will need to prove their ID to access websites, and on the website side the site will have to ask permission to continue operating at ever increasing frequency.
That is the future we have walked into.
k33n 10 minutes ago [-]
DNSSEC+DANE will fix it. Soon we will have self-signed certificates once again!
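
Much of the thread turns on renewal automation failing without anyone noticing. As an added example (not code from the thread or from any commenter), here is a check that flags certificates before they lapse, using a renewal threshold expressed as a fraction of each certificate's lifetime so it keeps working as validity periods shrink. The inventory, the host names and the one-third threshold are assumptions; the date strings use the `notBefore`/`notAfter` format that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

def to_utc(cert_time):
    """Parse a 'Jun 18 00:00:00 2025 GMT' style timestamp into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def renewal_status(not_before, not_after, now, renew_fraction=1 / 3):
    """Return (status, whole days until expiry) for one certificate.

    renew_fraction is an assumed policy: renew once this share of the
    total lifetime (or less) remains.
    """
    start, end = to_utc(not_before), to_utc(not_after)
    days_left = (end - now).days
    if now >= end:
        return "expired", days_left
    if now < start:
        return "not-yet-valid", days_left
    if end - now <= (end - start) * renew_fraction:
        return "renew-now", days_left
    return "ok", days_left

def audit(inventory, now):
    """Return (host, status, days_left) for every cert needing attention, most urgent first."""
    findings = []
    for host, not_before, not_after in inventory:
        status, days_left = renewal_status(not_before, not_after, now)
        if status != "ok":
            findings.append((host, status, days_left))
    return sorted(findings, key=lambda f: f[2])

# Constructed sample data: three 90-day certificates on made-up hosts.
INVENTORY = [
    ("portal.example",    "May  1 00:00:00 2025 GMT", "Jul 30 00:00:00 2025 GMT"),
    ("downloads.example", "Mar 20 00:00:00 2025 GMT", "Jun 18 00:00:00 2025 GMT"),
    ("legacy.example",    "Feb 28 00:00:00 2025 GMT", "May 29 00:00:00 2025 GMT"),
]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the result is reproducible

if __name__ == "__main__":
    for host, status, days_left in audit(INVENTORY, NOW):
        print(f"{host}: {status} ({days_left} days)")
```

Run from a scheduler independent of the renewal job itself, a check like this catches the case where the automation stopped working weeks before the certificate actually expired.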
Please reflect on the site guidelines. https://news.ycombinator.com/newsguidelines.html
Fwiw: https://arxiv.org/abs/2512.22720