hachyderm.io is one of the many independent Mastodon servers you can use to participate in the fediverse.
Hachyderm is a safe space, LGBTQIA+ and BLM, primarily comprised of tech industry professionals world wide. Note that many non-user account types have restrictions - please see our About page.


#certificates


@dianasusanti : very good! It would help if more people did that.

Of course "avast-pdq dot com" sounds weird, but these scammers also had (or still have, I'm not sure):

avast-antivirus dot com

(see virustotal.com/gui/domain/avas).

HOWEVER: it is too hard for most people and simply insufficient. There are a lot of fake webshops whose domain name you don't know in advance.

A domain name is a *unique* identification (good!) but it does *not* identify (bad!) who is responsible for a website.

Certificates *used* to provide that information, but Big Tech insisted on "simpler", in fact anonymous, certificates - as can be seen below. There is *no* information regarding the owner of the website, including their country of jurisdiction.

We were used to visiting shops in streets. It is extremely hard to run a fake physical shop (or bank with a counter and employees), while it is incredibly easy to create an anonymous website that may mimic everything the scammers want.

Perhaps there were more scammers on pasars (markets) because a new salesperson can appear any day - possibly without permits. Doing that in an actual building is harder.

P.S. a site to look up certificates is crt.sh (example: crt.sh/?q=google-ivi.com).

Why I Understand Hoarders

To be clear, I am not a hoarder. I have downsized more often than I can count and I regularly donate items to the thrift store. At the same time, I have some things that are very hard to dispose of.

This week, my focus is on the artwork created by my late husband. He was very talented at drawing and painting and he occupied a lot of his work time and personal time being creative. Some of his works are excellent, some are okay, and some are . . . well, not great. That’s what the creative life is like. Variable.

At some point, I forwarded some of his best works to family members and friends so that they all could have a creative remembrance of him. But even after that, I still have a lot of drawings, paintings, and notes to make decisions about.

There are some excellent pieces, some okay pieces, and some not-so-great pieces that all occupy a space in my apartment, and I don’t know what to do with it all. The not-knowing is the hard part. I emailed my children to see if they wanted any of it, and they declined. So, the choices are left to me but they are not easy choices.

When I mentioned my dilemma to a friend she shared her own question about what to do with her late husband’s many award plaques that were of value to him, and appreciated by those who loved him, but otherwise not destined for display.

How do you dispose of artwork, or certificates of excellence, or plaques for awards, when their recipient has passed on? They all belong in the category of too-extraneous-to-keep-but-too-good-to-trash, and they cannot easily be thrown in a dumpster.

As such, today I chose a compromise. I met with a photographer who specializes in artwork to have some of my husband’s illustrations digitized. Many decades ago my husband created two books for children on watercolour paper, but they were never published. Since then they have languished in a portfolio which has been relocated multiple times and now sits under my guest-room bed.

When I showed the pages to the photographer we discussed how best to deal with the stains from moisture, the leaching from adjacent pages, and warping. We were talking about many decades of neglect. Ultimately, though, he thought that he and his computer could do them justice. I will be interested to see what he comes up with.

The question I am still left with now, though, is what I should do with the originals. I don't know if I am capable of putting them in the garbage containers in my apartment building. I don't even know if I could put them in the paper recycling bin. Does anyone know? Perhaps they are just trash. Either way, I think I'll simply ask the photographer to do it. I might even pay him to do it. That's a good hoarder's solution, don't you think?

New 6-days Validity of Let’s Encrypt Certificates

I just saw this great news: Let’s Encrypt Announces 6-day Validity Certificates

Let’s Encrypt, the non-profit certificate authority, has introduced six-day validity certificates, commonly referred to as short-lived certificates.

Shorter validity periods are great for security. Traditional certificates can last up to a year, meaning if they get compromised, they remain a threat for a long […]

locked.de/new-6-days-validity-
#Certificates #LetsEncrypt #Security


@epicenter_works

I believe one should not be promoting biometrics for #authentication.

It is also questionable whether no longer being able to create #pseudonymous accounts is desirable, once service providers are no longer offering accounts except under terms that mandate non-repudiation – or, in other words, enforce signups with credentials that are linked to your real identity. It's their choice, and you can't force them not to make it, once the infrastructure is in place and widely used.

Another problem that keeps being ignored: there's no "Let's encrypt" for digital IDs. You need to spend money, periodically, on creating and renewing #certificates. Even if your country gives you a free option, it'll be one that links to your real identity, as well.

@jwijnings : community-based sounds nice, but I fear it does not work in practice: criminals will do *everything* they can to get their sites scored positively.

It is not for nothing that PGP turned out to be completely unscalable, and criminals have placed public keys in other people's names on public keyservers - where the people with those names can do *nothing* about it.

And a browser plugin is far too voluntary; that will come to nothing.

One way or another, in my opinion there is no way around trusting one or more third parties (certificate issuers) who (more or less reliably) establish the identity of those responsible for websites (but this is something you definitely should not leave to big tech itself, as happens now).

The "community" (trustworthy members of it, and/or objective auditors) would then repeatedly have to establish how trustworthy each *CERTIFICATE ISSUER* is.

• For every website whose responsible party is ANONYMOUS, browsers must indicate this clearly (and point out the risks when clicking through).

• For every website whose responsible party is NOT anonymous, browsers must clearly indicate the following:

1) who the responsible party is

2) how reliably the identity of the responsible party was established

3) how trustworthy the certificate issuer was last rated by "the community", when and by whom.

And all of this with an easily findable, extensive and clear explanation of what the internet user must take into account, including that an https website certificate says *NOTHING* about the trustworthiness of that site and its owner, but does tell you HOW RELIABLY you know WHO THE RESPONSIBLE PARTY is.

All the information about the responsible party does not have to be pushed in your face on every visit, but in any case on the first visit to a domain name, and on every certificate change. Geo-info about the current IP address (country of establishment) can also be useful.

To get this off the ground effectively, the EU must oblige every browser maker to facilitate this. Without compulsion it will come to nothing.

P.S. I now also know of a phishing domain name with "google" in it, which hid behind Cloudflare last year - and was provided with a certificate issued by GOOGLE.

Big tech really doesn't give a damn.

Most people don't see it, but with a little searching you quickly discover that, when using the internet, we are walking a tightrope - without a balance pole and without fall protection.
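As an added example (not part of any post here), the following Go program shows what a browser or scanner can and cannot read from a site's leaf certificate: whether the subject names an organisation and country (absent on domain-validated certificates, which is the "anonymous" case described above) and how long the certificate is valid (flagging lifetimes of 7 days or less, like Let's Encrypt's new 6-day profile). The certificates, names and the 7-day threshold are constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IdentityReport records who a leaf certificate says is responsible for a site, and for how long it is valid.
type IdentityReport struct {
	Organization string        // empty on domain-validated (DV) certificates
	Country      string        // jurisdiction, only if the CA asserted one
	Anonymous    bool          // no O and no C: the cert names only a domain
	Validity     time.Duration // NotAfter minus NotBefore
	ShortLived   bool          // 7 days or less, like Let's Encrypt's 6-day profile
}

// Inspect summarises the subject and validity period of a parsed certificate.
func Inspect(cert *x509.Certificate) IdentityReport {
	r := IdentityReport{Validity: cert.NotAfter.Sub(cert.NotBefore)}
	r.Organization = strings.Join(cert.Subject.Organization, ", ")
	r.Country = strings.Join(cert.Subject.Country, ", ")
	r.Anonymous = r.Organization == "" && r.Country == ""
	r.ShortLived = r.Validity <= 7*24*time.Hour
	return r
}

// selfSigned builds a constructed self-signed test leaf so the example runs offline; a CA-issued cert is inspected the same way.
func selfSigned(subject pkix.Name, lifetime time.Duration) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // test key; rand.Reader failures are not expected
	now := time.Now().Truncate(time.Second)           // X.509 stores times to the second
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject,
		DNSNames: []string{subject.CommonName}, NotBefore: now, NotAfter: now.Add(lifetime)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed DV-style leaf: CN only, 6-day lifetime like the new Let's Encrypt profile.
	dv, _ := selfSigned(pkix.Name{CommonName: "shop.example"}, 6*24*time.Hour)
	fmt.Printf("%+v\n", Inspect(dv))
}
```

Run against a real leaf (for example one fetched via `crypto/tls`), the same `Inspect` call shows the distinction the post is after: a DV certificate yields Anonymous:true, an OV/EV one carries an organisation and country.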

Via a domain name in blog.sekoia.io/targeted-supply I again found a whole series of IP addresses in the US and FR with heaps of fake sites, including malicious Chrome extensions, as can be seen below (from virustotal.com/gui/domain/chat):

Google is malicious

Extremely so: they even host - without batting an eyelid - phishing websites with the following URLs (I have replaced ".com" with "·com", with a "high" dot, and the '/' with '⧸', to prevent unintentional opening):

https:⧸⧸helpdesk-google·com
https:⧸⧸cancel-google·com
https:⧸⧸adsupport-google·com

Much more info in security.nl/posting/872651/htt.

Edit 15:14: I see that the editors of security.nl have removed my article (so much for freedom of expression). I had archived the article: archive.is/3UwWn.

I have to have an addons.mozilla.org API key to sign an extension I will only use myself, since I cannot enable the use of unsigned extensions.

IMO this is what enforcing either a CA-based approach or an insecure approach, and kicking out the self-signed option, leads to (yes, I am referring to TLS certificates).