Well, the “but since that writing” point most probably has NOTHING to do with HTTPS in the first place but with the fact that
a) the server was not secured so attackers could get the data
b) the data, especially the passwords, were badly secured (e.g. in Yahoo’s case hashed with MD5)
As you said, data at rest vs. data at target. HTTPS cannot be used for data at rest; you need something else for that, like doing the handling of payments and other secure data on a “blackbox server” which is even a blackbox for the web server. The web server just forwards all the secure data to it. Make sure the server can ONLY be accessed through those APIs from any server, and that only a highly secure admin login can get into the server itself.
So the web server would tell the security server “I have a login for user x with password y” and then the sec server could
a) also handle the sessions
b) just reply with a (signed) okay or not-okay message, and the web server then does the session handling.
And for things like payments, the web server would just tell the security server “The user x wants to pay amount y with CC information z”
and now there are 2 options for the security server as well:
a) the security server handles all the payment interactions by itself and replies with the result
b) the security server tells the web server how to interact with the payment service (API URLs and so on) and the web server does the interaction.
And while I honestly think that 90 days are annoying at any place where you can't properly automate the stuff, there certainly are good reasons for shorter cert times.
Simply said, revocation handling on anything except for EV certs is plain trash.
Go open Chrome on your phone and type in:
revoked.grc.com
More likely than not you will not get a cert warning but a site stating that your browser is revocation-unaware.
More on that here:
https://www.grc.com/revocation.htm
CDNs, on the other hand, are their own complete problem. Yeah, it is possible that CDNs can get problems, but delivering static stuff, especially BIG static stuff or static stuff that gets a metric ton of accesses (or both), can really get help from that standpoint. Steam for example is using Akamai as a CDN, and guess what, even they get DoS'd big time when summer and Xmas come due to the sheer amount of people. Imagine the situation without a CDN, with the servers experiencing a much heavier load due to also having to deal with static files.
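As an added illustration of the “signed okay or not-okay message” exchange described in the post (example code, not the poster's), this sketches the two halves: a security-server side that stores only salted PBKDF2 hashes (rather than the MD5 the post criticises) and answers with an HMAC-signed verdict, and a web-server side that trusts a verdict only if the tag verifies and it is fresh. The shared key, record format and the 30-second freshness window are constructed assumptions for the demo.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed demo key; in a real deployment each side loads it from its own secret store.
VERDICT_KEY = b"constructed-shared-key-for-demo"
PBKDF2_ROUNDS = 100_000


# --- security-server side -------------------------------------------------
def make_record(password: str) -> dict:
    """Store a per-user salt and a PBKDF2-SHA256 digest, never the password or a bare MD5."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def sign_verdict(user: str, ok: bool, key: bytes = VERDICT_KEY) -> str:
    """Canonical JSON body plus an HMAC tag, so the web server can detect tampering."""
    body = json.dumps({"user": user, "ok": ok, "ts": int(time.time())}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag  # tag is hex, so rsplit on the last "." recovers both parts


def check_login(records: dict, user: str, password: str) -> str:
    """What the security server does with 'I have a login for user x with password y'."""
    rec = records.get(user)
    if rec is None:
        return sign_verdict(user, False)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(rec["salt"]), PBKDF2_ROUNDS)
    return sign_verdict(user, hmac.compare_digest(digest.hex(), rec["hash"]))


# --- web-server side ------------------------------------------------------
def verify_verdict(message: str, key: bytes = VERDICT_KEY, max_age: int = 30) -> bool:
    """Accept only a correctly tagged, fresh verdict; reject anything else as 'not okay'."""
    try:
        body, tag = message.rsplit(".", 1)
    except ValueError:
        return False
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time tag comparison
        return False
    verdict = json.loads(body)
    if time.time() - verdict["ts"] > max_age:  # stale verdicts cannot be replayed later
        return False
    return bool(verdict["ok"])
```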