Maximum (and minimum) certificate lifetimes?

Hi,

I think that the privacy policy could be a real problem.

  1. If some user requests information about what is “stored” about him: the law does not have an exception for “commercially reasonable efforts”.
     • So if they say that backup tapes are out of scope, this could be problematic.
  2. Same problem with deletion requests. I am not sure if there are exceptions for backup tapes and a limit to “commercially reasonable efforts”.

1 Like

But would that apply to services and data NOT hosted or residing in European jurisdiction?

Seems like this vein of conversation should be taken to the site feedback category.

2 Likes

At no time was it in the name. It's not Electronic Freedom Foundation, but Electronic Frontier Foundation.

3 Likes

AFAIK this is not true. Currently the client does not update itself.
I've looked in the repo and in the source and could not find such a feature. Do you have any sources for this?

1 Like
2 Likes

There is no link, but he says "According to Firefox Telemetry" which clearly shows the source. I could not find this data in the public version of the dashboard, but keep in mind that Mozilla is a main sponsor of LE and so I'm sure @josh had access to this data and could evaluate it.
Anyway I've asked whether a dashboard with such information could be made available for anyone.

I don't know how that would make it less secure.
You can always create the CSR (certificate signing request) from the private key file, so the only thing which has to be kept on the server is the private key and this does not

You don't need to manually check or be notified for every certificate, because before any certificate is issued it's checked whether this is possible for the domain. This is done by every CA and is not related to the cert lifetime.
So even if there are 2 certs valid for your domain (which should be the case for at least 30 days in reality if you renew every 60 days and the certs expire every 90 days) this does not decrease the security, because usually you are (or were) the only one who had access to the private keys of both.
And if this is not the case and one private key was stolen, this shows an advantage of 90-day certs: the old cert with the old private key expires quite shortly, and until your private key is stolen again you are secure.

1 Like


xkcd: Free Speech (CC-BY-NC licensed)

Until now they did not show you the door...
And they respect your criticism - I think that's very nice...

6 Likes

@rugk I think one time is enough.

1 Like

Yes, I fixed it. :blush:

2 Likes

So about the stats of the "29%" usage of 90-day certs.

As you can see there I got some more information. I was wrong, because you can in fact find this statistic on the public telemetry dashboard. Here it is:
SSL_OBSERVED_END_ENTITY_CERTIFICATE_LIFETIME

When you look at the current statistic from Firefox Beta 43 you'll see that around 30% of all certificates there have a lifetime of around 90 days. This beats the 1 year or longer ones (around 21%). Only the 2 year or longer ones may together be more or less the same amount as the 90-day certs if you start counting them at 728 days (together these are roughly 30%).
The data is taken from 2015/11/02 to 2015/11/16, so 15 days, where 6.51B samples were submitted.

2 Likes

Well, the question is: how widely is the beta used? I tried to check for the release 42 and 41 but found nothing…

1 Like

2015/11/03 to 2015/11/12 contain 6.506.614.838 samples.

  1. Does this mean that many different certificates were analysed, or HTTPS requests?
  2. You can also read the numbers so that only less than 36% like to use certs with less than 51 weeks of validity.
    And 51% like 52 or more weeks.
    So if I am a marketeer I would say we use 52 weeks, because this is the number that more than 1/2 of the interested people will like.
    Second, you could grab CT server and analyze how many domain www. smtp. etc. count as one use what time.
    Because I think the stats for 12 weeks are driven by maybe 2-5 global players only.

2 Likes

Question is also WHO are those 2-5 global players? Obviously Google, but they don't count since they have their own intermediate under GeoTrust, meaning they sign themselves. And that intermediate is even more than 3 years valid.

2 Likes

You are correct - and I stand corrected. Thank you for catching it.

1 Like

Just FYI: You can also edit your posts.

1 Like

That's a good question and I don't know the answer. You may do a quick test and look at about:telemetry to find this out or - if you have programming knowledge - may look into the Firefox source.
If anyone finds it out (or knows it because he is a Firefox dev working at this feature) it would be nice if he could post it here.

Yeah, but IMO one third is already quite surprising, as I mostly see 1 year certs when I look at sites of major SSL vendors.
So if you take one year as the default, it is much.

Yes this telemetry setting seems to be quite new. Additionally remember that Firefox telemetry collection in release versions is disabled by default (opt-in) while it is enabled by default in beta and alpha builds.

1 Like

I also disabled telemetry. But 6.000.000.000 samples, I think, must be per connection.
I do not believe there are that many FQDNs with certificates actively visited by beta users.
And if it is per connection, Google with YouTube etc. and many images will be overrated.

1 Like

How is your client going to update the certificate in an RDP server? Or maybe in a router? If I enable RDP on my workstation, I like to use a valid certificate so I don't get this MS notification.

I think it is a somewhat strange approach, starting with the short periods. Is it not more logical to have the 1 year period (at least available) and then, when your software is fully tested and operational, scale down this period?

2 Likes

The list keeps growing and still no useful reply.

It does remind me of how Robert Mugabe single-handedly destroyed the economy of Zimbabwe to the benefit of only multinational mining companies but in the name of the people. I believe he was not acting as his own man. From their behaviour we can suspect that LE has also already been compromised and it is best to find an alternate way to achieve the free (long life) certificate goal.

Just a few more use cases where automation is not ideal.

With an automated system on small sites with just one sysop, after a sysop change, if the automation breaks there will be little knowledge in most cases of how to recover to manually issued certs. Having the cert update application provided by the cert supplier as default is pretty much a conflict of security interests. It places two significant components into the same basket. If the app fails and takes LE down with it, the sysop will have to learn how to manually sign in a hurry from a new CA; he may not be up to the task.

Another use case relating to IoT that adds to my previous comment of limited time deployment. Yes, there may not be a need to protect my pop-up toaster, but what about battery operated sensors that have expected mission profiles of a couple of years and do not have reliable or regular internet access and must rely on passing hot-spots to communicate? It seems that having a certificate that is valid for the duration (39 months battery life matches the max cert lifetimes VERY nicely in my opinion) of their mission profile would make a lot more sense. Having to pay for a long life cert on a US€5 sensor does seem a bit much though.

Also, please, to all those citing Google use: enough already. I have not seen a single Google person come here saying they want LE certs to be 90 days; they are not shopping for free 1-year certs, so they are not the target market. Start listening to the potential customers.

I thought this was a bit of a quiet thread when I commented earlier and thought, do so few care, but it seems that not everyone had thought it through and now that a lively chorus has been raised LE ignores it.

As I have written somewhere else, "Quacks like a duck?"

4 Likes

I'm sorry, but you're taking it too far. Comparing Let's Encrypt to a dictator? What would be the point of compromising a free CA, when you have tens of other CAs in your jurisdiction which you could compromise just as easily (and probably already have)? CAs which do not support things like Certificate Transparency?

There seems to be a big misunderstanding in terms of what you call "ignoring" the feedback. There's been plenty of feedback to the points that were raised, both here and in the blog post on this topic. Their goals don't have to align with yours to 100%, I don't know what makes you think that should be the case.

Their goal is to push for 100% TLS deployment, with better security and better tooling. Most security experts agree that security needs automation. Most security experts agree that shorter certificate lifetimes have major benefits over long lifetimes (and that's the reason Google keeps being brought up, not because they are the target market). That is the reason they are sticking with 90 days, not because they are somehow "compromised" (and I can't believe someone would make that claim).

2 Likes