Expired SSL certificate - chton
https://manjaro.github.io/expired_SSL_certificate/

======
thejosh
WTF, changing your PC date is not a solution! This will cause more issues.

~~~
UnoriginalGuy
A much better workaround would have been to install SuperFish as that
completely disables all certificate checking on SSL.

------
jng
What is shocking is that they still haven't found the way to properly fix it
after 3 days.

I updated some SSL certificates last week (which even required contortions
such as moving to a new issuer since some legacy software requires old-style
SHA-1 signed ones which our current one doesn't provide), and it didn't take
more than one (long) day of work.

~~~
jonathonf
It's just embarrassing.

I can only assume the sysop is on holiday.

~~~
josephmx
Checking their about page, they have 3 web developers, one of whom wrote that
post. That's worrying.

~~~
vacri
The available web developers may not have access to either the SSL vendor or
where the certificate is stored. None of the front-end devs I work with have
access to either of those things.

~~~
IgorPartola
The first problem is solved by getting a new vendor. The second, well someone
has to have access to that.

------
billpg
I wonder if browsers should for (say) a week after a cert has expired, show an
error so alarms are raised, but allow the dialog to be dismissed with an OK
instead of all the "Confirm Security Exception" that would go on for a more
serious cert rejection.

~~~
drinchev
I don't agree. If this happens, same rule should apply for domain name
expiration.

~~~
ikeboy
You just made me wonder what happens if you have a cert but let the name
expire. Can you MITM your old domain until the cert expires?

~~~
icebraining
Sure, if you can get the client to connect through your machine.

~~~
ikeboy
If that's the case, shouldn't all certs only be valid until the domain
expires, and shouldn't all domain name sales require revocation of all certs?

~~~
icebraining
Sure, but how do you enforce the latter?

~~~
ikeboy
The latter can't be enforced, but individual buyers can demand that for all
known certs.

And I think you can currently get certs expiring later than the domain, which
seems wrong to me. Is there a good justification for that?

------
ntoshev
Our website monitoring service [https://t1mr.com](https://t1mr.com) will warn
you before your certificate expires (in addition to warning you when your site
is down, and giving you reports of inbound and outbound dead links).

~~~
falcolas
As does nagios' http check with the -c option. Basic monitoring helps solve so
many problems.
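
The kind of check falcolas and ntoshev are describing, written out as an added example (this is not code from the thread, from Nagios or from t1mr): it reads notAfter from the server's verified certificate and maps the days remaining onto Nagios-style states and exit codes. The 14-day threshold and the default host name are assumptions. One caveat a practitioner wants built in: a certificate that has already expired fails chain verification before the date can be read at all, so that case has to be reported from the handshake error rather than from the date arithmetic.

```python
import socket
import ssl
import time

# Warn this many days before notAfter (threshold is an assumption for this example).
WARN_DAYS = 14
# Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
EXIT_CODES = {"OK": 0, "WARNING": 1, "CRITICAL": 2, "UNKNOWN": 3}


def days_until_expiry(not_after, now=None):
    """Days remaining until a certificate's notAfter, given in the string
    format returned by ssl.SSLSocket.getpeercert(), e.g.
    'Mar 30 00:00:00 2015 GMT'. Negative means it has already expired."""
    expires = ssl.cert_time_to_seconds(not_after)  # interpreted as UTC
    if now is None:
        now = time.time()
    return (expires - now) / 86400.0


def classify(days, warn_days=WARN_DAYS):
    """Map days-remaining onto a monitoring state."""
    if days < 0:
        return "CRITICAL"
    if days < warn_days:
        return "WARNING"
    return "OK"


def check_host(host, port=443, warn_days=WARN_DAYS, timeout=5.0):
    """Connect to host, verify its chain as a browser would, and return
    (state, days_remaining, detail).

    With a verifying context an expired certificate aborts the handshake,
    so getpeercert() is never reached for it; report that from the
    exception instead of treating 'no date' as healthy."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return "CRITICAL", None, "verification failed: %s" % exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return "UNKNOWN", None, str(exc)
    days = days_until_expiry(not_after)
    detail = "expires %s (%.1f days left)" % (not_after, days)
    return classify(days, warn_days), days, detail


if __name__ == "__main__":
    import sys

    # Host to probe is an assumption; pass your own on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    state, _, detail = check_host(target)
    print("%s - %s" % (state, detail))
    sys.exit(EXIT_CODES[state])
```

Run it from cron or as a Nagios plugin; the exit code carries the state, so a WARNING fires two weeks before the day the site starts failing handshakes.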

------
seqizz
Should we set it to 1st of April?

------
agarcia-deniz
I can't help but notice the motto:

Enjoy the simplicity

------
Karunamon
Rant mode:

If I understand right, getting a replacement cert doesn't result in a change
of the private key anyways.

It's just magically, on the expiration date, your cert is somehow insecure and
we must treat it as if YOU ARE IN DANGER!! - even though it's still better
than the plain HTTP that everyone uses every single goddamned day. Hell, a
self-signed cert is better than plain HTTP, yet for some backwards-ass reason
we treat it as worse, despite the fact it makes you immune from passive
eavesdropping and any injection attacks, which the average person is a lot
more likely to run into than a self-signed cert being used by an attacker to
MITM you.

CAs are a scam and a racket. I can't wait for Mozilla's Let's Encrypt[1] to
come along and put them all out of business, hopefully before the last decade
or so of training users to ignore the wolf-crying cert warnings comes to
fruition.

Yeah, this is irresponsible on Manjaro's part, they know the rules of the
game, but the game is broken!

[1] [http://letsencrypt.org](http://letsencrypt.org)

~~~
billpg
A "passive eavesdropper" has all the information they need to become an active
man-in-the-middle. Observe the DNS query on its way out and send your own
response with your IP before the real response comes back. The client will
then make its TCP connection to that injected IP.

~~~
userbinator
_send your own response with your IP before the real response comes back_

Being able to inject traffic is not "passive".

~~~
billpg
The DNS response doesn't have to come from the same channel as the original
request. If you've got an ISP that doesn't check the source IP of what you're
sending, your target's endpoint will see your fake response and treat it as
the real one.

Where we stand now, the only thing stopping an eavesdropper from becoming a
man-in-the-middle is the will and resources of that eavesdropper.

~~~
Karunamon
Yup - but there's still a difference. Someone might just want to snoop on your
traffic rather than mess with it.

------
abofh
30 minutes, Comodo reseller, seriously. You won't get SHA256, but you won't be
asking your users to hurt themselves.

------
bitJericho
Don't pretty much all browsers let you accept using an expired certificate?

~~~
jonathonf
The issue is with HSTS. If you've visited the site before you've likely cached
that SSL is required and your browser will refuse to connect. Using e.g. a
'private window' will allow it to be bypassed.

~~~
nileshtrivedi
> Using e.g. a 'private window' will allow it to be bypassed

In Firefox, yes. But not in Chrome (in my experience).
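
A model of the HSTS behaviour jonathonf refers to, added here as an example rather than taken from any browser's code or from the thread: a known-hosts cache keyed by host name, the RFC 6797 superdomain match that only applies when includeSubDomains was set, expiry of an entry after max-age, and the rule that a TLS error (an expired certificate included) on a known host gets no click-through. The host names are constructed sample data.

```python
import time

# Constructed sample hosts for this example; not from the original thread.
SITE = "www.example.com"
SUBDOMAIN = "mirror.www.example.com"


def parse_hsts(header):
    """Parse a Strict-Transport-Security header (RFC 6797 section 6.1).

    Returns (max_age_seconds, include_subdomains), or None when the header
    is invalid: max-age is mandatory. Directive names are case-insensitive
    and max-age may be quoted."""
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Minimal model of a browser's HSTS known-hosts cache."""

    def __init__(self):
        # host -> (expiry as epoch seconds, include_subdomains)
        self._entries = {}

    def note_response(self, host, header, now=None):
        """Record the header from a response received over a verified
        HTTPS connection (browsers ignore HSTS on errored connections)."""
        now = time.time() if now is None else now
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:  # max-age=0 instructs the client to forget the host
            self._entries.pop(host, None)
            return
        self._entries[host] = (now + max_age, include_subdomains)

    def is_known(self, host, now=None):
        """True if host itself, or a superdomain that set includeSubDomains,
        has an unexpired entry (RFC 6797 section 8.2/8.3 matching)."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def on_certificate_error(self, host, now=None):
        """RFC 6797 section 8.4: on a known HSTS host any TLS error terminates
        the connection and the user is not offered an exception dialog."""
        if self.is_known(host, now):
            return "terminate: no click-through offered"
        return "interstitial: user may add an exception"


def demo(now=1000):
    """Constructed walk-through; returns the decisions the model makes."""
    store = HstsStore()
    store.note_response(SITE, "max-age=31536000", now=now)
    results = {
        "site_known": store.is_known(SITE, now=now + 1),
        "subdomain_known": store.is_known(SUBDOMAIN, now=now + 1),
        "site_error": store.on_certificate_error(SITE, now=now + 1),
        "subdomain_error": store.on_certificate_error(SUBDOMAIN, now=now + 1),
    }
    # Re-pin with includeSubDomains and a short max-age, then let it lapse.
    store.note_response(SITE, "Max-Age=600; includeSubDomains", now=now)
    results["subdomain_known_after_isd"] = store.is_known(SUBDOMAIN, now=now + 599)
    results["subdomain_known_after_expiry"] = store.is_known(SUBDOMAIN, now=now + 601)
    store.note_response(SITE, "max-age=0", now=now)
    results["site_known_after_clear"] = store.is_known(SITE, now=now + 1)
    return results
```

The model explains the two behaviours in the thread: a first-time visitor (empty cache) sees an interstitial they can click through, while a returning visitor with a cached entry is hard-failed, and a private window only helps where the browser keeps a separate, empty HSTS cache for it.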

------
lauriswtf
Why is this on the frontpage?

~~~
bitJericho
Because it's kind of completely ridiculous; both the problem and the proposed
solution.

~~~
tommorris
...and the fact that it kind of suggests that you might not want to trust a
Linux distro to get security right on your boxes if they are unable to fix
their SSL certs after 3 days.

~~~
creshal
Manjaro had a rather… iffy relationship with developing a security mindset in
the past: [http://allanmcrae.com/2013/10/comparison-of-security-issue-h...](http://allanmcrae.com/2013/10/comparison-of-security-issue-handling/)

It appears they're not learning.

~~~
jonathonf
The two are not really related.

With regard to package updates, when Arch started publishing security update
announcements Manjaro could start pushing those out faster. Delayed updates of
other upstream packages is not really an issue (e.g. Ubuntu and CentOS have
many packages that are not in sync with upstream).

------
HendrikR
This is really awesome. Why do certificates expire in the first place?

~~~
billpg
By having an expiry, revoked certs can be forgotten about once the expiry has
passed. We'd need to keep a forever growing list of revocations otherwise.

~~~
legulere
Also certs get switched to ones with stronger algorithms and longer keylengths
after expiry. You also would have to revoke old certs all the time when their
crypto isn't safe anymore.
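
billpg's point about revocation lists, worked through as an added example (constructed for this page, not code from the thread or from any CA software): an entry can be dropped once the revoked certificate's own notAfter has passed, which is what keeps the list bounded, but only if the relying party tests expiry before consulting the list. The serials and dates are made up; times are epoch seconds.

```python
import time

DAY = 86400


class RevocationList:
    """Model of a CA's revocation list. Each entry carries the revoked
    certificate's notAfter so it can be forgotten once that date passes."""

    def __init__(self):
        # serial -> (revoked_at, not_after)
        self._revoked = {}

    def revoke(self, serial, not_after, revoked_at=None):
        revoked_at = time.time() if revoked_at is None else revoked_at
        self._revoked[serial] = (revoked_at, not_after)

    def prune(self, now=None):
        """Drop entries whose certificate has expired; return the count.
        Without expiry dates this step would never remove anything."""
        now = time.time() if now is None else now
        stale = [s for s, (_, not_after) in self._revoked.items() if not_after <= now]
        for serial in stale:
            del self._revoked[serial]
        return len(stale)

    def __len__(self):
        return len(self._revoked)

    def status(self, serial, not_after, now=None):
        """Correct order: validity period first, list second. A certificate
        that was pruned because it expired is reported 'expired', never 'good'."""
        now = time.time() if now is None else now
        if not_after <= now:
            return "expired"
        if serial in self._revoked:
            return "revoked"
        return "good"

    def naive_status(self, serial):
        """Wrong order, kept here for contrast: consulting only the list
        makes a pruned (expired) certificate look 'good'."""
        return "revoked" if serial in self._revoked else "good"


def demo():
    """Constructed scenario: two certificates revoked on day 10, one of
    which expires on day 100; the list is pruned on day 200."""
    crl = RevocationList()
    crl.revoke("01", not_after=100 * DAY, revoked_at=10 * DAY)
    crl.revoke("02", not_after=400 * DAY, revoked_at=10 * DAY)
    out = {"size_before": len(crl)}
    out["01_at_day50"] = crl.status("01", 100 * DAY, now=50 * DAY)
    out["03_at_day50"] = crl.status("03", 400 * DAY, now=50 * DAY)
    out["pruned_at_day200"] = crl.prune(now=200 * DAY)
    out["size_after"] = len(crl)
    out["01_at_day200"] = crl.status("01", 100 * DAY, now=200 * DAY)
    out["01_naive_at_day200"] = crl.naive_status("01")
    out["02_at_day200"] = crl.status("02", 400 * DAY, now=200 * DAY)
    return out
```

The naive check is the trap: once the CA has pruned the entry, "not on the list" no longer means "not revoked" for an expired certificate, which is exactly why clients reject on expiry first and why a cert that never expired could never be safely pruned.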

------
andygambles
Awesome