
I just always assumed it was like the rest of SSL:

It’s well documented that NSA saboteurs infiltrated the standards board. They forced through a bunch of bad proposals with the intention of making it overly complicated. The idea was to encourage misconfiguration and implementation bugs.




Where did you read this?


He’s referring to the leaks about NSA putting back doors into algorithms that Snowden leaked. Those algorithms were suspect from the beginning and avoided. It’s possible ones have gone undetected, but that’s pure speculation without any kind of proof at this time. It’s also wholly irrelevant to this discussion and just pure FUD. Certificate expiration is needed to make certificate revocation perform well. Otherwise you need to keep the list of all certificates ever revoked, whereas with expiration you can ignore checking expired certificates and, more importantly, revocation lists you download can prune certs that are otherwise expired anyway.

If anything, now that everything is connected to the internet you want shorter revocations (like days, weeks or months). That way the potential for abuse is shorter and the path for renewal is better trodden by organizations (i.e. less likely to forget about an expiring cert).

[1] https://www.theverge.com/2013/12/20/5231006/nsa-paid-10-mill...

[2] https://en.m.wikipedia.org/wiki/RSA_BSAFE

[3] https://en.m.wikipedia.org/wiki/Bullrun_(decryption_program)
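A small constructed model of the expiry/revocation interaction described in the comment above, added here as an example and not part of the thread. The cert and CRL shapes are toy ones (serial plus expiry only), and the simulation assumes one revocation per day.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Toy certificate: only the fields the argument needs (constructed, not real X.509).
@dataclass(frozen=True)
class Cert:
    serial: int
    not_after: datetime


# Toy CRL: revoked serial -> that certificate's expiry time.
CRL = dict[int, datetime]


def prune_crl(crl: CRL, now: datetime) -> CRL:
    """Drop revoked entries whose certificate has already expired.
    A verifier rejects those on validity dates alone, so the list need not carry them."""
    return {serial: exp for serial, exp in crl.items() if exp > now}


def check_status(cert: Cert, crl: CRL, now: datetime) -> str:
    """Expiry is checked first, so the CRL is consulted only for still-valid certs."""
    if cert.not_after <= now:
        return "expired"
    if cert.serial in crl:
        return "revoked"
    return "good"


def simulate_crl_size(lifetime_days: int, years: int) -> int:
    """Issue and immediately revoke one cert per day for `years` years, pruning
    expired entries daily, and return the final CRL size. The result is bounded by
    the number of revocations within one certificate lifetime, not by the CA's history."""
    start = datetime(2020, 1, 1)  # constructed start date
    crl: CRL = {}
    for day in range(365 * years):
        now = start + timedelta(days=day)
        crl[day + 1] = now + timedelta(days=lifetime_days)  # serial = day + 1
        crl = prune_crl(crl, now)
    return len(crl)


if __name__ == "__main__":
    print("90-day certs, 5 years of revocations:", simulate_crl_size(90, 5))
    print("398-day certs, 5 years of revocations:", simulate_crl_size(398, 5))
```

Without pruning, the same five-year run would hold 1825 entries regardless of lifetime; with pruning the list never exceeds one lifetime's worth of revocations.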


I wasn’t referring to the cryptosuite weakening. I was referring to unnecessary complexity in the SSL protocol itself, such as the whole certificate chain parsing mess, the countless opportunities to implement things vulnerable to downgrade attacks, and the overly-broad attack surface of the whole thing.


It made the rounds in the press years ago. Here’s a first-person account for IPsec, which was one of the first hits I found when looking for information about the SSL weakening:

https://www.mail-archive.com/cryptography@metzdowd.com/msg12...

It’s describing the same tactics, but a different protocol. Honestly, just crack open the SSL spec. In hindsight, it’s pretty obvious it was intentionally over-complicated.

The WireGuard protocol attempts to fix these issues by hardcoding everything behind a protocol version number. It’s vastly easier to implement and configure properly.



