Notices by Andrew Ayer (agwa@follow.agwa.name)
-
Embed this notice
Andrew Ayer (agwa@follow.agwa.name)'s status on Wednesday, 08-Jan-2025 21:57:18 JST 
Andrew Ayer
Yesterday's Alpine Linux 3.21.1 release prematurely removed Entrust from the trust store, breaking TLS connections to servers using Entrust certs. They should have waited until Jan 2, 2026. Unfortunately, they vendor curl's mk-ca-bundle.pl and didn't update it after curl fixed this bug. https://gitlab.alpinelinux.org/alpine/ca-certificates/-/issues/6
Alpine is a popular base image for containers so this has the potential to be disruptive.
Background: https://sslmate.com/blog/post/entrust_distrust_more_disruptive_than_intended -
Embed this notice
Andrew Ayer (agwa@follow.agwa.name)'s status on Sunday, 01-Dec-2024 03:19:29 JST
Andrew Ayer
A Brazilian certificate authority trusted only by Microsoft has issued a presumably-unauthorized certificate for google.com: https://bugzilla.mozilla.org/show_bug.cgi?id=1934361
This can used to intercept traffic to Google from Edge and other Windows applications (except Chrome and Firefox). Hug-ops to Google folks.
Microsoft are well aware of the extensive history of problems with this CA - I emailed them my concerns in 2021, and further issues were raised during a public CCADB discussion in 2022 - but they clearly don't care. I hope this incident prompts some change; Windows users deserve better! -
Embed this notice
Andrew Ayer (agwa@follow.agwa.name)'s status on Tuesday, 12-Nov-2024 14:33:14 JST
Andrew Ayer
I looked into how non-browser clients that use the Mozilla root store (i.e. all of Linux) will handle the upcoming Entrust distrust, which is supposed to distrust certificates issued after November 30, 2024: https://sslmate.com/blog/post/entrust_distrust_more_disruptive_than_intended
Spoiler: not well -
Embed this notice
Andrew Ayer (agwa@follow.agwa.name)'s status on Tuesday, 12-Nov-2024 14:33:13 JST
Andrew Ayer
As I expected, many clients will accept Entrust certificates issued after Nov 30. But to my surprise, several providers of PEM root bundles, notably Certifi/mkcert and curl, will begin automatically omitting Entrust roots after Nov 30 - meaning previously-issued Entrust certs will stop working! This is a complete misinterpretation of Mozilla's Distrust After attribute, and will cause unexpected breakage. I have opened bugs, but I expect other consumers have also misinterpreted Distrust After, so it would be prudent to replace existing Entrust certs.
-
Embed this notice
Andrew Ayer (agwa@follow.agwa.name)'s status on Thursday, 01-Aug-2024 03:45:05 JST
Andrew Ayer
Cert Spotter lets you know if any of your certificates will be revoked in the upcoming DigiCert mass revocation. They appear in your Cert Spotter dashboard with the original expiration replaced by the revocation date.
Handy, because if you log into your DigiCert account, they just give you a list of serial numbers and expect you to figure out what certs they correspond to.
-
Embed this notice
Andrew Ayer (agwa@follow.agwa.name)'s status on Friday, 03-Nov-2023 05:14:42 JST
Andrew Ayer
@Moon Certificate Transparency allows attacks to be detected, and then browsers can distrust the CA. This won't be possible in the EU if eIDAS passes. -
Embed this notice
Andrew Ayer (agwa@follow.agwa.name)'s status on Thursday, 02-Nov-2023 23:38:12 JST
Andrew Ayer
The EU is considering a very bad law called eIDAS that would:
- Force browsers to accept government certificate authorities
- Ban additional security checks on certificates (such as Certificate Transparency) unless the EU agrees to them
This would undo 10 years of improvements to encryption on the Web and create an environment very favorable to MitM attacks.
If you're an EU citizen, consider writing to the MEP responsible for the eIDAS file, Romana JERKOVIĆ (https://www.europarl.europa.eu/meps/en/112747/ROMANA_JERKOVIC/home), to voice your concern.
Learn more at https://last-chance-for-eidas.org/ -
Embed this notice
Andrew Ayer (agwa@follow.agwa.name)'s status on Tuesday, 27-Jun-2023 04:40:14 JST
Andrew Ayer
Among the 300 DNS names still serving revoked and broken Let's Encrypt certificates (https://www.agwa.name/blog/post/last_weeks_lets_encrypt_downtime) I see:
43 Squarespace sites
14 Shopify sites
4 GitHub Pages sites
Alarming that such major Let's Encrypt integrations have no process for replacing revoked certificates.
All GNU social JP content and data are available under the