Hacker News with Generative AI: TLS

TLS certificate lifetimes will officially reduce to 47 days (digicert.com)
The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates and the reusability of CA-validated information in certificates. The first user impacts of the ballot take place in March 2026.

Security, Cybersecurity, TLS, Certificates, Web

512 points by crtasm 11 days ago | 675 comments

Mandatory short duration TLS certificates are probably coming soon (utoronto.ca)
The news of the time interval is that the maximum validity period for TLS certificates will be lowered to 47 days by March 2029, unless the CA/Browser Forum changes its mind (or is forced to) before then.

Security, TLS, Internet Security, Certificates, Technology

18 points by aragilar 12 days ago | 23 comments

Mandatory short duration TLS certificates are probably coming soon (utoronto.ca)
The news of the time interval is that the maximum validity period for TLS certificates will be lowered to 47 days by March 2029, unless the CA/Browser Forum changes its mind (or is forced to) before then.

Security, Cybersecurity, TLS, Certificate Authorities

11 points by throw0101a 13 days ago | 1 comments

Practical HTTPS Interception: 20 Years of SSL/TLS Interception (thc.org)
TL;DR: An attacker can trick Let's Encrypt (LE) to issue new TLS certificates for any domain that the attacker intercepts traffic for. The attacker can then decrypt the TLS traffic. This one thing that TLS is supposed to prevent from happening. The fault is that LE uses cleartext HTTP to verify the ACME-challenge (which the attacker can intercept).

Security, HTTPS, TLS, Certificates, Hacking

4 points by ementally 82 days ago | 0 comments

Major authentication providers still doesn't support TLS 1.3 (okta.com)

Security, TLS, Authentication

4 points by Alcatros552 99 days ago | 1 comments

Ask HN: TLS 1.3 and Post-Quantum Encryption for HN? (ycombinator.com)
Could HN benefit from a TLS upgrade, as it's currently at TLS v1.2, (not e.g.: v1.3) (for me, at least)? Also could it benefit from being a leader in implementing post-quantum cryptography?

Security, Cryptography, Hacker News, TLS, Post-Quantum Cryptography

15 points by Azerty9999 116 days ago | 12 comments

Using Kernel TLS (kTLS) (2023) (delthas.fr)
Traditionally, the data path for sending HTTPS traffic is:

Security, Networking, TLS, Cryptography

25 points by 1vuio0pswjnm7 119 days ago | 5 comments

We have an unusual concern when we use Let's Encrypt (utoronto.ca)
One of the bits of recent TLS news is that Let's Encrypt is going to start offering 6-day TLS certificates.

TLS, Security, Let's Encrypt

13 points by speckx 129 days ago | 3 comments

TLS certificates were almost never particularly well verified (utoronto.ca)
Recently there was a little commotion in the TLS world, as discussed in We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI.

Security, Cryptography, TLS

3 points by valyala 160 days ago | 0 comments

How to inspect TLS encrypted traffic (apnic.net)
Do you want to analyse decrypted TLS traffic in Wireshark or let an Intrusion Detection System (IDS), like Suricata, Snort or Zeek, inspect the application layer data of potentially malicious TLS encrypted traffic?

Network Security, TLS, Traffic Analysis, Intrusion Detection

14 points by belter 176 days ago | 0 comments

Rustls Outperforms OpenSSL and BoringSSL (memorysafety.org)
ISRG has been investing heavily in the Rustls TLS library over the past few years. Our goal is to create a library that is both memory safe and a leader in performance.

Rust, TLS, Performance, Security

154 points by jaas 186 days ago | 44 comments

Just want simple TLS for your .internal network? (github.com/nh2)
Safely shareable TLS root CA for .internal networks using Name Constraints

Security, .NET, Networks, TLS, Certificates

245 points by nh2 190 days ago | 141 comments

WebPKI – Introduce Schedule of Reducing Validity (Of TLS Server Certificates) (github.com/cabforum)
Subscriber Certificates issued on or after 1 September 2020 SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days.

Security, Web Certificates, TLS, Cryptography, Internet

7 points by nickf 197 days ago | 2 comments

Google calls for halting use of WHOIS for TLS domain verifications (arstechnica.com)
Certificate authorities and browser makers are planning to end the use of WHOIS data verifying domain ownership following a report that demonstrated how threat actors could abuse the process to obtain fraudulently issued TLS certificates.

Security, Cybersecurity, Domain Verification, TLS, Internet

12 points by pseudolus 217 days ago | 3 comments

Show HN: Pyrtls, rustls-based modern TLS for Python (github.com/djc)
pyrtls provides bindings to rustls, a modern Rust-based TLS implementation with an API that is intended to be easy to use to replace the ssl module (but not entirely compatible with it).

Python, TLS, Security, Rust, Open Source

22 points by dochtman 225 days ago | 1 comments

Telekom Security: Revocation delay for TLS certificates (mozilla.org)

Security, TLS, Certificates

54 points by MaKey 281 days ago | 15 comments

Telekom Security: Revocation delay for TLS certificates (mozilla.org)

Security, TLS, Certificates

7 points by asimops 281 days ago | 0 comments

Inspect TLS encrypted traffic using mitmproxy and Wireshark (koyeb.com)

Network Security, TLS, Debugging, Security Tools

39 points by wofo 291 days ago | 5 comments