Hacker News with Generative AI: TLS

Ending TLS Client Authentication Certificate Support in 2026 (letsencrypt.org)
Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026. Most users who use Let’s Encrypt to secure websites won’t be affected and won’t need to take any action. However, if you use Let’s Encrypt certificates as client certificates to authenticate to a server, this change may impact you.

Security, TLS, Certificates, Let's Encrypt

61 points by pabs3 6 days ago | 53 comments

Let's Encrypt Drops "Client Authentication" (mTLS) from Its TLS Certificates (utoronto.ca)
The TLS news of the time interval is that Let's Encrypt certificates will no longer be usable to authenticate your client to a TLS server (via a number of people on the Fediverse). This is driven by a change in Chrome's "Root Program", covered in section 3.2, with a further discussion of this in Chrome's charmingly named Moving Forward, Together in the "Understanding dedicated hierarchies" section; apparently only half of the current root Certificate Authorities actually issue TLS server certificates.

Security, TLS, Certificates, Web Development, Google Chrome

8 points by pabs3 6 days ago | 1 comments

Ending TLS Client Authentication Certificate Support in 2026 (letsencrypt.org)
Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026.

Security, Certificates, TLS, Cryptography, Web Security

4 points by Dunedan 9 days ago | 4 comments

TLS certificate lifetimes will officially reduce to 47 days (digicert.com)
The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates and the reusability of CA-validated information in certificates. The first user impacts of the ballot take place in March 2026.

Security, Cybersecurity, TLS, Certificates, Web

512 points by crtasm 38 days ago | 675 comments

Mandatory short duration TLS certificates are probably coming soon (utoronto.ca)
The news of the time interval is that the maximum validity period for TLS certificates will be lowered to 47 days by March 2029, unless the CA/Browser Forum changes its mind (or is forced to) before then.

Security, TLS, Internet Security, Certificates, Technology

18 points by aragilar 39 days ago | 23 comments

Mandatory short duration TLS certificates are probably coming soon (utoronto.ca)
The news of the time interval is that the maximum validity period for TLS certificates will be lowered to 47 days by March 2029, unless the CA/Browser Forum changes its mind (or is forced to) before then.

Security, Cybersecurity, TLS, Certificate Authorities

11 points by throw0101a 40 days ago | 1 comments

Practical HTTPS Interception: 20 Years of SSL/TLS Interception (thc.org)
TL;DR: An attacker can trick Let's Encrypt (LE) to issue new TLS certificates for any domain that the attacker intercepts traffic for. The attacker can then decrypt the TLS traffic. This one thing that TLS is supposed to prevent from happening. The fault is that LE uses cleartext HTTP to verify the ACME-challenge (which the attacker can intercept).

Security, HTTPS, TLS, Certificates, Hacking

4 points by ementally 109 days ago | 0 comments

Major authentication providers still doesn't support TLS 1.3 (okta.com)

Security, TLS, Authentication

4 points by Alcatros552 127 days ago | 1 comments

Ask HN: TLS 1.3 and Post-Quantum Encryption for HN? (ycombinator.com)
Could HN benefit from a TLS upgrade, as it's currently at TLS v1.2, (not e.g.: v1.3) (for me, at least)? Also could it benefit from being a leader in implementing post-quantum cryptography?

Security, Cryptography, Hacker News, TLS, Post-Quantum Cryptography

15 points by Azerty9999 144 days ago | 12 comments

Using Kernel TLS (kTLS) (2023) (delthas.fr)
Traditionally, the data path for sending HTTPS traffic is:

Security, Networking, TLS, Cryptography

25 points by 1vuio0pswjnm7 147 days ago | 5 comments

We have an unusual concern when we use Let's Encrypt (utoronto.ca)
One of the bits of recent TLS news is that Let's Encrypt is going to start offering 6-day TLS certificates.

TLS, Security, Let's Encrypt

13 points by speckx 156 days ago | 3 comments

TLS certificates were almost never particularly well verified (utoronto.ca)
Recently there was a little commotion in the TLS world, as discussed in We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI.

Security, Cryptography, TLS

3 points by valyala 187 days ago | 0 comments

How to inspect TLS encrypted traffic (apnic.net)
Do you want to analyse decrypted TLS traffic in Wireshark or let an Intrusion Detection System (IDS), like Suricata, Snort or Zeek, inspect the application layer data of potentially malicious TLS encrypted traffic?

Network Security, TLS, Traffic Analysis, Intrusion Detection

14 points by belter 203 days ago | 0 comments

Rustls Outperforms OpenSSL and BoringSSL (memorysafety.org)
ISRG has been investing heavily in the Rustls TLS library over the past few years. Our goal is to create a library that is both memory safe and a leader in performance.

Rust, TLS, Performance, Security

154 points by jaas 213 days ago | 44 comments

Just want simple TLS for your .internal network? (github.com/nh2)
Safely shareable TLS root CA for .internal networks using Name Constraints

Security, .NET, Networks, TLS, Certificates

245 points by nh2 217 days ago | 141 comments

WebPKI – Introduce Schedule of Reducing Validity (Of TLS Server Certificates) (github.com/cabforum)
Subscriber Certificates issued on or after 1 September 2020 SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days.

Security, Web Certificates, TLS, Cryptography, Internet

7 points by nickf 225 days ago | 2 comments

Google calls for halting use of WHOIS for TLS domain verifications (arstechnica.com)
Certificate authorities and browser makers are planning to end the use of WHOIS data verifying domain ownership following a report that demonstrated how threat actors could abuse the process to obtain fraudulently issued TLS certificates.

Security, Cybersecurity, Domain Verification, TLS, Internet

12 points by pseudolus 244 days ago | 3 comments

Show HN: Pyrtls, rustls-based modern TLS for Python (github.com/djc)
pyrtls provides bindings to rustls, a modern Rust-based TLS implementation with an API that is intended to be easy to use to replace the ssl module (but not entirely compatible with it).

Python, TLS, Security, Rust, Open Source

22 points by dochtman 252 days ago | 1 comments

Telekom Security: Revocation delay for TLS certificates (mozilla.org)

Security, TLS, Certificates

54 points by MaKey 308 days ago | 15 comments

Telekom Security: Revocation delay for TLS certificates (mozilla.org)

Security, TLS, Certificates

7 points by asimops 309 days ago | 0 comments

Inspect TLS encrypted traffic using mitmproxy and Wireshark (koyeb.com)

Network Security, TLS, Debugging, Security Tools

39 points by wofo 319 days ago | 5 comments