Root Certificate is expiring

Labeled as alert in Warnings and Alerts, started by franka46, Sep 29, 2021

Replies:
31
Views:
964

  1. franka46

    franka46 Established Member

    Posts:
    1,042
    Likes Received:
    334
    https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
    On 30th September 2021, the root certificate that Let's Encrypt are currently using, the IdenTrust DST Root CA X3 certificate, will expire. You may or may not need to do anything about this Root CA expiring, but I'm betting a few things will probably break on that day so here's what you need to know!

    Anything that requires a secure connection to a particular server can stop working. Streaming platforms such as Netflix, Stan, Binge and 7plus require users to have this secure connection. It can also affect any website that requires a user to login, such as email inboxes and banking sites.
     
  2. Bob Hawkes

    Bob Hawkes Top Member NameTalent VIP Gold Account Trusted Blogger

    Posts:
    7,859
    Likes Received:
    26,862
    Thanks for drawing our attention to this @franka46 .

    Quite apart from the impending expiry, and what that might or might not mean, the article is a good explanation of how security certificate systems work.

    I am following the author's article on social media, and apparently there are some reports of failures happening. Undoubtedly more will be clear in a few hours.

    Bob
     
  3. Samer

    Samer Restricted (15-30%)

    Posts:
    11,272
    Likes Received:
    21,968
    Does this mean we will know who uses the cheap free SSL? Lol after noticing; it’s gone.

    Samer
     
  4. Paul

    Paul CTO, NamePros CTO VIP Gold Account

    Posts:
    2,209
    Likes Received:
    4,245
    This won't impact most users. It will only affect very old devices that don't know Let's Encrypt exists--devices that probably can't connect to websites like NamePros anyway.

    From what I've seen, Let's Encrypt has some of the best security of any CA, which is somewhat ironic given that others often require payment. NamePros uses Let's Encrypt.
     
  5. Samer

    Samer Restricted (15-30%)

    Posts:
    11,272
    Likes Received:
    21,968
    Thanks for the clarification, Paul.

    I’m not as technically savvy as you, but I know that in this day and age, SSL is not enough.
    But it’s a start! I always assumed the ones who could afford to pay for “paid” SSL like

    EV SSL (the “best” SSL)
    OV SSL (the “second best” SSL)

    DV SSL
    Wildcard SSL

    Thank you for taking time to answer.

    Samer
     
  6. Paul

    Paul CTO, NamePros CTO VIP Gold Account

    Posts:
    2,209
    Likes Received:
    4,245
    Turns out I was wrong: it did impact more users than expected due to flaws in the software that handles SSL/TLS on some devices, which is unfortunate.

    No single security measure is ever enough on its own. Security requires layers. :)

    This is debatable. There are situations in which they can be useful, but they don't affect the encryption that takes place when you visit a website--they're the same as DV in that regard.
     
  7. Future Sensors

    Future Sensors 78% of human domainers will be replaced by robots Gold Account

    Posts:
    2,410
    Likes Received:
    8,240
    It will be an item in this episode (#263)

    https://www.youtube.com/c/troyhuntdotcom/videos

     
    Last edited: Oct 1, 2021
  8. poweredbyme

    poweredbyme Top Contributor VIP

    Posts:
    1,257
    Likes Received:
    851
    My websites don't seem affected. I already know about it as I received an email about it.
    Furthermore, Let's Encrypt certificates renew every 60 days via a cron job. I mean, in theory, a website may not stay offline longer than 60 days when there is an issue with the SSL chain, which likely happens once every 20 years because the expired ones had a lifetime between 2000/2001 and 2021.
     
  9. Future Sensors

    Future Sensors 78% of human domainers will be replaced by robots Gold Account

    Posts:
    2,410
    Likes Received:
    8,240
    It has to be correct at the server side *and* client side (your visitors).
     
  10. poweredbyme

    poweredbyme Top Contributor VIP

    Posts:
    1,257
    Likes Received:
    851
    I have visited one of my websites, client side, it's working.
     
  11. Future Sensors

    Future Sensors 78% of human domainers will be replaced by robots Gold Account

    Posts:
    2,410
    Likes Received:
    8,240
    Okay, great. Now test it with a 5 or 8 year old device.
     
    Last edited: Oct 2, 2021
  12. poweredbyme

    poweredbyme Top Contributor VIP

    Posts:
    1,257
    Likes Received:
    851
    I visited with a 10-year-old device but updated software. So I think I get your point. I don't use Windows 7 or Vista. If this is what you mean, yes, I get your point.
     
  13. Future Sensors

    Future Sensors 78% of human domainers will be replaced by robots Gold Account

    Posts:
    2,410
    Likes Received:
    8,240
    Please try with (from the article)
    • PS4 game console with firmware >= 5.00
     
  14. poweredbyme

    poweredbyme Top Contributor VIP

    Posts:
    1,257
    Likes Received:
    851
    I use debian
     
  15. Future Sensors

    Future Sensors 78% of human domainers will be replaced by robots Gold Account

    Posts:
    2,410
    Likes Received:
    8,240
    That's great, and I applaud you for using OSS. But also think of visitors using Kindles, Firesticks, embedded devices (kiosk software), smart thermostats with display, IoT devices, etcetera.
     
    Last edited: Oct 2, 2021
  16. poweredbyme

    poweredbyme Top Contributor VIP

    Posts:
    1,257
    Likes Received:
    851
    Those folks are probably less than 1%. Even Windows 8 is less than 1% as of now.
    I don't bother with such a small percentage. Eventually they will notice there is a problem with their devices and will look for a fix, and they will eventually find a solution.
     
    Last edited: Oct 2, 2021
  17. Future Sensors

    Future Sensors 78% of human domainers will be replaced by robots Gold Account

    Posts:
    2,410
    Likes Received:
    8,240
  18. poweredbyme

    poweredbyme Top Contributor VIP

    Posts:
    1,257
    Likes Received:
    851
  19. poweredbyme

    poweredbyme Top Contributor VIP

    Posts:
    1,257
    Likes Received:
    851
    I have just checked traffic stats of my websites. There is no difference. Today and yesterday are similar to any other day. False alert.
     
  20. Future Sensors

    Future Sensors 78% of human domainers will be replaced by robots Gold Account

    Posts:
    2,410
    Likes Received:
    8,240
    It's not a false alert. As I said, it's not only about humans surfing to your website. It's also about ICS, SCADA, IoT, embedded devices, you name it. To see what I mean, read this example:

    https://community.letsencrypt.org/t/iot-devices-with-x3-certificate-embedded/140801
     
    Last edited: Oct 2, 2021
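Added example (not code from this thread, from Scott Helme's article or from Let's Encrypt): a toy certificate-path builder that shows why the same served chain kept working on up-to-date clients but failed on others after DST Root CA X3 expired, covering the "server side *and* client side" point from post 9, the client-software flaw Paul mentions in post 6, and the device with the old root baked in from post 20. The certificate subjects are the real ones; the validity dates are constructed sample values approximating the real certificates, and nothing is parsed from real DER. `trusted_first` and `check_anchor_expiry` are this example's own names for two client behaviours.

```python
"""Toy path builder for the DST Root CA X3 expiry (30 Sep 2021).

Added example; not code from the NamePros thread, Scott Helme's article or
Let's Encrypt. Subjects are real; dates are constructed approximations.
"""
from datetime import date

LEAF = {"subject": "example.com", "issuer": "R3", "not_after": date(2021, 12, 1)}
R3 = {"subject": "R3", "issuer": "ISRG Root X1", "not_after": date(2025, 9, 15)}
# Cross-signed ISRG Root X1: same subject as the self-signed root, but issued by
# DST Root CA X3 so that clients which only trust DST can still build a path.
ISRG_X1_CROSS = {"subject": "ISRG Root X1", "issuer": "DST Root CA X3", "not_after": date(2024, 9, 30)}
ISRG_X1_SELF = {"subject": "ISRG Root X1", "issuer": "ISRG Root X1", "not_after": date(2035, 6, 4)}
DST_X3 = {"subject": "DST Root CA X3", "issuer": "DST Root CA X3", "not_after": date(2021, 9, 30)}

# Servers send the leaf plus intermediates; the root comes from the client's store.
DEFAULT_CHAIN = [LEAF, R3, ISRG_X1_CROSS]  # Let's Encrypt default chain in 2021
SHORT_CHAIN = [LEAF, R3]                    # alternative chain, anchored at ISRG Root X1

EXPIRY_DAY = date(2021, 10, 1)     # first day after DST Root CA X3 expired
BEFORE_EXPIRY = date(2021, 9, 1)


def build_path(served, trust_store, now, trusted_first=True, check_anchor_expiry=True):
    """Build a path from served[0] to a self-signed cert in trust_store, then
    check validity dates along it. Returns (ok, [subjects], reason).

    trusted_first=False models OpenSSL 1.0.x, which resolved each issuer from
    the served intermediates before the trust store and did not retry an
    alternate path when the one it built turned out to be expired.
    check_anchor_expiry=False models clients (old Android) that do not enforce
    the trust anchor's own notAfter.
    """
    trusted = {c["subject"]: c for c in trust_store}
    served_by_subject = {c["subject"]: c for c in served[1:]}
    order = [trusted, served_by_subject] if trusted_first else [served_by_subject, trusted]

    path = [served[0]]
    while path[-1]["subject"] != path[-1]["issuer"]:
        cur = path[-1]
        nxt = next((d[cur["issuer"]] for d in order if cur["issuer"] in d), None)
        if nxt is None or nxt in path:  # no issuer available, or a cross-sign loop
            return False, [c["subject"] for c in path], f"no issuer found for {cur['subject']}"
        path.append(nxt)

    anchor = path[-1]
    subjects = [c["subject"] for c in path]
    if anchor not in trust_store:
        return False, subjects, "chain ends in a self-signed cert that is not trusted"
    for cert in path:
        if cert is anchor and not check_anchor_expiry:
            continue
        if cert["not_after"] < now:
            return False, subjects, f"{cert['subject']} expired on {cert['not_after']}"
    return True, subjects, "ok"


# Constructed client profiles matching the cases discussed in the thread.
CLIENTS = {
    # Up-to-date browser/OS: has ISRG Root X1, consults the trust store first,
    # so it anchors at the self-signed ISRG Root X1 and never sees DST Root CA X3.
    "modern": dict(trust_store=[ISRG_X1_SELF, DST_X3], trusted_first=True),
    # Also has ISRG Root X1, but follows the served chain to DST Root CA X3 and
    # cannot back off: the client-side TLS software flaw.
    "openssl_1_0_x": dict(trust_store=[ISRG_X1_SELF, DST_X3], trusted_first=False),
    # Old firmware / IoT device whose store was never updated with ISRG Root X1.
    "dst_only": dict(trust_store=[DST_X3], trusted_first=True),
    # Old Android: lacks ISRG Root X1 but ignores root expiry, which is why the
    # cross-signed chain was kept as the default.
    "old_android": dict(trust_store=[DST_X3], trusted_first=True, check_anchor_expiry=False),
}


def report(served, now=EXPIRY_DAY):
    """Map each client profile to whether it accepts `served` on day `now`."""
    return {name: build_path(served, now=now, **cfg)[0] for name, cfg in CLIENTS.items()}


if __name__ == "__main__":
    for label, chain in (("default chain", DEFAULT_CHAIN), ("short chain", SHORT_CHAIN)):
        for name, cfg in CLIENTS.items():
            ok, subjects, reason = build_path(chain, now=EXPIRY_DAY, **cfg)
            print(f"{label:13} {name:14} {'OK  ' if ok else 'FAIL'} {' -> '.join(subjects)} ({reason})")
```

Running it shows the asymmetry the thread argues about: on the default chain the modern client and old Android succeed while the OpenSSL 1.0.x-style client and the DST-only device fail; switching the server to the short chain fixes the OpenSSL 1.0.x client but breaks both DST-only profiles, since they have no way to reach ISRG Root X1. Neither side can fix it alone, which is the point of post 9.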
  21. Future Sensors

    Future Sensors 78% of human domainers will be replaced by robots Gold Account

    Posts:
    2,410
    Likes Received:
    8,240
  22. poweredbyme

    poweredbyme Top Contributor VIP

    Posts:
    1,257
    Likes Received:
    851
    Client-side issues are related to browsers.
    This specific issue is related to how browsers react. This issue is not directly related to web servers or Let's Encrypt.
    If browser developers make the necessary updates to fix such an expected problem, there will be no problem. In this case, all major browsers look like they already fixed the expected issue. This is what I see in my traffic stats. I don't see a problem.
     
  23. Future Sensors

    Future Sensors 78% of human domainers will be replaced by robots Gold Account

    Posts:
    2,410
    Likes Received:
    8,240
    No, TLS certificates can be used for securing email communications and a lot more than you are probably aware of.
     
    Last edited: Oct 2, 2021
  24. poweredbyme

    poweredbyme Top Contributor VIP

    Posts:
    1,257
    Likes Received:
    851
    SSH clients will not be affected. FTP and email clients will be affected.
    I do not know at this time if emails are working well, and I have almost no chance to know,
    because there are dozens of mail clients running on the client side.
    Server-side email will also not be affected, because most servers are on Linux and use the same software for sending/receiving mail.
     
  25. poweredbyme

    poweredbyme Top Contributor VIP

    Posts:
    1,257
    Likes Received:
    851
    However, most people use free email providers such as Google, Yahoo, Hotmail, etc. They have to run mail servers, so once a server is involved, the mail-client possibility is out.
     
