
alert Root Certificate is expiring

https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
On 30th September 2021, the root certificate that Let's Encrypt are currently using, the IdentTrust DST Root CA X3 certificate, will expire. You may or may not need to do anything about this Root CA expiring, but I'm betting a few things will probably break on that day so here's what you need to know!

Anything that requires a secure connection to a particular server can stop working. Streaming platforms such as Netflix, Stan, Binge and 7plus require users to have this secure connection. It can also affect any website that requires a user to login, such as email inboxes and banking sites.
 
Thanks for drawing our attention to this @franka46 .

Quite apart from the impending expiry, and what that might or might not mean, the article is a good explanation of how security certificate systems work.

I am following the article's author on social media, and apparently some reports of failures are happening. Undoubtedly more will be clear in a few hours.

Bob
 
Does this mean we will know who uses the cheap free SSL? Lol after noticing; it’s gone.

Samer
 
Does this mean we will know who uses the cheap free SSL? Lol after noticing; it’s gone.

Samer

This won't impact most users. It will only affect very old devices that don't know Let's Encrypt exists--devices that probably can't connect to websites like NamePros anyway.

From what I've seen, Let's Encrypt has some of the best security of any CA, which is somewhat ironic given that others often require payment. NamePros uses Let's Encrypt.
 
This won't impact most users. It will only affect very old devices that don't know Let's Encrypt exists--devices that probably can't connect to websites like NamePros anyway.

From what I've seen, Let's Encrypt has some of the best security of any CA, which is somewhat ironic given that others often require payment. NamePros uses Let's Encrypt.

Thanks for the clarification, Paul.

I’m not as technically-savvy as you, but I know this day and age: SSL is not enough.
But it’s a start! I always assumed the ones who could afford to pay for “paid” SSL like

EV SSL (the “best” SSL
OV SSL (the “second best” SSL)

DV SSL
Wildcard SSL

Thank you for taking time to answer.

Samer
 
Thanks for the clarification, Paul.

Turns out I was wrong: it did impact more users than expected due to flaws in the software that handles SSL/TLS on some devices, which is unfortunate.

SSL is not enough.

No single security measure is ever enough on its own. Security requires layers. :)

EV SSL (the “best” SSL
OV SSL (the “second best” SSL)

This is debatable. There are situations in which they can be useful, but they don't affect the encryption that takes place when you visit a website--they're the same as DV in that regard.
 
My websites don't seem affected. I already know about it as I received an email about it.
Furthermore, Let's Encrypt certificates renew every 60 days via cron job. I mean, in theory, a website may not stay offline longer than 60 days when there is an issue on the SSL chain, which likely happens once every 20 years because the expired ones had a lifetime between 2000/2001 - 2021.
 
My websites don't seem affected. I already know about it as I received an email about it.
Furthermore, Let's Encrypt certificates renew every 60 days via cron job. I mean, in theory, a website may not stay offline longer than 60 days when there is an issue on the SSL chain, which likely happens once every 20 years because the expired ones had a lifetime between 2000/2001 - 2021.

It has to be correct at the server side *and* client side (your visitors).
 
Okay, great. Now test it with a 5 or 8 year old device.

I visited with a 10-year-old device but updated software. So I think I get your point. I don't use Windows 7 or Vista. If this is what you mean, yes I get your point.
 
I visited with a 10-year-old device but updated software. So I think I get your point. I don't use Windows 7 or Vista. If this is what you mean, yes I get your point.

Please try with (from the article)
  • PS4 game console with firmware >= 5.00
 
I use debian

That's great, and I applaud you for using OSS. But also think of visitors using Kindles, Firesticks, embedded devices (kiosk software), smart thermostats with display, IoT devices, etcetera.
 
That's great, and I applaud you for using OSS. But also think of visitors using Kindles, Firesticks, embedded devices (kiosk software), smart thermostats with display, etcetera.

Those folks are probably less than 1%. Even Windows 8 is less than 1% as of now.
I don't bother with such a few percents. Eventually they will notice there is a problem with their devices and will look for a fix and they will eventually find a solution.
 
I have just checked traffic stats of my websites. There is no difference. Today and yesterday are similar to any other day. False alert.
 
Client side issues are related to browsers.
This specific issue is related to how browsers react. This issue is not directly related to webservers or letsencrypt.
If browser developers make the necessary updates to fix such an expected problem, there will be no problem. In this case, it looks like all major browsers already fixed an expected issue. This is what I see on my traffic stats. I don't see a problem.
 
Client side issues are related to browsers.

No, TLS certificates can be used for securing email communications and a lot more than you are probably aware of.
 
No, TLS certificates can be used for securing email communications and a lot more than you are probably aware of.

SSH clients will not be affected. FTP and email clients will be affected.
I do not know at this time if emails are working well and I have almost no chance to know.
Because there are dozens of mail clients running on client sides.
Server side emails will also not be affected because most servers are on Linux and use the same software for sending/receiving mails.
 
However, most people use free email providers such as Google, Yahoo, Hotmail, etc. They have to run mail servers, so once a server is involved, a mail client possibility is out.
 