Short-lived (6-day expiration) TLS certificates are now available from #LetsEncrypt for those feeling comfortable using them. IP Address certificates are also now available.

https://letsencrypt.org/2026/01/15/6day-and-ip-general-availability.html

#TLSCertificates #CyberSecurity

6-day and IP Address Certificates are Generally Available

Update: March 11, 2026. If you use Certbot, see Six-Day and IP Address Certificates Available in Certbot for details on requesting these certificates.

Short-lived and IP address certificates are now generally available from Let’s Encrypt. These certificates are valid for 160 hours, just over six days. In order to get a short-lived certificate subscribers simply need to select the ‘shortlived’ certificate profile in their ACME client.

Short-lived certificates improve security by requiring more frequent validation and reducing reliance on unreliable revocation mechanisms. If a certificate’s private key is exposed or compromised, revocation has historically been the way to mitigate damage prior to the certificate’s expiration. Unfortunately, revocation is an unreliable system so many relying parties continue to be vulnerable until the certificate expires, a period as long as 90 days. With short-lived certificates that vulnerability window is greatly reduced.

https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/

"In 2024, we received a tip from a collaborator about a single piece of infrastructure: a domain name pointing to a server that also returned several distinctive self-signed #TLScertificates… including various pieces of missing information and a distinctive naming scheme…we found 150 related certificates on Censys with approximately half of the certificates actively served on IP addresses…consistent with a dedicated command and control infrastructure…"

#spyware

Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations - The Citizen Lab

In our first investigation into Israel-based spyware company, Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon's mercenary spyware operations across the globe. This report includes an infrastructure analysis of Paragon’s spyware product, called Graphite; a forensic analysis of infected devices belonging to members of civil society; and a closer look at the use of Paragon spyware in both Canada and Italy.

The Citizen Lab
Chrome and Mozilla to distrust Entrust TLS Certificates in late 2024: Major web browsers announce plans to stop trusting Entrust's public TLS certificates due to compliance concerns, impacting website security. https://ppc.land/chrome-and-mozilla-to-distrust-entrust-tls-certificates-in-late-2024/?utm_source=dlvr.it&utm_medium=mastodon #CyberSecurity #TLSCertificates #WebBrowsers #Entrust #Privacy

@jscalzi : please stop using http links if websites support https.

By specifying https://vote.org (or https://vote.org/ which gives the same result) in a link, or by typing https://vote.org in the address bar of your browser, there are three possibilities:

1) the browser connects to the _real_ vote.org website;

2) the browser displays a certificate error (never continue in such a case);

3) extremely unlikely (see [1]): the browser connects to a fake website that managed to obtain a valid certificate for the vote.org domain name.

(Note: I used the Unicode '/' character instead of the regular slash char '/' to prevent Mastodon from hiding the protocol).

By default, _none_ of the popular web browsers prevents active (i.e. not passive) criminals from successfully conducting Man-in-the-Middle attacks - if the first connection-attempt uses http.

Most browsers _may_ TRY https first, but an attacker can block that request, forcing the browser to downgrade to http (if the user explicitly requested https, such a downgrade to http will _not_ happen).

Such attacks can be conducted in various ways, such as by using an "evil twin" WiFi access point (https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/) or by manipulating DNS replies to browsers.

Note: the domain "vote.org" is currently _not_ listed in the HSTS preload list (apparently it was removed because of stupidities): https://hstspreload.org/?domain=vote.org (being listed would _force_ browsers to use https, even if "the user" requested http by tapping on such a link).

See also the unnecessarily poor results in https://internet.nl/site/vote.org/2883671/

Unfortunately also @BleepingComputer regularly uses unnecessary http links in their articles.

[1] More info: https://infosec.exchange/@Bitwiper/112779974228111155

@adamshostack

#http #https #httpsvshttp #httpvshttps #AitM #MitM #EvilTwin #DNS #DNSAttacks #DV #DomainValidated #DomainValidation #Certificates #TLSCertificates #httpsCertificates #httpsServerCertificates #ServerCertificates #Authentication #Impersonation

Everything You Need to Vote - Vote.org

Register to vote. Check your registration status. Get your absentee ballot. Fast, free, easy, secure, nonpartisan.
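
The post above ties downgrade exposure to three things: the scheme in the link, whether the domain is on the HSTS preload list, and whether the browser already holds an HSTS policy for it. As an added example (not part of the original post), this sketch parses a `Strict-Transport-Security` header, lists what keeps it from meeting the preload list's header requirements, and models when a first request can be held on http. The function names and sample header values are constructed for illustration.

```python
# Added example: models the post's point about http links and HSTS.
# Header values used with it are constructed samples, not from any real site.

PRELOAD_MIN_MAX_AGE = 31536000  # one year: hstspreload.org submission minimum


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns a policy dict, or None if the header must be ignored."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None  # a directive may appear only once
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not (value.isascii() and value.isdigit()):
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    return policy if policy["max_age"] is not None else None


def preload_problems(policy):
    """List what keeps a policy from meeting the preload-list header rules."""
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    problems = []
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload missing")
    return problems


def can_be_downgraded(link_scheme, preloaded, cached_policy):
    """True if an on-path attacker can keep the first request on http."""
    if link_scheme == "https" or preloaded:
        return False  # explicit https or a preload entry: no http fallback
    # Without preload, HSTS only protects after an earlier https visit.
    return not (cached_policy and cached_policy["max_age"] > 0)
```

A header that passes `preload_problems` still has to be submitted to the preload list; until then, only visitors who already reached the site over https hold a cached policy.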

@eff Now Has #Tor Onions

Today, we’re announcing .onion addresses for eff.org and two of its affiliated projects: #Certbot, an EFF-developed tool for automatically obtaining and renewing #TLS certificates for websites, and #SurveillanceSelfDefense , which provides resources and guidance for individuals and organizations to protect themselves from #surveillance and other #security threats.
#privacy #tlscertificates

https://www.eff.org/deeplinks/2023/04/eff-now-has-tor-onions

Redis is changing some of its security practices. Here is what you need to know to ensure a smooth transition. #tlscertificates #redis
https://redis.com/blog/redis-short-lived-tls-certificates/
Redis Cloud Introduces Short-Lived TLS Certificates | Redis

Redis
Apple chops Safari’s TLS certificate validity down to one year - From 1 September 2020, Safari will no longer trust SSL/TLS certificates with more than a year on t... more: https://nakedsecurity.sophos.com/2020/02/24/apple-chops-safaris-tls-certificate-validity-down-to-one-year/ #certificateauthorities #securitythreats #ca/browserforum #tlscertificates #cryptography #applesafari #webbrowsers #privacy #ssl/tls #google #safari #apple #https #sha-1 #tls