With a 6 day lifetime you'd typically renew after 3 days. If Lets Encrypt is down or refuses to issue then you'd have to choose a different provider. Your browser trusts many different "top of the chain" providers.
With a 30 day cert with renewal 10-15 days in advance that gives you breathing room
Personally I think 3 days is far too short unless you have your automation pulling from two different suppliers.
Thank you, I missed the part with several "top of the chain" providers. So all of them would need to go down at the same time for things to really stop working.
How many "top of chain" providers is letsencrypt using? Are they a single point of failure in that regard?
I'd imagine that other "top of chain" providers want money for their certificates and that they might have a manual process which is slower than letsencrypt?
But in general, one of the points of ACME is to eliminate dependence on a single provider, and prevent vendor lock-in. ACME clients should ideally support multiple ACME CAs.
For example, Caddy defaults to both LE and ZeroSSL. Users can additionally configure other CAs like Google Trust Services.
“Are they a single point of failure in that regard?”
It depends. If the ACME client is configured to only use Let’s Encrypt, then the answer is yes. But the client could fall-back to Google’s CA, ZeroSSL, etc. And then there is no single point of failure.
Fundamentally, Microsoft, Google and Apple are all run by American citizens living in America. Firefox is pretty much the same.
The US has strong institutions which prevent the President or Government at large controlling these on a whim. If those institutions fail then they could all push out an update which removes all "top of chain" trusted certificate authorities other than ones approved by the US government.
In that situation the internet is basically finished as it stands now, and the OSes would be non-trustworthy anyway.
Fixing the SSL problems is the easy part, the free world would push its own root certificate out -- which people would have to manually install from a trusted source, but that's nothing compared to the real problem.
Sure, Ubuntu, Suse etc aren't based in the US, but the number of phones without a US based OS is basically zero, you'd have to start from scratch with a forked version of android which likely has NSA approved backdoors in it anyway. Non-linux based machines would also need to be wiped.
> Makes sense. I assume each of them is in control and at the whims of US president?
Absolutely not.
If the president attempted to force a US-based CA to do something bad they don't want to do, they would sue the government. So far, this administration loses 80% of the lawsuits brought against it.
You're putting a lot of trust in US institutions (courts etc). The rest of the world is starting to see them as not a strong and independent as they were once assumed.
And that's before more overt issues. Microsoft/Google/etc could sue to stop the US ordering them to do what they should. Is the CEO really willing to risk their life to do that? Be a terrible shame if their kids got caught up in a traffic accident.
I hope so, but can we really be sure that .se or .de would still work in such a scenario? Is the TLD root management really split up vertically or is the (presumably US-based) TLD parent organization also the final authority for every country TLD?
It would be nice to at least have a very high level contingency plan because in worst case I won't be able to google it.
Not sure what the exact concern is here. So far, virtually all countries on Earth are still represented in DNS. Venezuela, Iran, Somalia, etc etc.
You can also read a lot of anti-Trump articles and comments on countless web-sites, some under .com and some under other top-domains. As lunatic as Trump is, he hasn’t shut that down.
“Is the TLD root management really split up vertically”
AFAIK, yes, it is.
But if the global DNS would somehow break down I guess you either have to find an alternative set of root servers. Or communicate outside of the regular Internet. Such an event surely would shock the global economy.
Global DNS servers are spread across the world. Most are operated by America but three are operated by Sweden, Japan and Netherlands.
The majority of people use their own ISP or an anycast address from a US company (cloudflare, google, opendns). Quad9 is European.
However any split in the root dns servers signals the end of an interconnected global network. Any ISP can advertise anycast addresses into its own network, so if the US were to be cut off from the world that wouldn't be an issue per-se, but the breakdown of the internet in the western world would be a massive economic shock.
It wouldn't surprise me if it happens in the next decade or two though.
Yeah, it's a bit far fetched but after Cloudflare CEO basically threatening to cut off Italy I was wondering what would happen if US really invades Greenland.
A simple windows to linux migration is not enough. If certificates expire without a way to refresh you'd either need to manually touch every machine to swap root certificates or have some of other contingency plan.
Windows (and apple, google, mozilla) trust dozens of root certificates. I've got 148 pems in my /etc/ssl/certs directory on my laptop. 59 are from the US and thus 89 aren't. 10 are from China, 9 Germany, 7 UK. Others are India, Japan, Korea etc.
The far bigger problem is the American government forcing Microsoft/Apple/Google to push out a windows/iphone|mac/android|chrome update which removes all CAs not approved by the American government.
Canonical/Suse may be immune to such overt pressure, but once you get to that point you're way past the end of the international internet and it doesn't really matter anyway.
Remember that there are lots of CAs, and quite many of them are based outside of the US. Those CAs currently do not offer ACME services for free, but there’s nothing stopping them from doing so.
I would say that the WebPKI system seems to be quite resilient, even in the face of strong geopolitical tension.
But what risks are attached with such a short refresh?
Is there someone at the top of the certificate chain who can refuse to give out further certificates within the blink of an eye?
If yes, would this mean that within 6 days all affected certificates would expire, like a very big Denial of Service attack?
And after 6 days everybody goes back to using HTTP?
Maybe someone with more knowledge about certificate chains can explain it to me.