Expiring on a specific date is dumb. What's the best alternative? Logging to a file somewhere? Warning messages to user? I like this idea: increasing delays.
So just use a 20-year expiration? I'm not sure this is a good idea because (a) why have them expire at all then? and (b) that just means in 20 years the failure will be really catastrophic as there's nobody around who remembers what the thing does.
So, why is expiring HTTPS worse than HTTP? The answer is that an HTTP site doesn't want encryption, but an HTTPS site does. Thus, if HTTPS fails for whatever reason, backing off to HTTP would be bad.
We saw that in the early days of "sidejacking" back in 2007: HTTPS failed for a lot of reasons, such as on slow satellite links, so Google would back off and try the connections with HTTP, allowing us to intercept cookies. They had to fix that.
Now I'm a big fan of "opportunistic encryption" going the other way, that all links with "HTTP" should maybe try "HTTPS" first, and if available, use that, even if the certificate is self-signed. But if HTTP should go forward, still HTTPS should never go backward.
By the way, we should remember that LetsEncrypt takes the opposite approach with expiration: fixing the problem by making expiration really short. This means you automate the process. Instead of doing it manually every 5 years, you do it automatically and stop worrying about it.
As this tweet points out, trust on first use works really well for SSH. In many ways, SSH and SSL are two alternatives for the same protocol.
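As an added example (not code from Graham's thread), here is a Python sketch of the two ideas above: an SSH-style trust-on-first-use pin store, and a "soft" expiry policy that warns before expiry, then adds increasing delays after it instead of failing outright, and in no case falls back to plaintext HTTP. The 14-day warning window, the 30-day grace period and the 60-second delay cap are assumptions chosen for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Known-hosts style pin store: host -> SHA-256 fingerprint of the leaf cert (DER).
# Kept in memory here; a real client would persist it like ~/.ssh/known_hosts.

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def tofu_check(store: dict, host: str, cert_der: bytes) -> str:
    """Trust on first use: pin on first sight, accept if unchanged, refuse if changed."""
    fp = fingerprint(cert_der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp
        return "first-use"
    return "match" if pinned == fp else "mismatch"

def expiry_policy(not_after: datetime, now: datetime, grace_days: int = 30):
    """Soft expiry: warn in the renewal window, escalate delay after expiry,
    hard-fail only once the (assumed) grace period is exhausted.
    Returns (verdict, delay_seconds)."""
    days_over = (now - not_after).days          # negative while still valid
    if days_over < -14:
        return "ok", 0
    if days_over < 0:
        return "warn", 0                        # renewal window: log, don't block
    if days_over >= grace_days:
        return "reject", 0
    # delay doubles for each day past expiry, capped at 60 s, so operators notice
    return "delay", min(2 ** days_over, 60)

def decide(store: dict, host: str, cert_der: bytes, not_after: datetime, now: datetime) -> dict:
    """Combine the pin check and the expiry policy. A rejection is a hard stop;
    there is deliberately no 'retry over HTTP' branch."""
    pin = tofu_check(store, host, cert_der)
    if pin == "mismatch":
        return {"action": "reject", "reason": "pin-mismatch", "delay": 0}
    verdict, delay = expiry_policy(not_after, now)
    if verdict == "reject":
        return {"action": "reject", "reason": "expired-beyond-grace", "delay": 0}
    return {"action": "proceed-https", "reason": verdict, "delay": delay, "pin": pin}

if __name__ == "__main__":
    # Constructed sample data: a fake DER blob and a cert that expired 3 days ago.
    store, cert = {}, b"constructed-cert-der-bytes"
    expired = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(decide(store, "example.test", cert, expired, expired + timedelta(days=3)))
```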
Thread author: Robᵉʳᵗ Graham