Scott Helme Profile picture
Feb 21 18 tweets 13 min read
@fastly have been working on building their own Certificate Authority called Certainly. Their request to be included in the Mozilla Root Store was made in Aug last year [1]. Nothing unusual about that, but becoming a new Root CA is a *long* process..

[1] bugzilla.mozilla.org/show_bug.cgi?i…
I've you've attended our TLS/PKI Training [2], you'll know all about this process, but it will take a few years before the new Root CA is widely trusted.

[2] feistyduck.com/training/pract…
cc: @feistyduck @ivanristic
The first delay is getting approved by all of the Root Stores operators. The second delay is actually distributing the new Root Certificates to all clients via updates. I've talked extensively about this problem in the past! [3][4][5][6]
We know of how much of an issue this can be, specifically the distribution part, thanks to @letsencrypt and their recent deployment [7][8] of their own Root CA Certificates.

[7] scotthelme.co.uk/lets-encrypt-p…
[8] scotthelme.co.uk/lets-encrypts-…
According to the Certainly CPS [9], we will be getting two new Root CA Certificates. I doubt we will be seeing server certificates issued from these roots and being widely trusted for another few years.

[9] certainly.com/repository/Cer… Image
It all sounds very similar to @letsencrypt so far, and it is, but so is the solution to waiting years for your new Root CAs to be widely trusted/distributed. A cross-signature! [10] In an interesting twist, it seems it will be provided by @GoDaddy.

[10] groups.google.com/a/mozilla.org/…
The proposed setup for the new cross-signed Intermediates even looks very similar to the legacy setup of the @letsencrypt cross-signatures from @IdenTrustGov [11].

[11] letsencrypt.org/2020/09/17/new… Image
I'm hoping, though, that there won't be the same issues [12][13][14] for Certainly as the Let's Encrypt transition from their cross-signed intermediates to their own intermediates.

[12] scotthelme.co.uk/lets-encrypt-t…
[13] scotthelme.co.uk/lets-encrypt-p…
[14] scotthelme.co.uk/lets-encrypt-r…
This is largely because the Starfield Root CA that @GoDaddy will use for the cross-sign doesn't expire until 2037 [15][16], giving Certainly ~15 years to get their roots approved and distributed.

[15] crt.sh/?id=221795
[16] search.censys.io/certificates/2…
Contrast that to @letsencrypt who issued their Root CA in 2015 [17][18] and had their cross-signed intermediates signed by a Root CA expiring in 2021 [19][20]. They only had ~6 years to get their Root approved and distributed, and it didn't go off without a hitch... [21]
This means we shouldn't have to worry too much about the Certainly transition from their cross-signed intermediates to their own Root CA in the future as they will have plenty of time, and it should go a little more smoothly than the Let's Encrypt transition did!
One thing I don't know, but I have asked in MDSP [22] and I'm waiting for the comment to be approved, is whether or not Certainly will be a publicly accessible CA or just for use by Fastly customers.

[22] groups.google.com/a/mozilla.org/…
Maybe @fastly could even clarify that here for us? The @GoDaddy announcement of the cross-signatures doesn't exclude the possibility, but it also doesn't confirm it. It would be *awesome* to see yet another free, publicly accessible ACME CA out there!!
@fastly @GoDaddy Certainly is even built on Boulder [23], the CA software that powers Let's Encrypt!

[23] github.com/letsencrypt/bo… Image
There are currently 3 alternatives to @letsencrypt that I know of who offer free certificates via ACME [24][25][26]. Adding another one would be epic! 🔐🌍💚

[24] scotthelme.co.uk/having-a-backu…
[25] scotthelme.co.uk/introducing-an…
[26] scotthelme.co.uk/heres-another-…
cc: @buypass @zerosslHQ @sslcorp
@letsencrypt @buypass @zerosslHQ @sslcorp Update: My comment was approved, let's see what happens! groups.google.com/a/mozilla.org/…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Scott Helme

Scott Helme Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Scott_Helme

Feb 23
I'm considering changing the grading criteria on @securityheaders to allow an A+ grade with a CSP that contains unsafe-inline in the style-src directive. What are your thoughts?
This is largely because I've not seen any significant threats posed by inline styles, and, even popular frameworks like Angular require unsafe-inline in the style-src directive: angular.io/guide/security…
I'm tempted to allow the A+ because I don't want it to be unreasonable to achieve the best possible grade. I want the A+ to be the best that site operators can reasonably do to protect themselves and their visitors.
Read 5 tweets
Dec 9, 2021
It's been a while since I've had chance to sit down and produce a report on the security of the Top 1 Million sites, but thanks to @Venafi's support, the crawler project lives on and a brand new report is out! venafi.com/blog/crawler-r…
It takes a lot of resources to gather this data and a lot of time to analyse it all and write the report, so genuinely, it wouldn't have happened without them. There hasn't been a report for 18+ months so let's take a look at what changed! 😎
HTTPS adoption continues to surge 🔐📈

72% of sites in the Top 1M are now actively redirecting HTTP --> HTTPS 🤩

We're using more HTTPS right now than at any point in history... 😮
Read 14 tweets
Dec 7, 2021
Currently trying to sign in to AWS but it's borked so I decided to take a look around and found a buggy CSP. Image
They have defult-src 'none' and then specify allowed hosts, values in direct contradiction with each other. Image
Even Chrome knows it and, fortunately for them, ignores the 'none' keyword otherwise this page would look spectacularly awful. Image
Read 4 tweets
Dec 6, 2021
I'm laughing and crying at the same because this is actually how it works 🤣😭
I also recall @zeeg once talking about customers on a $50/mo sub wanting custom legal terms / NDAs / security reviews etc... but I can't find the tweet. It'd take us years to recoup the cost of onboarding them.
The latest one today is "Dear Scott, we signed up to your service and now as our supplier your are required to x, y and z". Security questionnaire, supplier questionnaire, NDA, provide various compliance certs if we have them and they need our invoices in a different format 🤷‍♂️
Read 4 tweets
Sep 29, 2021
🚨🚨🚨 5 minutes until the Let's Encrypt R3 intermediate expires 🚨🚨🚨

29 September 2021 19:21:40 UTC
TANGO DOWN 😅
Are we still here?
Read 59 tweets
Sep 29, 2021
Working with @spazef0rze is never dull... 🤣 Image
Sadly, this change did not pass our stringent review process. Image
Well.... I really did ask for this didn't I... 🤣🤣 Image
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(