In the next few hours, https://crt.sh/?id=1 will expire.

You’re going to start seeing disruptions, like https://support.roku.com/article/360049417393, most commonly due to embedded TLS libraries being shit at chain building. That includes OpenSSL, due to https://rt.openssl.org/Ticket/Display.html?id=2634 (u/p is “guest”).
The problem is that so much software assumes certificates form a single linear chain. They don’t. The ASCII art in RFC 4158 should help show it: they’re directed, distributed, cyclic graphs, with a wide variety of trust anchors and constraints.
Lots of embedded software doesn’t handle this. OpenSSL was, and is, fundamentally shit at verifying “real” certificates. It has a long history of not coping with the Internet, and only really handling toy/Enterprise specific CAs that are linear. But even then, not very well.
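To make the "chain vs. graph" point concrete, here is an added toy model (not OpenSSL's or any other library's code; all certificate names, dates and the trust store are constructed) of the situation the thread describes: the server sends a chain through a cross-signed intermediate up to an expiring root, a second copy of the same intermediate is signed by a still-valid root, and the verifier either walks the list it was handed or builds a path RFC 4158-style over every certificate with a matching subject.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # expiry, UTC


# Constructed sample: "Intermediate" exists twice with the same subject and
# key, once cross-signed by the expiring OldRoot and once by NewRoot.
UTC = timezone.utc
NOW = datetime(2020, 5, 30, 12, 0, tzinfo=UTC)
OLD_ROOT = Cert("OldRoot", "OldRoot", datetime(2020, 5, 30, 10, 48, tzinfo=UTC))
NEW_ROOT = Cert("NewRoot", "NewRoot", datetime(2038, 1, 1, tzinfo=UTC))
INTER_OLD = Cert("Intermediate", "OldRoot", datetime(2020, 5, 30, 10, 48, tzinfo=UTC))
INTER_NEW = Cert("Intermediate", "NewRoot", datetime(2030, 1, 1, tzinfo=UTC))
LEAF = Cert("www.example.test", "Intermediate", datetime(2021, 1, 1, tzinfo=UTC))

SERVER_CHAIN = [LEAF, INTER_OLD, OLD_ROOT]  # what a misconfigured server sends
TRUST_STORE = {OLD_ROOT, NEW_ROOT}          # root store still ships both roots
SIDELOADED = {INTER_NEW}                    # cross-sign known to the verifier


def valid_at(cert, now):
    return cert.not_after > now


def verify_linear(chain, trust, now):
    """Naive verifier: treat the server-supplied list as *the* chain."""
    for cert in chain:
        if not valid_at(cert, now):
            return None  # stops dead at the expired cross-sign / root
    if chain[-1] not in trust:
        return None
    return chain


def build_path(leaf, candidates, trust, now):
    """Path builder: DFS over every cert whose subject matches the issuer."""
    by_subject = {}
    for c in candidates | trust:
        by_subject.setdefault(c.subject, []).append(c)

    def dfs(cert, path):
        if not valid_at(cert, now) or cert in path:
            return None  # prune expired certs and cycles (self-signed roots)
        path = path + [cert]
        if cert in trust:
            return path
        for issuer in by_subject.get(cert.issuer, []):
            found = dfs(issuer, path)
            if found:
                return found
        return None

    return dfs(leaf, [])
```

Run with `NOW` moved before the expiry and both verifiers accept the server's chain; after it, only the path builder finds the route through NewRoot, which is exactly the difference between clients that kept working and the ones that broke.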
If you use Golang, you’ll be fine. If you use CryptoAPI (Windows), you should be fine, as long as AuthRoot is enabled. If you use macOS 10.11 or later, you should be fine.

Android < Honeycomb? No dice.
OpenSSL < 1.1.x? Doomed.

That includes language bindings (PHP, Python, etc.).
As you hear of things failing, I’d love to hear about them and share them.

Because odds are, anything that fails is likely full of long-patched bugs because they aren’t actually maintaining their dependencies. Odds are, if there’s a bug bounty, there’s low-hanging fruit.
You can follow @sleevi_.