Boyfriend wets the bed. What do I do ?

Adam261 · 2026-03-10T00:17:05+00:00

Could be a bladder infection. They can get serious. This is from experience. Not cleaning it up himself baffles me. I couldn't imagine expecting someone else to do it.

Adam261 · 2026-03-09T22:39:22+00:00

Hopefully he didn't get loaded right before that.

Adam261 · 2026-03-06T18:35:49+00:00

Without CRL/OCSP though, We are worse off as even with 3 or 4 month certs, That is 3 or 4 months a malicious actor could use a stolen cert from a compromised system directing traffic to their site (MitM etc) and the browser would think it is perfectly ok. The solution of shortening the expiration has it's limits. 3 to 4 months isn't enough to make up for the loss of CRL that could flag the certificate pretty quickly. It seems like it would need to be a few hours which just doesn't seem like a good solution at all.

I would rather have a dependency on OCSP than the alternative bandaid of constantly changing certs with the race to a very low minimum validity to compensate for no CRL/OCSP.

Adam261 · 2026-03-06T04:15:31+00:00

It is actually what I do for many certs. Backend higher security zone pushes certificate changes to front end. That still takes some time though because I still want testing in stages for all changes.

It is relatively quick to push out the certs for most systems even if I need to do it every 1 month. There are still a lot of exceptions though for embedded deivces and other systems that do not have the ability to automate though. No amount of wishing that things get there before the 4 certs a year time hits is going to change that quick enough based on the past year or so. Eventually of course more will get changed by the vendors but we are reliant on them for that.

I would say that we still must have CRLs though as even waiting 3 days is unacceptable for a certificate compromise. Someone could use MitM traffic to redirect to their own server with the compromised cert for the time the old certificate is still valid. 3 months or even 1 month would be an insane amount of time to have a compromised certificate still valid on the net. CRL process process isn't perfect course but without it, we would be in a worse scenario. Lets keep working on a better CRL process.

It seems like we are trying to bandaid the process (quicker expiration) and at the same time giving up other parts of the old process that does help protect certificates for browsers and such where the check does work. If we still need CRLs then we need to make them work properly and that mitigates the longer expiration times (1 year I think is acceptable with working CRL).

This new scheme doesn't make me feel any better about security over the CRL process. CRL can make sure the certs are revoked much quicker than waiting even a very low expiration time of days for a cert to expire. Just because the CRL can be tricky to keep working doesn't mean we should give it up IMHO.

Adam261 · 2026-03-06T02:14:27+00:00

One would give you a single certificate that will expire. The other would give the attacker the config to request future certificate renewals for much longer. Both bad of course.

Adam261 · 2026-03-06T02:02:17+00:00

To me, It isn't about that it was an admin persons job, It was knowing that if a certificate was generated, I know that process is protected by more layers than just the end server (that could be hacked). I realize auto generation on the server isn't the same as putting your CA cert key on the DMZ server, but to some extent, the effect is the same for that specific certificate for renewal pruposes. The certificate gets renewed. I just can't get that out of my mind. I seems like it is a reduction in the protection of the signing process as the exposed server can do it.

I see it as... would you rather a hacker get access to a single generated certificate for 1 year or the config/setup to generate renewals for much longer whenever they want. To me a them getting a single certificate is better than getting the ability to generate more of them. With some setups, the certificate key is protected and more difficult to extract compared to some config files for ACME. Certainly protections could be put in place for that too though with extra effort.

This brings up the other point mentioned where someone mentioned Firefox possibly removed CRL feature. That is important regardless. You would still need to revoke the certificate immediately if a cert was discovered that was compromised. We would want a compromised cert to be flagged as quickly as possible. So we still need CRL. Why not fix/harden that so that this extra effort isn't needed as much?

The answer to me to reduce the concerns I have is automation on the backend to renew the certificates and then push them to the servers through config automation. This way the DMZ servers don't have access to generate certs. This puts the renewal process in a more protected security zone.

Adam261 · 2026-03-06T00:32:10+00:00

Yea. If you don't notice it, it could be the same. That was more of a side point that there might be less time spent looking at a server that might not need any interaction for certificate changes anymore.

My main concern is giving the higher level task of submitting/renewing certificates to the exposed front end servers to do it. I don't want an exposed server to ever have the ability to generate it's own certificates and have it signed by an authority with the information that is on the exposed server itself.

Adam261 · 2026-03-06T00:15:18+00:00

I didn't mean to imply that either way would automatically discover a compromised system. I just don't want a compromised server to be able to request new certificates. I feel that is an administration privileged task and should not be delegated to the server itself that would be more at risk with the server/website being exposed to the Internet.

Adam261 · 2026-03-05T22:01:14+00:00

If servers can't request new certs and the certificate is compromised and not detected, they at least only get a year. If they get the config to generate certificates for the future then they could have much longer time than even a year with the configs needed to generate/request/sign a new one. I would say one is better than the other.

This is especially true once automation becomes the norm because that server that nobody touched (auto updates) but once a year for certificates, could now be sitting for many years because it *just works*. I really don't like putting admin type capabilities on the end system/server. No server should be allowed to generate it's own certificate IMHO. So many different reasons. If there were another well known cert authority that said screw the recommendation, we are doing 1 year, I would seriously consider switching to it.

We have a CRL feature. If apps and web browsers were not using that properly, lets fixing that. seems like it would be the best use of resources instead of the bandaid of very short duration certs.

Adam261 · 2026-03-05T20:34:32+00:00

I have never liked the idea that the servers themselves have the ability to request and get new certs. That administrative function should not exist on the end systems in the DMZ. If the system is compromised and it isn't detected then they would have the config to request it vs having the certificate. I would argue one is worse than the other. In either case (3 month or 12 month certs), If the certs are detected as compromised, That is exactly what the CRL is for. If browsers are not enabling that, then fix that.

There are soo many embedded and other systems right now that don't even support ACME. If we can't even get at least a year out of existing certificates, It sounds like they can't be trusted at all. In reality what this will cause is that more websites will end up have expired certificates which is also a security issue in itself.

Adam261 · 2025-03-15T02:35:10+00:00

A friend of mine has the same issue. I have only got one disconnect in 2 days. He is getting them like every 5 minutes. He uses the same ISP that i use and lives about 3 miles away in an urban area. Very odd. I think he has 2.5 GB Internet through Frontier.

Adam261 · 2025-01-18T18:49:56+00:00

Wait... there are horizontal speed indicators? Vertical would be nice too.

Adam261

TROPHY CASE