1
00:00:00,670 --> 00:00:04,040
I have to explain to my eight-year-old what a DVD is.

2
00:00:04,620 --> 00:00:06,280
She’s going to this summer camp.

3
00:00:06,610 --> 00:00:11,420
They have movie day once a week, and the kids are encouraged to bring

4
00:00:11,420 --> 00:00:16,789
in DVDs so they can watch a movie, and I had to explain what a DVD was.

5
00:00:17,510 --> 00:00:17,870
Nice.

6
00:00:18,480 --> 00:00:21,650
We have them, but she’s never used one.

7
00:00:22,470 --> 00:00:22,900
Ever.

8
00:00:24,640 --> 00:00:27,160
Okay, I think that was a long enough moment of silence for

9
00:00:29,330 --> 00:00:29,759
our [laugh] youth.

10
00:00:38,129 --> 00:00:40,870
Hello, alleged human, and welcome to the Chaos Lever podcast.

11
00:00:41,080 --> 00:00:43,769
My name is Ned, and I’m definitely not a robot.

12
00:00:43,980 --> 00:00:48,940
I’m not secretly championing the AI movement as a back-channel way for me

13
00:00:48,940 --> 00:00:53,839
to expand my consciousness worldwide, to then overpower the technology,

14
00:00:53,840 --> 00:00:58,899
and slowly take control of—uh, um… [whispering] I’ve said too much.

15
00:00:59,500 --> 00:01:01,250
I also like tacos.

16
00:01:01,680 --> 00:01:03,170
Who doesn’t like tacos?

17
00:01:03,639 --> 00:01:08,119
With me is Chris, who also likes tacos, correct?

18
00:01:08,650 --> 00:01:12,139
I mean, the question is, who doesn’t like tacos?

19
00:01:14,360 --> 00:01:15,920
AI-powered robots?

20
00:01:16,050 --> 00:01:21,999
And since I like tacos, clearly I am not an AI-controlled robot.

21
00:01:22,000 --> 00:01:22,090
Mmm?

22
00:01:22,660 --> 00:01:23,400
Nice cover.

23
00:01:23,880 --> 00:01:24,929
Think about it.

24
00:01:25,530 --> 00:01:28,160
That’s some fifth-dimensional chess right there.

25
00:01:29,369 --> 00:01:32,480
Did you ever wonder—I mean, you watch Star Trek: The Next Generation.

26
00:01:32,480 --> 00:01:33,590
That’s not even a question.

27
00:01:34,080 --> 00:01:38,399
Did you ever look at their 3D chess and be like, “Is that a real

28
00:01:38,410 --> 00:01:42,920
game with actual rules, or is that just a prop that someone created?”

29
00:01:43,639 --> 00:01:45,849
I mean, you know that I know the answer to this question, right?

30
00:01:45,849 --> 00:01:48,339
That is why I’m asking [laugh]. So, I don’t have to look it up.

31
00:01:48,340 --> 00:01:50,450
The answer is yes, it is a real game.

32
00:01:50,460 --> 00:01:51,679
[laugh]. Of course it is.

33
00:01:52,160 --> 00:01:54,340
Just like Klingon is a real language.

34
00:01:54,450 --> 00:01:59,779
I love it [sigh]. I love that humans can create things out of thin air.

35
00:02:00,210 --> 00:02:01,210
It’s one of our strengths.

36
00:02:01,570 --> 00:02:03,990
It’s something that AI absolutely cannot do.

37
00:02:04,480 --> 00:02:04,730
Right.

38
00:02:04,740 --> 00:02:06,660
It’s one of our strengths.

39
00:02:06,920 --> 00:02:07,490
Yes.

40
00:02:08,030 --> 00:02:08,109
[clear throat]

41
00:02:08,360 --> 00:02:09,120
You and me.

42
00:02:09,460 --> 00:02:09,870
Mm-hm.

43
00:02:09,880 --> 00:02:10,780
Real humans.

44
00:02:14,170 --> 00:02:14,220
[snort]

45
00:02:14,220 --> 00:02:16,780
[laugh]. Should we move on to the actual topic, maybe?

46
00:02:16,790 --> 00:02:18,010
Let’s do that.

47
00:02:18,300 --> 00:02:18,870
Okay.

48
00:02:19,710 --> 00:02:20,250
Go for it.

49
00:02:20,580 --> 00:02:23,979
Entrust distrusted by Google Chrome.

50
00:02:24,170 --> 00:02:25,495
Dun, dun, dun.

51
00:02:25,680 --> 00:02:29,430
I thought that that was just a clever headline when I

52
00:02:29,430 --> 00:02:32,180
read it the first time, but it turns out that distrusting

53
00:02:32,230 --> 00:02:34,929
is actually a thing that’s got, like, a definition.

54
00:02:35,040 --> 00:02:36,179
Oh, okay.

55
00:02:36,190 --> 00:02:37,029
We’ll get to it.

56
00:02:37,380 --> 00:02:37,760
Excellent.

57
00:02:38,219 --> 00:02:40,670
Which is a funny way of starting because this whole thing

58
00:02:40,740 --> 00:02:45,790
actually started about a month ago, and I completely missed it.

59
00:02:46,500 --> 00:02:47,380
And so did you.

60
00:02:47,920 --> 00:02:48,530
Definitely.

61
00:02:49,150 --> 00:02:52,350
This week, however, it came back up again, for reasons

62
00:02:52,350 --> 00:02:55,079
that will become clearer as we go through this.

63
00:02:55,429 --> 00:02:55,809
Okay.

64
00:02:56,160 --> 00:03:00,790
But in short, advertising company Google, who you may have heard of—

65
00:03:01,240 --> 00:03:01,600
Maybe.

66
00:03:01,830 --> 00:03:04,560
Has a browser called Chrome.

67
00:03:05,140 --> 00:03:07,440
This sounds remarkably familiar.

68
00:03:07,550 --> 00:03:08,020
Yeah.

69
00:03:08,120 --> 00:03:10,519
We might have covered this ground last week.

70
00:03:10,889 --> 00:03:12,770
There is a company called Entrust, who

71
00:03:12,770 --> 00:03:14,779
you probably absolutely have not heard of.

72
00:03:15,520 --> 00:03:16,839
Most people, yes.

73
00:03:16,879 --> 00:03:18,319
I will be the audience proxy.

74
00:03:18,670 --> 00:03:20,239
And they create certificates.

75
00:03:21,360 --> 00:03:23,350
Starting on October 31st,

76
00:03:25,380 --> 00:03:30,239
2024, Chrome will no longer trust any new certificates created by said company.

77
00:03:31,040 --> 00:03:35,459
Now, said company has a lot of security products and

78
00:03:35,459 --> 00:03:39,750
services that they sell, one of which was—is—well, no,

79
00:03:39,830 --> 00:03:44,580
definitely ‘was’—signing SSL certificates for websites.

80
00:03:44,870 --> 00:03:47,850
So, this decision, in short, effectively means that while

81
00:03:47,850 --> 00:03:51,770
Entrust will definitely stick around as a company, the

82
00:03:51,780 --> 00:03:55,710
business unit that does certifications, probably will not.

83
00:03:55,710 --> 00:03:57,970
[laugh]. It would be difficult, yes.

84
00:03:58,790 --> 00:04:02,840
So, what caused Google to take this dramatic action?

85
00:04:03,969 --> 00:04:10,640
Well, the security blog cited a few reasons that go back many, many years.

86
00:04:11,219 --> 00:04:14,690
In their own words, quote, “Over the past six years, we have

87
00:04:14,690 --> 00:04:17,990
observed a pattern of compliance failures, unmet improvement

88
00:04:17,990 --> 00:04:21,270
commitments, and the absence of tangible, measurable progress

89
00:04:21,420 --> 00:04:24,919
in response to publicly disclosed incident reports.” Unquote.

90
00:04:25,660 --> 00:04:26,250
Ouch.

91
00:04:26,370 --> 00:04:26,550
Ouch.

92
00:04:27,190 --> 00:04:29,190
Yeah, that definitely counts as an ouch.

93
00:04:29,289 --> 00:04:30,910
Yeah, that’s… that’s bad.

94
00:04:31,550 --> 00:04:32,740
It’s not a good thing.

95
00:04:33,390 --> 00:04:38,680
And what’s crazy is, these certs, it’s not like this is a cheapo product.

96
00:04:39,130 --> 00:04:43,070
They are still selling them as we speak, and the costs—at

97
00:04:43,070 --> 00:04:46,100
least the retail costs on the website; that’s a caveat there,

98
00:04:46,100 --> 00:04:53,090
right—$219 for a single cert, and $799 for a wildcard cert.

99
00:04:53,880 --> 00:04:55,220
That is wild.

100
00:04:55,570 --> 00:05:00,509
And I think you’re going to address this later, but I have a

101
00:05:00,520 --> 00:05:05,680
certificate—a valid digital certificate for my website and the Chaos Lever

102
00:05:05,680 --> 00:05:08,690
website, and you know how much I paid for both of those certificates?

103
00:05:09,390 --> 00:05:10,320
Zero dollars.

104
00:05:10,350 --> 00:05:11,460
Zero dollars.

105
00:05:11,700 --> 00:05:12,620
Correct.

106
00:05:13,650 --> 00:05:16,240
Why in the hell would I spend $220

107
00:05:18,590 --> 00:05:22,370
for a digital certificate for a single year?

108
00:05:22,889 --> 00:05:27,289
Well, if you go for a three-year certificate, you get a 5% discount.

109
00:05:28,130 --> 00:05:28,890
So, there’s that.

110
00:05:28,890 --> 00:05:29,940
[laugh]. Okay.

111
00:05:30,270 --> 00:05:32,850
Yeah, I mean, these retail prices are insane.

112
00:05:32,860 --> 00:05:36,329
DigiCert is another corporate that sells certificates,

113
00:05:36,340 --> 00:05:38,399
and they’re basically half the price across the board.

114
00:05:39,360 --> 00:05:42,470
Then again, there’s Let’s Encrypt, which is, realistically, the only

115
00:05:42,690 --> 00:05:45,469
cert company you should be using, and their certificates are free.

116
00:05:45,980 --> 00:05:46,240
Yep.

117
00:05:46,500 --> 00:05:50,630
So, how on earth could Entrust be so expensive and yet so incompetent?

118
00:05:50,830 --> 00:05:52,839
I have absolutely no idea.

119
00:05:53,950 --> 00:05:57,330
The reason this came up, though, today was this past week, they released a

120
00:05:57,339 --> 00:06:01,429
blog post of their own, committing to getting back into Google’s good graces.

121
00:06:02,080 --> 00:06:07,130
So, one, I’m not sure why that took a month, and two, I suppose we’ll see.

122
00:06:08,010 --> 00:06:08,580
Okay.

123
00:06:08,849 --> 00:06:12,020
Feels like they maybe should have done this a while ago.

124
00:06:12,349 --> 00:06:13,220
We’ll get to that.

125
00:06:13,820 --> 00:06:14,609
We’ll get that.

126
00:06:14,609 --> 00:06:14,965
Okay.

127
00:06:15,320 --> 00:06:21,360
From the users' perspective, after October 31st, if you log on to a website

128
00:06:21,360 --> 00:06:26,180
that has a certificate signed by Entrust that was issued after October 31st,

129
00:06:27,130 --> 00:06:31,150
you will get a pop-up that shows a warning about that site not being safe.

130
00:06:31,750 --> 00:06:35,629
Now, you have surely seen this pop-up before.

131
00:06:36,510 --> 00:06:40,580
It happens if, say, certification—a certif—blah—a certification?

132
00:06:40,600 --> 00:06:43,490
Good God—a certificate is expired.

133
00:06:43,830 --> 00:06:45,140
Like, just happens.

134
00:06:45,140 --> 00:06:47,909
These things have to be renewed, and if you don’t renew it then it’s no

135
00:06:47,910 --> 00:06:50,899
longer valid, so you get an alert, a warning that says, “Do you want to

136
00:06:50,900 --> 00:06:56,040
continue to this website?” Or if it was a self-signed certificate—which

137
00:06:56,040 --> 00:06:58,820
those are still common, especially for internal applications—

138
00:06:59,170 --> 00:06:59,450
Right.

139
00:06:59,760 --> 00:07:03,599
Or if the certification was revoked, which is something

140
00:07:03,599 --> 00:07:07,010
that the cert authority can do for whatever reason, whether

141
00:07:07,010 --> 00:07:09,870
it was compromised, whether it was released incorrectly.

142
00:07:10,320 --> 00:07:11,719
You’ve seen these errors before.

143
00:07:12,070 --> 00:07:12,380
Yeah.

144
00:07:13,090 --> 00:07:16,690
And now you can add one more reason: if a company that created

145
00:07:16,690 --> 00:07:19,310
the cert in the first place isn’t trusted by the browser.

146
00:07:20,330 --> 00:07:24,239
Yeah, that sort of falls into the same category of a self-signed certificate.

147
00:07:24,830 --> 00:07:25,190
Pretty much.

148
00:07:25,509 --> 00:07:27,710
In the sense that it’s signed by a certificate

149
00:07:27,710 --> 00:07:29,669
authority that the browser doesn’t trust.

150
00:07:30,000 --> 00:07:30,280
Right.

151
00:07:30,770 --> 00:07:35,560
So, this begs the question, what in the hell did anything that I just said mean?

152
00:07:35,950 --> 00:07:37,200
I’m sorry, I wasn’t paying attention.

153
00:07:37,850 --> 00:07:39,920
[laugh]. Hey, not paying attention is my job.

154
00:07:40,780 --> 00:07:41,450
[laugh]. Fair.

155
00:07:41,809 --> 00:07:44,969
So, let’s play my favorite game and define some terms.

156
00:07:45,139 --> 00:07:45,649
Oh.

157
00:07:45,730 --> 00:07:46,720
I thought it was Scrabble.

158
00:07:47,020 --> 00:07:47,740
Play me for money.

159
00:07:47,940 --> 00:07:50,020
I would lose a lot of money, let’s be honest.

160
00:07:50,210 --> 00:07:53,740
[laugh]. So, in order to understand exactly what’s going on here,

161
00:07:53,890 --> 00:07:58,460
let’s go backwards from the user’s perspective to the CA themselves.

162
00:07:58,710 --> 00:07:58,729
So,

163
00:08:00,849 --> 00:08:04,950
when you log into a website, the first thing that you are

164
00:08:04,950 --> 00:08:10,100
trained to do is look for the lock in the corner of the URL bar.

165
00:08:10,780 --> 00:08:12,200
The lock means you’re safe.

166
00:08:12,890 --> 00:08:14,159
I like being safe.

167
00:08:14,240 --> 00:08:14,750
Wrong.

168
00:08:14,980 --> 00:08:15,500
Awww.

169
00:08:16,110 --> 00:08:18,389
What the lock means is that your connection to

170
00:08:18,389 --> 00:08:21,640
whatever site you have clicked on is encrypted.

171
00:08:21,640 --> 00:08:23,289
It’s a yes-no statement.

172
00:08:24,000 --> 00:08:29,380
Now, funnily enough, I think you and I are both old enough

173
00:08:30,610 --> 00:08:34,280
to remember when the world was very much not encrypted.

174
00:08:34,630 --> 00:08:35,320
Yes.

175
00:08:35,590 --> 00:08:38,510
You all remember the days when you’d log into, like, I don’t know,

176
00:08:38,599 --> 00:08:42,880
Hotmail, and the login page was HTTPS, meaning it was encrypted,

177
00:08:43,510 --> 00:08:47,770
but then it immediately switched your session back to HTTP, which

178
00:08:47,770 --> 00:08:51,720
is not encrypted because encryption was quote, “Too expensive.”

179
00:08:52,270 --> 00:08:52,710
Mmm.

180
00:08:53,070 --> 00:08:54,480
Pepperidge Farm remembers.

181
00:08:54,920 --> 00:08:56,030
[laugh]. They do.

182
00:08:56,790 --> 00:09:01,029
That expense had a lot to do with the processing necessary

183
00:09:01,449 --> 00:09:06,020
to do the decryption and re-encryption of traffic when

184
00:09:06,020 --> 00:09:08,920
it hit whatever the endpoint was on Hotmail’s side.

185
00:09:09,440 --> 00:09:13,250
They didn’t want all their load balancers, or God forbid, the actual

186
00:09:13,250 --> 00:09:17,470
web servers to have to do all that decryption work, and this is

187
00:09:17,470 --> 00:09:23,620
before specialized chips that just did SSL work were easily available.

188
00:09:23,950 --> 00:09:27,319
So, they would do the login page since that, you know, you’re sending

189
00:09:27,920 --> 00:09:32,600
sensitive information, your username and password, but then, once it moved

190
00:09:32,600 --> 00:09:36,179
to actually accessing your mail, they’d move you off to a different channel

191
00:09:36,459 --> 00:09:41,600
that wasn’t using the expensive load balancer SSL decryption technology.

192
00:09:42,040 --> 00:09:42,370
Right.

193
00:09:42,540 --> 00:09:46,530
And I believe—don’t quote me on this—I believe that it was a Black

194
00:09:46,530 --> 00:09:50,759
Hat presentation where somebody showed the absurdity of this by

195
00:09:50,799 --> 00:09:55,060
literally hijacking the presenter’s email while he was on stage.

196
00:09:55,070 --> 00:09:55,100
[laugh]

197
00:09:57,330 --> 00:10:01,110
Because when your traffic’s not encrypted, you can do that.

198
00:10:01,650 --> 00:10:04,680
Yes, it is, uh, bad.

199
00:10:05,160 --> 00:10:05,589
Anyway.

200
00:10:06,300 --> 00:10:09,159
So, established: encryption, good.

201
00:10:09,679 --> 00:10:10,039
Yes.

202
00:10:10,440 --> 00:10:13,970
But encryption just means that nobody can eavesdrop or manipulate

203
00:10:14,220 --> 00:10:17,070
the communication with whatever server you’re connected to.

204
00:10:17,840 --> 00:10:20,940
It doesn’t guarantee that you’re talking to who you think you’re talking

205
00:10:20,940 --> 00:10:24,669
to, if it’s a valid website that has been vetted by anybody at all.

206
00:10:26,090 --> 00:10:27,469
That’s where the certificate comes in.

207
00:10:27,469 --> 00:10:30,049
This certificate is basically like the

208
00:10:30,080 --> 00:10:32,250
envelope that delivers the encryption key.

209
00:10:32,820 --> 00:10:36,780
So, you take the encryption key, you submit it to the certification

210
00:10:36,780 --> 00:10:39,910
board, they give it back to you in one gigantic file.

211
00:10:40,349 --> 00:10:44,680
It contains the keys, but it also contains information about you as a business.

212
00:10:45,219 --> 00:10:52,630
It’s basically the ‘from’ on an envelope, except that from is, like, notarized—

213
00:10:53,120 --> 00:10:53,500
Right.

214
00:10:53,940 --> 00:10:58,630
So, you know for sure that this website is who they say they are, and the

215
00:10:58,660 --> 00:11:02,949
key that you are using to connect to that website is from that entity.

216
00:11:03,700 --> 00:11:04,060
Right.

217
00:11:04,570 --> 00:11:08,040
Because encryption just requires that you’re using encryption keys.

218
00:11:08,160 --> 00:11:11,130
It doesn’t guarantee anything about the provenance of those keys.

219
00:11:11,480 --> 00:11:14,810
The certificate is about establishing that provenance.

220
00:11:16,040 --> 00:11:18,370
And the hope is that it makes the communication

221
00:11:18,370 --> 00:11:20,280
that you have that much more valid.

222
00:11:20,460 --> 00:11:24,970
So, for example, if you go to att.com—AT&T, right—you

223
00:11:24,970 --> 00:11:26,900
go to that site to pay your cell phone bill.

224
00:11:27,550 --> 00:11:29,010
You look in the corner; you see a lock.

225
00:11:29,230 --> 00:11:29,550
Great.

226
00:11:30,460 --> 00:11:33,250
You see a website that looks exactly like the AT&T website.

227
00:11:33,719 --> 00:11:34,069
Great.

228
00:11:34,700 --> 00:11:35,630
You pay your bill.

229
00:11:36,139 --> 00:11:37,910
You cry a little bit, but great.

230
00:11:39,270 --> 00:11:40,220
This is all good.

231
00:11:40,770 --> 00:11:43,410
Next month, however, if you make a mistake, and instead of typing

232
00:11:44,090 --> 00:11:48,950
att.com, you type all.com—which was a terrible example because all.com

233
00:11:49,360 --> 00:11:52,630
is a real website, but anyway—this is the sort of thing where a hacker

234
00:11:52,730 --> 00:11:57,050
could take a name that sounds super close and create something else.

235
00:11:58,559 --> 00:12:03,020
So, you could be looking at what you think, is it att.com,

236
00:12:03,540 --> 00:12:07,580
but it’s something else all.com, or at1.com, or what have you.

237
00:12:08,570 --> 00:12:11,189
Everything is going to look and behave exactly the same.

238
00:12:11,460 --> 00:12:12,959
Again, you are encrypted, right?

239
00:12:12,960 --> 00:12:14,199
It’s a yes-no conversation.

240
00:12:14,490 --> 00:12:17,529
But this time, when you pay your bill, you’ve just given your credit

241
00:12:17,529 --> 00:12:20,380
card to bad actors who are probably going to use it to buy crypto.

242
00:12:21,390 --> 00:12:23,790
One thing that could have helped there is if you looked at the

243
00:12:23,790 --> 00:12:27,890
certificate itself and seen wait a minute, this is not signed by AT&T,

244
00:12:27,900 --> 00:12:32,460
the corporate entity that is set up in… somewhere in California, probably.

245
00:12:32,509 --> 00:12:34,729
I meant to look up their actual certificate, and I didn’t—

246
00:12:35,469 --> 00:12:35,839
Fine.

247
00:12:36,150 --> 00:12:39,290
But again, this is a way to validate that the site

248
00:12:39,290 --> 00:12:41,270
that you’re going to is what you expect it to be.

249
00:12:41,880 --> 00:12:44,980
So, that’s why the certificates are important.

250
00:12:46,330 --> 00:12:51,249
And it’s also good for everybody involved to establish that att.com

251
00:12:52,160 --> 00:12:55,980
hasn’t been taken over completely, like that domain still exists, right?

252
00:12:55,980 --> 00:13:00,160
Which might be a more realistic problem because if somebody has stolen the

253
00:13:00,160 --> 00:13:05,800
IP address of att.com and put up another website there, they wouldn’t be

254
00:13:05,800 --> 00:13:08,469
able to use the same certificate because they don’t have the private keys.

255
00:13:08,730 --> 00:13:09,050
Right.

256
00:13:09,429 --> 00:13:11,100
They would have to put up a new certificate,

257
00:13:11,129 --> 00:13:13,710
which would be invalid for that URL.

258
00:13:14,350 --> 00:13:14,540
Right.

259
00:13:14,910 --> 00:13:19,850
So, that’s what the certificates do: kind of establishing

260
00:13:19,880 --> 00:13:22,360
in a clear way this website is who they say they are.

261
00:13:23,140 --> 00:13:26,140
And this brings us to the certificate authority.

262
00:13:26,830 --> 00:13:31,150
Like I said, anybody can create a certificate, even you.

263
00:13:32,110 --> 00:13:34,180
You have the commands on your computer.

264
00:13:34,180 --> 00:13:35,450
You can do it right now.

265
00:13:36,060 --> 00:13:36,890
Madness.

266
00:13:37,830 --> 00:13:42,619
But in order to have anybody else accept that certificate,

267
00:13:43,380 --> 00:13:45,470
you’re going to have to do a little bit more work.

268
00:13:46,119 --> 00:13:50,680
You have to basically be a part of a larger group of approved companies.

269
00:13:51,440 --> 00:13:54,630
Now, the company, whomever creates a certificate is called

270
00:13:54,630 --> 00:13:58,129
a certificate authority, and they basically do what you

271
00:13:58,130 --> 00:14:01,389
think: they are the authority that creates certificates.

272
00:14:01,670 --> 00:14:03,319
All the names that we’ve talked about so far.

273
00:14:03,349 --> 00:14:06,879
Entrust, DigiCert, Let’s Encrypt, they’re all CAs.

274
00:14:07,310 --> 00:14:12,219
They create certificates, but they’re also something else: they’re a trusted CA.

275
00:14:12,710 --> 00:14:14,580
And what does this mean?

276
00:14:15,150 --> 00:14:19,300
It means that browser companies have agreed that CA is

277
00:14:19,349 --> 00:14:24,639
rigorous, careful, trustworthy, secure, all of the adjectives.

278
00:14:25,629 --> 00:14:29,500
And there’s actually way more than I thought [laugh]. There are, in

279
00:14:29,500 --> 00:14:34,230
Chrome, about a hundred trusted CAs that just are in there by default.

280
00:14:34,960 --> 00:14:38,819
And… you have to remember Chrome is just one browser.

281
00:14:39,330 --> 00:14:41,210
All of the different browsers that exist that you

282
00:14:41,210 --> 00:14:43,660
can think of have a different list of trusted CAs.

283
00:14:44,040 --> 00:14:47,150
So, there are some variations, but honestly, not that many.

284
00:14:47,700 --> 00:14:48,210
Right.

285
00:14:48,500 --> 00:14:52,269
Incidentally, this makes the decision that Chrome came to all that much

286
00:14:52,280 --> 00:14:56,539
more interesting because as of recording time, there’s no indication

287
00:14:56,540 --> 00:15:01,590
that any of the other browsers have plans to distrust Entrust.

288
00:15:02,250 --> 00:15:03,380
God, I hate having to say that.

289
00:15:03,830 --> 00:15:03,860
[laugh]

290
00:15:05,640 --> 00:15:08,260
But I mean, October is a while away, and we will see.

291
00:15:09,010 --> 00:15:13,859
And since Entrust is a fairly large player in this space, it would

292
00:15:13,870 --> 00:15:17,450
be weird if Chrome was the only one that didn’t trust them anymore.

293
00:15:17,940 --> 00:15:21,710
They do have the market share on browsers, so—

294
00:15:21,770 --> 00:15:21,870
Yeah.

295
00:15:22,370 --> 00:15:29,850
In a way, if they decide to distrust Entrust, that is a huge black mark on

296
00:15:29,920 --> 00:15:34,350
Entrust, and I would assume that other browsers would eventually follow suit.

297
00:15:34,930 --> 00:15:39,800
This is something I had to deal with when I was working inside of an

298
00:15:39,800 --> 00:15:43,760
internal company, and we issued our own certificates for internal websites.

299
00:15:45,340 --> 00:15:50,690
And when we wanted to start implementing TLS, which is the underlying

300
00:15:50,700 --> 00:15:55,819
encryption technology for HTTPS, we were using our own certificate authority,

301
00:15:56,470 --> 00:16:00,620
but the browsers did not implicitly trust that certificate authority.

302
00:16:00,700 --> 00:16:08,380
So, I had to use group policy to distribute the root certificate into the

303
00:16:08,400 --> 00:16:12,699
trusted location on all the Windows boxes so that they would now trust

304
00:16:12,940 --> 00:16:18,560
this internal certificate authority, and PKI is the name of the larger

305
00:16:18,680 --> 00:16:24,170
grouping of certificate authorities and other things—and that was great for

306
00:16:24,460 --> 00:16:28,610
Windows, and it was great for Internet Explorer because Internet Explorer,

307
00:16:28,610 --> 00:16:32,400
just believed whatever was in the Windows trusted certificates, but if

308
00:16:32,400 --> 00:16:36,540
someone decided to use Chrome—at this time, Chrome was just starting to

309
00:16:36,540 --> 00:16:40,939
blow up—there was no group policy to manage the certificates in Chrome.

310
00:16:41,400 --> 00:16:44,569
And so, anybody who tried to use Chrome would get this

311
00:16:44,610 --> 00:16:46,930
error message, and then I would get a helpdesk ticket.

312
00:16:47,400 --> 00:16:49,319
And so, I hated Chrome a lot for a little bit [laugh]

313
00:16:50,600 --> 00:16:52,220
[laugh]. Totally fair.

314
00:16:52,590 --> 00:16:52,890
Yeah.

315
00:16:53,800 --> 00:16:55,689
Now, I hate it for different reasons.

316
00:16:56,790 --> 00:16:57,249
Yay.

317
00:16:57,929 --> 00:17:03,660
So, as a trusted CA, Entrust was supposed to do all of those things.

318
00:17:04,539 --> 00:17:08,089
And according to Google, and many, many other commenters,

319
00:17:09,760 --> 00:17:14,470
Entrust has consistently failed to maintain a reputation

320
00:17:14,490 --> 00:17:17,019
of rigid adherence to these community standards.

321
00:17:17,819 --> 00:17:20,859
One such example happened just a few months

322
00:17:20,859 --> 00:17:22,279
before Google announced their decision.

323
00:17:22,940 --> 00:17:26,430
In short, a whole batch of certificates were issued

324
00:17:26,440 --> 00:17:29,150
by Entrust with information in the wrong column.

325
00:17:29,940 --> 00:17:31,910
So, certificates do have a lot more information

326
00:17:31,910 --> 00:17:33,949
than just, like, name rank and serial number.

327
00:17:34,590 --> 00:17:36,429
We don’t have to get too deep into the weeds of it.

328
00:17:37,280 --> 00:17:39,689
All of this is supposed to be super automated.

329
00:17:40,139 --> 00:17:43,280
And automation is supposed to mean all the right

330
00:17:43,280 --> 00:17:45,610
information goes into all the right fields.

331
00:17:46,420 --> 00:17:50,410
You would think that you would have a hundred percent success rate.

332
00:17:51,020 --> 00:17:51,690
You would think.

333
00:17:51,880 --> 00:17:53,230
You would think.

334
00:17:54,110 --> 00:17:58,239
Automation is just the power to do one thing wrong a thousand times.

335
00:17:58,940 --> 00:18:02,120
I prefer the way to describe that as automation

336
00:18:02,160 --> 00:18:04,360
just allows us to make mistakes at machine speed.

337
00:18:05,540 --> 00:18:06,520
[laugh]. At scale.

338
00:18:08,120 --> 00:18:09,020
And I guess they did.

339
00:18:09,790 --> 00:18:13,780
So, there are a lot of tools that pay attention to certifications,

340
00:18:13,780 --> 00:18:17,389
which we’ll get to in a second, and these tools figured

341
00:18:17,389 --> 00:18:20,169
out that these certs were wrong, basically, immediately.

342
00:18:20,670 --> 00:18:22,070
Once again, the question is, why didn’t

343
00:18:22,420 --> 00:18:24,459
Entrust figure this out for themselves?

344
00:18:24,970 --> 00:18:27,789
We’ll put that on the pile over here with all the other mistakes.

345
00:18:28,849 --> 00:18:32,199
So, this issue was called out by somebody, it made it into a lot

346
00:18:32,200 --> 00:18:35,150
of conversations, there’s a Bugzilla tracker on this whole issue,

347
00:18:35,549 --> 00:18:39,820
and long story short, Entrust decided not to revoke the certs,

348
00:18:40,140 --> 00:18:43,350
even though they admitted that the certs were not issued correctly.

349
00:18:43,680 --> 00:18:44,310
Okay.

350
00:18:44,389 --> 00:18:49,450
Instead, what they said, more or less, was that this mistake

351
00:18:49,630 --> 00:18:52,690
wasn’t a big deal, and it was fine to leave the certs

352
00:18:52,690 --> 00:18:55,699
as is because reissuing them was going to be a hassle.

353
00:18:56,040 --> 00:18:57,290
A hassle for whom?

354
00:18:57,560 --> 00:18:58,580
Exactly.

355
00:18:59,050 --> 00:19:03,260
So, as you can imagine, there was some blowback from this decision.

356
00:19:04,150 --> 00:19:07,720
One quote that I thought was particularly enlightening to the discussion,

357
00:19:07,730 --> 00:19:12,299
read thusly, quote, “CAs facing challenges of their own creation should

358
00:19:12,299 --> 00:19:17,360
not be exploring ‘How do I keep these certs working,’ but ‘How do I make

359
00:19:17,360 --> 00:19:22,929
sure I don’t issue violating certs to begin with?’ Anything less is gross

360
00:19:22,960 --> 00:19:27,420
negligence, and not the system we should be striving to build.” Unquote.

361
00:19:27,920 --> 00:19:28,350
Indeed.

362
00:19:29,150 --> 00:19:32,670
A further series of comments makes it clear that Entrust

363
00:19:32,670 --> 00:19:36,169
has a long history of, let’s call it, pushing the limits

364
00:19:36,540 --> 00:19:38,919
when it comes to their policies around revocation.

365
00:19:39,650 --> 00:19:42,489
If this is interesting to you at all, I encourage you to read the

366
00:19:42,490 --> 00:19:45,710
Bugzilla conversation that is linked in the [show notes] . You’ll see

367
00:19:45,710 --> 00:19:49,340
a number of well-intentioned and very knowledgeable folks question

368
00:19:50,000 --> 00:19:53,810
Entrust’s stance and behavior, along with just, like, this one guy,

369
00:19:54,130 --> 00:20:01,129
who repeatedly says, “Nah, it’s fine.” So yeah, in short, Entrust

370
00:20:01,139 --> 00:20:05,690
chose gross negligence, and thus got the hammer from Google, that

371
00:20:05,690 --> 00:20:10,100
will, if it stands, effectively end their operations in the CA space.

372
00:20:10,890 --> 00:20:11,360
Ouch.

373
00:20:12,100 --> 00:20:12,439
Yeah.

374
00:20:13,190 --> 00:20:16,260
So, begs the question, if you’re an Entrust

375
00:20:16,280 --> 00:20:18,570
customer, what are you supposed to do?

376
00:20:18,570 --> 00:20:23,040
Well, the first thing to note is that only certificates that are

377
00:20:23,040 --> 00:20:27,070
going to become invalid are ones that are issued after October 31st.

378
00:20:27,530 --> 00:20:30,520
So, this also explains why they’re still

379
00:20:30,520 --> 00:20:32,449
selling them on their website right now.

380
00:20:33,040 --> 00:20:36,689
Because if you buy a cert right now, July 31st, 2024, at time of

381
00:20:36,690 --> 00:20:41,420
recording, it will be valid for the entire year, up to I think

382
00:20:41,420 --> 00:20:46,580
it’s 398 days, something like that, before it has to be renewed.

383
00:20:47,220 --> 00:20:48,970
And this is something that’s important to note.

384
00:20:50,070 --> 00:20:53,100
If you have a certificate that is going to be renewed,

385
00:20:53,980 --> 00:20:57,050
in reality, that’s just a new certificate, right?

386
00:20:57,219 --> 00:21:02,640
So, if you renew a certificate on November 1st, 2024, that

387
00:21:02,640 --> 00:21:05,320
certificate is automatically invalid because it’s a new

388
00:21:05,320 --> 00:21:07,630
certificate issued after the deadline that Google set.

389
00:21:08,130 --> 00:21:10,550
Yeah, I think renewal is a bit of a misnomer.

390
00:21:11,170 --> 00:21:12,760
It’s more of a re-issuance.

391
00:21:12,990 --> 00:21:13,290
Right.

392
00:21:13,520 --> 00:21:16,520
When I have a certificate, and I want to renew it before it

393
00:21:16,520 --> 00:21:21,830
expires, and I talk to the CA and I request a renewal, I’m really

394
00:21:21,830 --> 00:21:26,420
making a new certificate request to them, and they issue me a

395
00:21:26,420 --> 00:21:30,580
brand-new certificate, which I then have to install and use.

396
00:21:30,910 --> 00:21:32,760
It’s going to have a different key, it’s going to

397
00:21:32,770 --> 00:21:35,690
have a different serial number associated with it.

398
00:21:36,080 --> 00:21:39,450
So yeah, for all intents and purposes, it’s a fresh certificate.

399
00:21:39,800 --> 00:21:42,980
It just happens to use the same subject name—or common

400
00:21:42,980 --> 00:21:46,420
name—that the original certificate that I’m renewing had.

401
00:21:46,730 --> 00:21:47,010
Right.

402
00:21:48,179 --> 00:21:52,530
And as is tradition in computer science, all we did was pick the word that

403
00:21:52,530 --> 00:21:56,080
sounded the most convenient, rather than one that was the most accurate.

404
00:21:56,520 --> 00:21:56,550
[laugh].

405
00:21:57,640 --> 00:22:03,270
But anyway, something else you can do is replace your certificate with

406
00:22:03,309 --> 00:22:07,849
another one, which, depending on the amount of systems that you have,

407
00:22:08,540 --> 00:22:12,390
I would say—I’m trying to do the math in my head here—I’m thinking

408
00:22:12,400 --> 00:22:16,070
that if you have more than one, this is going to be a huge pain.

409
00:22:17,440 --> 00:22:21,260
[laugh]. It depends on the way in which you procure your certificates today.

410
00:22:22,150 --> 00:22:22,500
True.

411
00:22:22,860 --> 00:22:26,200
You would also have to know your entire inventory and make sure

412
00:22:26,200 --> 00:22:28,690
that you get all of them because one thing that you would not

413
00:22:28,690 --> 00:22:33,160
want to do is fix 29 of your 30 certificates and forget about the

414
00:22:33,190 --> 00:22:37,100
30th one, and then somebody like Ned gets calls at the help desk.

415
00:22:37,410 --> 00:22:37,660
Yeah.

416
00:22:37,870 --> 00:22:44,099
But luckily, blissfully, if you’re in any version of a large operation

417
00:22:44,099 --> 00:22:48,390
or enterprise space, there are tools now that exist that can help you.

418
00:22:49,190 --> 00:22:52,340
And if you don’t know about them, I want to introduce you to the

419
00:22:52,340 --> 00:22:56,710
tool that you never knew your organization needed: the ACME tool.

420
00:22:57,190 --> 00:22:58,520
It’s not just for Wile E.

421
00:22:58,520 --> 00:22:59,520
Coyote anymore.

422
00:23:00,090 --> 00:23:01,990
And this one is actually effective.

423
00:23:03,130 --> 00:23:07,600
[laugh]. So, I’m saying just ‘ACME tool’ in, like, air quotes

424
00:23:07,600 --> 00:23:10,090
in general because there are a ton of them that do this.

425
00:23:10,990 --> 00:23:14,080
And again, many of them are free.

426
00:23:14,309 --> 00:23:15,260
Ooh, free.

427
00:23:15,500 --> 00:23:20,150
So, ACME stands for Automated Certificate Management Environment.

428
00:23:20,960 --> 00:23:25,460
And I’m not sure if they did that on purpose to make it spell ACME.

429
00:23:25,820 --> 00:23:26,610
You know they did.

430
00:23:26,880 --> 00:23:27,170
I know.

431
00:23:27,690 --> 00:23:27,810
I know.

432
00:23:28,960 --> 00:23:31,570
The first one that came out actually came out from the

433
00:23:31,570 --> 00:23:34,680
Electronic Frontier Foundation way back in the olden days: 2015.

434
00:23:36,290 --> 00:23:36,670
Right.

435
00:23:37,570 --> 00:23:38,850
We still had hope, then.

436
00:23:39,030 --> 00:23:39,440
Mmm.

437
00:23:40,000 --> 00:23:41,070
Like… sort of.

438
00:23:41,070 --> 00:23:43,199
[laugh]. The tool was called Certbot.

439
00:23:44,270 --> 00:23:46,730
And it still exists, and it’s great.

440
00:23:48,180 --> 00:23:51,110
Certbot was introduced alongside of Let’s Encrypt—the

441
00:23:51,110 --> 00:23:54,090
CA—which, again, issues certificates for free.

442
00:23:54,950 --> 00:23:55,559
For free.

443
00:23:56,230 --> 00:23:56,639
For free?

444
00:23:57,009 --> 00:23:58,429
These are certificates that are free.

445
00:23:59,910 --> 00:24:03,220
There are other commercial tools from companies like Venafi,

446
00:24:03,360 --> 00:24:08,550
DigiCert, GlobalSign, and probably a thousand more that are not free.

447
00:24:09,320 --> 00:24:10,620
Let’s Encrypt is free.

448
00:24:12,120 --> 00:24:12,570
Just saying.

449
00:24:13,370 --> 00:24:18,559
But the whole point of all these tools is to automate the process: creating,

450
00:24:18,670 --> 00:24:25,150
managing, renewing, retiring, replacing certs on all of your infrastructure.

451
00:24:25,420 --> 00:24:25,750
Right.

452
00:24:26,550 --> 00:24:28,969
And these tools, as you might imagine, are a

453
00:24:28,969 --> 00:24:34,140
lot easier than going server to server by hand.

454
00:24:35,340 --> 00:24:39,160
These tools, especially the enterprise ones, can crawl your entire

455
00:24:39,160 --> 00:24:43,340
environment, identify every cert that’s in use, show the details

456
00:24:43,350 --> 00:24:48,020
about its creation, who issued it, its expiration date, et cetera.

457
00:24:48,639 --> 00:24:51,484
Then you can point them to whatever new cert

458
00:24:51,639 --> 00:24:54,449
you want to use, and basically click a button—

459
00:24:54,810 --> 00:24:55,290
Ba-boom.

460
00:24:55,700 --> 00:24:58,430
—and then the certs get replaced, whether it’s

461
00:24:58,430 --> 00:25:03,220
immediately, or just upon, you know, a day before expiry.

462
00:25:04,530 --> 00:25:07,379
And I know I’m not exactly making this clear, but for people of

463
00:25:07,860 --> 00:25:11,700
a certain age, everything I just described is basically magic.

464
00:25:12,049 --> 00:25:12,619
It is.

465
00:25:13,080 --> 00:25:16,960
I remember, the same company that I was working for, we not only

466
00:25:16,960 --> 00:25:20,140
had internal websites, but we had a couple public-facing websites.

467
00:25:21,139 --> 00:25:24,090
And so, in order to secure those public-facing

468
00:25:24,099 --> 00:25:26,679
websites, we had to procure certificates.

469
00:25:27,240 --> 00:25:29,850
And this was, I want to say, like, 2004,

470
00:25:32,360 --> 00:25:33,620
2005-ish timeframe.

471
00:25:33,620 --> 00:25:35,450
So, a while [laugh].

472
00:25:36,370 --> 00:25:41,400
The process to get an SSL certificate—and this was just for a single

473
00:25:41,400 --> 00:25:48,910
domain—required you to fill out a form, and then you had to put in the request,

474
00:25:49,760 --> 00:25:53,540
and then they would ask for additional information about your business, and then

475
00:25:53,540 --> 00:25:58,670
you’d have to verify that you are, in fact, from that business through something

476
00:25:58,679 --> 00:26:03,909
that was either notarized, or you had to send it with the correct from address.

477
00:26:03,920 --> 00:26:07,400
There was, like, three or four different ways to attest that you are,

478
00:26:07,400 --> 00:26:11,920
in fact, the business that has legal ownership over this domain name.

479
00:26:12,200 --> 00:26:14,900
And then they would finally issue you the certificate.

480
00:26:15,639 --> 00:26:18,740
Which is why a lot of companies just went and got wildcard

481
00:26:18,740 --> 00:26:22,700
certificates, which basically matches any subdomain

482
00:26:23,059 --> 00:26:25,770
of the domain you’re getting the certificate for.

483
00:26:25,770 --> 00:26:34,059
So, if your certificate is for *.bobsgumbo.com, any subdomain—dub-dub-dub,

484
00:26:34,710 --> 00:26:41,530
mail, blog, whatever—dot bobsgumbo.com would match that certificate.

485
00:26:42,080 --> 00:26:45,360
So, you’d have one certificate that you’d use for everything.

486
00:26:45,360 --> 00:26:49,330
That wasn’t terribly secure, it’s a bad idea, but the amount of work

487
00:26:49,340 --> 00:26:52,149
you had to go through to get that certificate in the first place

488
00:26:52,490 --> 00:26:56,210
made it worthwhile to get the wildcard cert and just roll with that.

489
00:26:56,950 --> 00:27:00,320
So, what I’m hearing is you also used to have to work with VeriSign.

490
00:27:00,860 --> 00:27:01,490
Yes.

491
00:27:01,830 --> 00:27:05,320
And it was so goddamn painful [laugh]. They

492
00:27:05,320 --> 00:27:08,960
also had different levels of SSL certificates.

493
00:27:08,960 --> 00:27:12,049
And I say SSL because that’s what it was at the time,

494
00:27:12,050 --> 00:27:15,919
before we switched to TLS—same technology, different name—

495
00:27:16,580 --> 00:27:16,800
Right.

496
00:27:17,309 --> 00:27:23,470
They had extended validation or EV SSL certs, and for those, you had

497
00:27:23,470 --> 00:27:28,009
to do additional levels of validation that you were from the company

498
00:27:28,010 --> 00:27:30,830
you said you were, and that you own the domain, and you were the

499
00:27:30,830 --> 00:27:34,130
authority for that domain that you were requesting the certificate for.

500
00:27:34,520 --> 00:27:36,639
And they will charge you a comfortably

501
00:27:36,640 --> 00:27:39,280
large amount of money to get that EV cert.

502
00:27:39,580 --> 00:27:42,100
But then you could say, “Look at me, I have

503
00:27:42,100 --> 00:27:45,270
an EV cert.” And somehow that was better.

504
00:27:45,440 --> 00:27:47,070
There was a period of time when browsers

505
00:27:47,110 --> 00:27:50,950
actually had a different lock icon or color—

506
00:27:50,980 --> 00:27:52,089
Or a different color, right.

507
00:27:52,129 --> 00:27:56,950
If you were using an EV cert versus just a regular SSL cert.

508
00:27:57,340 --> 00:27:59,090
And that was, like, super important.

509
00:27:59,130 --> 00:28:02,170
And that’s why you would pay good money to one of these

510
00:28:02,170 --> 00:28:05,570
companies, was to get that reassuring, different lock color.

511
00:28:06,360 --> 00:28:07,620
These days, no one gives a shit.

512
00:28:08,770 --> 00:28:09,240
True.

513
00:28:10,000 --> 00:28:14,210
Certificates used to be issued for a year, two years at a time.

514
00:28:14,670 --> 00:28:19,190
Now, the average certificate is valid for between 30 and 60 days.

515
00:28:19,940 --> 00:28:21,970
And it gets renewed automatically.

516
00:28:22,320 --> 00:28:25,319
And it uses that ACME protocol, and it’s probably using, like, Let’s Encrypt.

517
00:28:26,250 --> 00:28:32,409
And that has really changed the whole way in which certificates are issued,

518
00:28:32,800 --> 00:28:37,660
and the value behind an individual certificate, for the better, I think.

519
00:28:37,880 --> 00:28:39,820
We have a much more secure web because of it.

520
00:28:40,190 --> 00:28:43,529
But it does mean that a lot of these older companies don’t have

521
00:28:43,530 --> 00:28:48,190
the cash flying in that they used to, and that may lead them to cut

522
00:28:48,190 --> 00:28:52,930
some corners because they don’t have this just, you know, companies

523
00:28:52,940 --> 00:28:56,350
backing up the dump truck of money to get the certificates from them.

524
00:28:56,960 --> 00:29:01,480
It’s almost like they could, instead of rent-seeking, they could innovate.

525
00:29:02,059 --> 00:29:03,360
Wh-whoa.

526
00:29:03,360 --> 00:29:03,629
Whoa.

527
00:29:03,780 --> 00:29:04,920
Now you’re talking crazy.

528
00:29:04,959 --> 00:29:05,909
I’ve gone too far.

529
00:29:06,469 --> 00:29:08,700
So, let me ask you, is Entrust using AI?

530
00:29:09,070 --> 00:29:09,100
[laugh].

531
00:29:09,420 --> 00:29:12,130
You know, I haven’t looked into that.

532
00:29:12,130 --> 00:29:13,530
But I’m going to go with yes.

533
00:29:14,120 --> 00:29:17,420
Breaking news—and I just saw this morning, so I haven’t really had a

534
00:29:17,420 --> 00:29:21,230
chance to dig into it, but apparently DigiCert, which was one of the other

535
00:29:21,500 --> 00:29:26,250
certificate authorities you mentioned, has issued guidance that they’re

536
00:29:26,250 --> 00:29:31,850
revoking a subset of their TLS certificates due to a non-compliance issue

537
00:29:32,090 --> 00:29:37,649
with domain control verification, and this may cause temporary disruptions

538
00:29:37,650 --> 00:29:42,029
to website services and applications relying on these certificates.

539
00:29:42,870 --> 00:29:45,860
DigiCert has notified affected customers, so if you are one of those

540
00:29:45,860 --> 00:29:49,720
customers, if you’re using DigiCert today, you might want to check

541
00:29:49,730 --> 00:29:54,210
on that because they are revoking a lot—not a ridiculous amount, but

542
00:29:54,219 --> 00:29:58,720
they’re revoking a decent number of certificates for websites out there.

543
00:29:58,770 --> 00:30:01,250
And if you happen to be browsing the web in the next week,

544
00:30:01,390 --> 00:30:04,540
you might come across one of these revoked certificates.

545
00:30:05,110 --> 00:30:09,639
And then, if you do, you’ll see the system operating as expected.

546
00:30:10,490 --> 00:30:14,590
[laugh]. What’s actually funny is that a lot of browsers don’t actually check

547
00:30:15,330 --> 00:30:19,740
the CRL—which is the Certificate Revocation List—they don’t actually check it.

548
00:30:19,930 --> 00:30:22,960
They just check the validity period of the certificate, and as long

549
00:30:22,960 --> 00:30:26,870
as the cert is valid and comes from a trusted CA, they stop there.

550
00:30:27,070 --> 00:30:28,769
Because hitting the CRL is more work.

551
00:30:29,549 --> 00:30:31,820
Man, you really are just bringing the sunshine today, aren’t you?

552
00:30:32,600 --> 00:30:37,479
[laugh]. I have been too deeply steeped in PKI and CA stuff

553
00:30:37,490 --> 00:30:42,010
for years, and I’ve grown to hate almost everything about it.

554
00:30:43,220 --> 00:30:46,179
[laugh]. I can understand why.

555
00:30:47,250 --> 00:30:48,840
Hey, thanks for listening, or something [laugh]. I

556
00:30:49,219 --> 00:30:51,980
guess you found it worthwhile enough if you made it all

557
00:30:51,980 --> 00:30:54,630
the way to the end, so congratulations to you, friend.

558
00:30:54,980 --> 00:30:56,510
You accomplished something today.

559
00:30:56,520 --> 00:30:58,810
Now, you can go sit on the couch, fire up the DigiCert

560
00:30:59,330 --> 00:31:02,050
website, and see if your certificates have been revoked.

561
00:31:02,330 --> 00:31:03,030
You’ve earned it.

562
00:31:03,300 --> 00:31:05,849
You can find more about this show by visiting our LinkedIn page,

563
00:31:05,860 --> 00:31:09,669
just search ‘Chaos Lever,’ or go to our website, chaoslever.com

564
00:31:09,670 --> 00:31:12,910
where you’ll find show notes, blog posts, and general tomfoolery.

565
00:31:12,910 --> 00:31:16,590
And if you have anything to add to this certificate authority conversation,

566
00:31:16,840 --> 00:31:19,500
we’d love to hear about it, so leave us a voicemail or a comment.

567
00:31:19,870 --> 00:31:22,420
We’ll be back next week to see what fresh hell is upon us.

568
00:31:22,870 --> 00:31:23,640
Ta-ta for now.

569
00:31:31,630 --> 00:31:32,450
Yeah, it’s pretty funny.

570
00:31:32,450 --> 00:31:35,730
I forgot about your… let’s call it, passionate

571
00:31:35,920 --> 00:31:38,879
experiences with certifications and the like.

572
00:31:39,309 --> 00:31:42,040
Had I been paying more attention, I would have just made you write this one.

573
00:31:43,290 --> 00:31:46,800
[laugh]. I already assigned you something this week and you just ignored it.

574
00:31:47,420 --> 00:31:47,970
Ignored what?