LibreSSL languishes on Linux

Posted Jan 6, 2021 8:22 UTC (Wed) by tialaramex (subscriber, #21167)
In reply to: LibreSSL languishes on Linux by Cyberax
Parent article: LibreSSL languishes on Linux

> You still can work around it by issuing backdated certificates. I think that window is going to close in 2 years, though.

For Chromium the relevant code is published: https://source.chromium.org/chromium/chromium/src/+/maste... look at lines around 950 or so

There are four epochs we care about:

1. Ancient history, before there were any rules at all, Chromium arbitrarily assumes certificates must not have had lifetimes exceeding ten years. Did any certificates actually do that? Maybe, but they've never worked in Chrome, so we can assume they're not used. This epoch ended in 2019, and so is now irrelevant

2. The original Baseline Requirements began in July 2012 and allow 60 months (which is to say, five years) for grandfathered scenarios. However in April 2015 this rule changed, so the last such certificate expired last year, in April 2020.

3. The "modern" Baseline Requirements from April 2015 allow 39 months in all cases. This regime ended by consent in March 2018. So the last such certificate expires 1188 days after that at the end of May 2021, almost five months from now.

4. The last such consensual BR amendment in March 2018 allows 825 days. This ended de facto in September 2020. So the last such certificate expires 825 days later, in December 2022. _However_ the CT enforcement rules start May 2018. So a "backdated" certificate issued under this regime has to be prior to May 2018, which means it expired during or before August 2020, last year.

Thus, as you can see, the only backdating option that could mechanically work is a certificate which claims it was issued in late 2017 or early 2018 and expires before end of May 2021.

It is extremely unlikely that such certificates have been created after the CT deadline or will be made in the next few months. If detected they would likely result in the issuing CA being distrusted, yet their practical value to a subscriber is minimal compared to just getting a CT logged certificate.

But if you're concerned anyway and can't wait until June this year simply modify Chromium source to always require SCTs. In practice there likely won't be any sites you use that are still relying on this very narrow exclusion window to function, by February 2018 most vendors were giving unsophisticated subscribers certificates with SCTs baked in already and 1188 days is the very maximum allowable, most certificates will have had far shorter lifespans.