Full Disclosure mailing list archives
Re: Expired certificate
From: Dan Kaminsky <dan () doxpara com>
Date: Thu, 22 Jul 2010 21:05:56 -0400
> Operationally, it just shouldn't be that big a deal to schedule a maintenance every few years. Like expiring domain registrations, the hardest part is simply to not lose track of it. The Accounting dept in an organization can sometimes help to not forget that stuff.
Shouldn't? That's a nice word. What does the data say?

Suppose I have five hundred web servers with five hundred expiration dates, strewn out roughly uniformly over a three year period. That means, I have about one expiration every two days. Now, to run a change:

1) A purchase must be made, of the thing to be changed
2) A meeting must be scheduled, to organize the change (especially if, as you suggest, an external organization tracks these things)
3) An administrator must be tapped to implement the change in non-peak time
4) The change must happen
5) The change must be tested and validated
6) The new expiration time must be confirmed for tracking purposes

Let's say this is 8 man hours. That means this is 4,000 man hours of work. Assume the employee doing this work has an average cost to the company of $60/hr (remember, you need to roughly double the cost of a full time employee, after you factor in benefits, payroll taxes, etc). That's $240K/yr being spent to manage three year expirations, just on labor.

And, of course, you see the result of this: People don't go ahead and put 500 different certs on 500 different machines. Instead, you end up with an Internet having but a million SSL endpoints, only half of which even pretend to have a validating certificate.

Costs can hide. Consequences are another matter.