Manifest V24EVA; Holy Shrinking TLS Certificate Lifespans, Batman!; Gosub
We’ve got a web-focused edition, today, and I ranted enough about certificates that I’ll save the WordPress rant for later in the week.
TL;DR
(This is an AI-generated summary of today’s Drop using Ollama + llama 3.2 and a custom prompt.)
- Google warns users that popular ad blocker uBlock Origin and other extensions may be disabled in Chrome due to deprecation of Manifest V2 extension specification (https://www.bleepingcomputer.com/news/google/google-warns-ublock-origin-and-other-extensions-may-be-disabled-soon/)
- Apple proposes shrinking TLS certificate lifespans down to 45 days, which could create challenges for system administrators and increase costs for organizations (https://www.theregister.com/2024/10/15/apples-security_cert_lifespan/)
- Gosub is an open-source project building a new web browser engine entirely from scratch using Rust, with significant progress made in parsing HTML5 and CSS3 into document trees and performing basic rendering of simple HTML pages (https://gosub.io/)
Manifest V24EVA

Bleeping Computer dropped an article about Google warning users that the popular ad blocker uBlock Origin and other extensions may soon be disabled in Chrome due to the deprecation of the Manifest V2 extension specification. This has been a long time in the making, and it is worth noting that Firefox and Vivaldi have stated they will continue to support Manifest V2, providing alternatives for users who wish to keep using uBlock Origin. Arc is following the Google timeline for some reason, but is also planning to bake an ad blocker into their browser.
I dropped some info on how macOS folks can keep V2 extensions working until June of next year over on Mastodon that’s quick to reproduce here:
$ defaults write com.google.Chrome ExtensionManifestV2Availability -int 2
Change the key depending on your browser. e.g.,
- com.google.Chrome.beta
- com.vivaldi.Vivaldi
- com.vivaldi.Vivaldi.snapshot
- company.thebrowser.Browser (for Arc users)
Shoot me a note if you need the key for some other browser.
Linux folks can either do:
$ mkdir -p /etc/opt/chrome/policies/managed
or
$ mkdir -p /etc/chromium/policies/managed
and put this:
{
"ExtensionManifestV2Availability": 2
}
in a file called manifest_v2_policy.json in that directory.
The browser(s) need to be restarted for this to take effect.
Check it by going to chrome://policy/.
Holy Shrinking TLS Certificate Lifespans, Batman!

Apple is proposing a wholesale shrinkage of TLS certificate lifespans down to 45 days. It’s part of an ongoing industry trend to “enhance web security”. This change will 100% create challenges for system administrators. I was asked about the benefits of this lifespan reduction, and I’ll give the “industry veteran” response, then quickly suggest why this is a stupid move.
The theory goes that shorter certificate lifespans limit the window of opportunity for attackers to exploit compromised or stolen certificates. So, if a certificate is compromised, it will become invalid much sooner, reducing the potential damage. More frequent renewals also theoretically help make sure that websites are using the latest cryptographic standards and algorithms.
The “Zero Trust” cabal posits that short-lived certificates support “continuous verification and authentication”, which is one of the “Zero Trust” core principles.
Browser/network folks who prioritize speed believe that very short-lived certificates (on the order of days or weeks, as in the target of 45 days) could potentially eliminate the need for complex revocation mechanisms like CRLs (Certificate Revocation Lists) and OCSP (Online Certificate Status Protocol), as certificates would expire before revocation information becomes useful.
This all seems like the wonks need to find new hobbies, as I can’t see any good reason for further shrinkage.
Sysadmins will face a significantly increased workload managing certificate renewals more frequently, especially for systems that can’t be automated. Also, many network appliances and legacy systems don’t support automated certificate renewal, making the frequent manual updates a major challenge. More frequent renewals increase the risk of expired certificates, leading to service downtime and potential revenue loss. Even with automation, certs can still be busted if automation fails (which never happens, right?).
It’s frightening that Apple/Gooooogle and the entire Certification Authority Browser Forum (CA/B Forum) can, with a simple vote, potentially significantly increase costs for organizations who will almost certainly have to invest in new tools or personnel to manage the more frequent renewal process.
Oh, and standing up automation for this across an enterprise dramatically increases the attack surface of the entire organization — far more so than the theoretical safety benefits of shorter lifespans.
If you want to have your say, and potentially help sway the CA/B, hit their site and make your thoughts known.
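Added example (not from the original post): a small expiry monitor for the failure mode described above, where a renewal silently fails and a certificate lapses. It uses the 45-day figure from the post; the 2/3 renewal threshold, the host names and the dates are assumptions constructed for the sample.

```python
import socket
import ssl
from dataclasses import dataclass

DAY = 86400
PROPOSED_MAX_DAYS = 45  # lifespan figure quoted in the post
RENEW_AT = 2 / 3        # assumption: renew once 2/3 of the lifetime is used

@dataclass
class CertStatus:
    host: str
    lifetime_days: float
    days_left: float
    state: str  # expired | not-yet-valid | renew-now | ok
    over_proposed_max: bool

def assess(host, cert, now):
    """Classify a cert dict shaped like ssl.SSLSocket.getpeercert() output."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if now >= end:
        state = "expired"
    elif now < start:
        state = "not-yet-valid"
    elif now - start >= RENEW_AT * (end - start):
        state = "renew-now"
    else:
        state = "ok"
    lifetime = (end - start) / DAY
    return CertStatus(host, lifetime, (end - now) / DAY, state, lifetime > PROPOSED_MAX_DAYS)

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live leaf cert; an already-expired one fails the handshake instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample inventory (hypothetical hosts and dates) so this runs offline.
NOW = ssl.cert_time_to_seconds("Nov  5 00:00:00 2024 GMT")
INVENTORY = {
    "www.example.test": ("Oct  1 00:00:00 2024 GMT", "Nov 15 00:00:00 2024 GMT"),
    "appliance.example.test": ("Sep  1 00:00:00 2024 GMT", "Oct  4 00:00:00 2025 GMT"),
    "legacy.example.test": ("Sep  1 00:00:00 2024 GMT", "Oct 16 00:00:00 2024 GMT"),
}

def report(inventory=INVENTORY, now=NOW):  # results sorted most urgent first
    certs = {h: {"notBefore": nb, "notAfter": na} for h, (nb, na) in inventory.items()}
    return sorted((assess(h, c, now) for h, c in certs.items()), key=lambda s: s.days_left)
```

For live hosts, pass the result of fetch_cert(host) and the current epoch time to assess(); a handshake failure from fetch_cert is itself worth alerting on.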
Gosub

Gosub (GH) is a fairly ambitious open-source project that aims to build a new web browser engine entirely from scratch using Rust. The developers are making a modular and flexible engine that not only powers their own browser user-agent but will also serve as a standalone library for other projects.
The engine comprises several core components: HTML5 and CSS3 tokenizers and parsers, a document tree, JavaScript APIs and bridge, a configuration store, a networking stack, and a rendering engine. While it’s still in the early stages and doesn’t offer a fully usable browser yet, Gosub has made significant progress. It can parse HTML5 and CSS3 into document trees and perform basic rendering of simple HTML pages. Some components, like the JavaScript engine and networking stack, have been implemented but aren’t fully integrated yet.
While the browser will be a standalone executable, the engine is also designed to be compiled to WebAssembly for embedded web or edge use.
This is definitely one project to keep on the radar!
FIN
Remember, you can follow and interact with the full text of The Daily Drop’s free posts on Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev ☮️