Why do some websites change SSL certificates so frequently? [closed]

So after learning that Firefox was allowing developers access to see SSL certificate information, I happily switched over from Chrome to Firefox and installed Certificate Watch. I had to exclude the plugin's site to stop it from wiping its web storage whenever I close my browser, but what I've noticed is: SSL certificates are changing more frequently than I expected.

Now serverfault.com is an exception. It's changing certificates appropriately (every 3 months) which seems completely normal and absolutely on schedule to be expected. Issuer isn't changing or anything weird.

    serverfault.com Validity changed
    Stored: From:  2021-09-15 10:07:09 (*20 days ago*)
            Until: 2021-12-14 09:07:08 (in 70 days)
    New:    From:  2021-10-04 13:19:09 (*1 day ago*)
            Until: 2022-01-02 12:19:08 (in 89 days)
    Fingerprint changed

But what's going on with superuser.com?

    superuser.com Validity changed
    Stored: From:  2021-09-15 10:07:09 (20 days ago)
            Until: 2021-12-14 09:07:08 (*in 70 days*)
    New:    From:  2021-10-04 13:19:09 (*1 day ago*)
            Until: 2022-01-02 12:19:08 (in 89 days)
    Fingerprint changed

They changed their cert 70 days early only to give them an extra 20 days? Why do that?

Duckduckgo.com is still doing the traditional 1-yr changeover for SSL certs:

    duckduckgo.com Issuer changed
    Stored: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
    New:    CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US
    duckduckgo.com Validity changed
    Stored: From:  2021-06-30 21:00:00 (96 days ago)
            Until: 2021-11-25 19:59:59 (*in 51 days*)
    New:    From:  2021-10-01 21:00:00 (*3 days ago*)
            Until: 2022-11-02 20:59:59 (in 393 days)
    Fingerprint changed

They did a year change 21 days early; that just seems like the normal good ol' days of SSL certs. Their issuer changed, but it looks like it was just name maintenance. This seems like how it USED to be, for most of us normal web administrators.

My question is more about sites like Google and YouTube. All the Google sites really do this; it seems like they are going nuts, changing them early every month, randomly. All Google domains look like this, and YouTube too (accounts, gstatic, everything). It's like they have built a system to cycle through SSL certs very quickly on all their platforms.

    www.google.com Validity changed
    Stored: From:  2021-08-30 00:55:24 (36 days ago)
            Until: 2021-11-21 23:55:23 (*in 48 days*)
    New:    From:  2021-09-13 01:07:13 (*22 days ago*)
            Until: 2021-11-20 00:07:12 (in 46 days)
    Fingerprint changed

    youtube.com Validity changed
    Stored: From:  2021-08-29 22:36:08 (36 days ago)
            Until: 2021-11-21 21:36:07 (*in 48 days*)
    New:    From:  2021-09-12 22:38:37 (*22 days ago*)
            Until: 2021-11-19 21:38:36 (in 46 days)
    Fingerprint changed

Why are Google and some other sites rotating their certificates so quickly? They make them for 90 days, then they change them halfway through.

Their issuer is not changing, so it's clearly still them. Are they just extra paranoid or something? Is there something they know about SSL certs that we don't know about their longevity? I remember you used to get an RSA 4096 and you were good for at least a year.

They are changing them literally every month.

How long will it be till every week is a different cert? Or why not every request? Then we just rely on their "trusted" authority.

It would be a nice enhancement if that plugin could also record what type of cert was changing (TLS_AES_128_GCM_SHA256, 128 bits). It would be interesting to see how the certificate changes correlate with the encryption suite being used.

Any ideas, thoughts, or reasons? Is there something going on in the encryption space where an RSA 4096 isn't good enough for a year anymore?

EDIT: I just wanted to post an addendum to an amazing certificate change that happened today which blew my mind. 10-6-21


Duckduckgo.com, which I just mentioned yesterday as having put a 1-year cert in place 4 days ago, has now changed it to the following:

    Issuer changed
    Stored: CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US
    New:    CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
    Validity changed
    Stored: From:  2021-10-01 21:00:00 (4 days ago)
            Until: 2022-11-02 20:59:59 (*in 392 days*)
    New:    From:  2021-06-30 21:00:00 (97 days ago)
            Until: 2021-11-25 19:59:59 (*in 50 days*)
    Fingerprint changed

It looks like they changed their 1-year SSL cert back to their old one, with 50 days left, after 4 days! The dates and issuer all line up with the old cert. But WHY?

This just happened today!

Can anyone offer an explanation for this? More people need to check out this extension, these certificate changes are so wild and fun to observe!

I hate to get conspiratorial about these things, but these changes are weird, and there are a LOT of them. I wouldn't be posting if I noticed something odd here and there... these certificate changes are WILD and they happen all the time on lots of sites.

Yeah yeah I know "maybe some compatibility error somewhere got noticed after 4 days".
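One thing the extension cannot tell you is whether a single hostname is answering with one certificate or several, since it only stores the last one it saw. The script below is an added example (not the Certificate Watch extension's code and not from the original post): it performs a handful of TLS handshakes against the same name and reports how many distinct leaf certificates answered, with each one's validity window. The hostname default is taken from the question; the observation records in the test are constructed.

```python
import hashlib
import socket
import ssl
import sys
from collections import Counter


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated
    the way Firefox's certificate viewer displays it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Do one verified TLS handshake and return the leaf certificate's
    fingerprint, validity window (epoch seconds) and issuer CN."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()  # decoded dict, populated because verification is on
    issuer = dict(rdn[0] for rdn in info["issuer"])
    return {
        "fingerprint": fingerprint_sha256(der),
        "not_before": ssl.cert_time_to_seconds(info["notBefore"]),
        "not_after": ssl.cert_time_to_seconds(info["notAfter"]),
        "issuer": issuer.get("commonName", "?"),
    }


def summarize(observations: list) -> dict:
    """Group repeated handshakes by fingerprint. More than one distinct
    fingerprint within the same minute means several certificates are
    live behind the hostname at once (e.g. load-balanced servers that
    renewed independently), which a single-slot watcher shows as a
    'change' every time a different backend answers."""
    counts = Counter(o["fingerprint"] for o in observations)
    first_seen = {}
    for o in observations:
        first_seen.setdefault(o["fingerprint"], o)
    return {
        "handshakes": len(observations),
        "distinct_certs": len(counts),
        "seen": dict(counts),
        "validity": {fp: (o["not_before"], o["not_after"]) for fp, o in first_seen.items()},
    }


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"  # hostname from the question
    tries = int(sys.argv[2]) if len(sys.argv) > 2 else 5
    report = summarize([fetch_leaf(host) for _ in range(tries)])
    print(f"{host}: {report['distinct_certs']} distinct certificate(s) in {report['handshakes']} handshakes")
    for fp, (nb, na) in report["validity"].items():
        print(f"  {fp[:23]}...  seen {report['seen'][fp]}x  valid {nb} -> {na}")
```

Run it as `python3 watch.py youtube.com 10`; if two or more fingerprints show up with overlapping validity windows, the "changes" you were seeing are most likely different servers, not re-issuance.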


Solution 1:

But what's going on with superuser.com? They changed their cert 70 days early only to give them an extra 20 days? Why do that?

It could be that you're looking at two different servers (load-balanced) which renew their certificates independently from each other.

(The key point here is that the servers renew their own certificates. It's not the sysadmin manually getting a cert and doing the rounds. Thus, different servers might have different certificates, and renew them at different times, and it's not a problem.)

It could also be that the admins did deliberately initiate a renewal, due to the Let's Encrypt validation chain issues from last Friday (e.g. tried to switch to a different chain from the two available, and performing a renewal was the easier way to achieve this rather than manually twiddling with the certs). For example, I know I did use certbot renew --force-renew on my own servers so that Certbot would set up the ISRG-as-root chain instead of the DST-cross-sign one.

My question is more about sites like Google and YouTube. All the Google sites really do this; it seems like they are going nuts, changing them early every month, randomly.

When it comes to Google and YouTube, now you definitely are looking at several different servers handling their own certificates.

From what I remember, Google were in fact the ones pushing for certificate automation long before Let's Encrypt made it happen. They even had articles talking about how they make use of their own CA (GTS) to achieve automatic, short-lived certificates. (I unfortunately cannot find any of those articles anymore.)

They are changing them literally every month

They are. You didn't specify why this is a problem.

I mean, you already have to trust the CA to issue certificates correctly, whether it happens once a week or once a year. You already cannot know whether any given change was legitimate or not.

Whenever you see a sudden cert change, you have no way to distinguish the admin hitting "Force renew" or migrating from old webserver to a new one versus something malicious happening, merely from the fact that the certificate is different. All you're achieving is "alarm fatigue".

Is there something going on in the encryption space where an RSA 4096 isn't good enough for a year anymore?

Revocation, or lack thereof.

For example, it turns out that if a certificate is compromised (say, your webserver got hacked), it is really hard to revoke it reliably. Having browsers periodically download CRLs (revocation lists) of every single CA doesn't work all that well in practice, especially on devices with limited battery life or read-only storage. (As CRLs must continue listing revoked certificates until their natural expiry, they could grow into tens of megabytes!)

Having browsers check with the issuer via OCSP is both a privacy issue and a reliability issue. (Imagine SomeCA getting informed every time anyone visits any site that uses SomeCA. And imagine all those sites becoming inaccessible whenever SomeCA goes down because the revocation check couldn't be performed.) Mozilla tried a centrally aggregated "OneCRL", but while this covers some issues, it doesn't handle the next one.

Another issue is that those certificates don't get revoked when the domains do. Let's say someone got a 3-year certificate for a domain, then a few weeks later sold you the domain. Well, they still have a 3-year certificate for it!

So the general opinion is that certificates just shouldn't last that long to begin with – quite possibly even weeks, not years.
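The load-balancing explanation above can be checked against the notifications pasted in the question: if the "new" certificate's start date is earlier than the stored one's, no new certificate was issued at all; an older certificate simply came back into view, which is exactly what independently renewing servers behind one name look like from the outside. The triage script below is an added example, not the extension's code and not the answerer's; the two records embedded in it are copied from the question, and the category names and the "fraction of lifetime used" metric are my own.

```python
import re
from datetime import datetime

# Two Certificate Watch notifications copied from the question above.
SUPERUSER_CHANGE = """\
superuser.com Validity changed
Stored: From: 2021-09-15 10:07:09 (20 days ago)
Until: 2021-12-14 09:07:08 (*in 70 days*)
New:    From: 2021-10-04 13:19:09 (*1 day ago*)
Until: 2022-01-02 12:19:08 (in 89 days)
Fingerprint changed
"""

DUCKDUCKGO_CHANGE = """\
Issuer changed
Stored: CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US
New:CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Validity changed
Stored: From: 2021-10-01 21:00:00 (4 days ago)
Until: 2022-11-02 20:59:59 (*in 392 days*)
New:From: 2021-06-30 21:00:00 (97 days ago)
Until: 2021-11-25 19:59:59 (*in 50 days*)
Fingerprint changed
"""

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
# Issuer lines are "Stored: CN=..." / "New:CN=..." (spacing varies in the extension's output).
ISSUER_RE = re.compile(r"^\s*(Stored|New):\s*(CN=.*?)\s*$", re.MULTILINE)


def parse_change(text: str) -> dict:
    """Extract the stored/new validity windows and issuers from one notification.
    Timestamps always appear in the order: stored From, stored Until, new From, new Until."""
    dates = [datetime.strptime(d, "%Y-%m-%d %H:%M:%S") for d in DATE_RE.findall(text)]
    if len(dates) != 4:
        raise ValueError("expected exactly four timestamps, found %d" % len(dates))
    issuers = dict(ISSUER_RE.findall(text))
    return {
        "stored": (dates[0], dates[1]),
        "new": (dates[2], dates[3]),
        "issuer_stored": issuers.get("Stored"),
        "issuer_new": issuers.get("New"),
    }


def classify(change: dict) -> dict:
    """Decide what kind of change this is, from the validity windows alone."""
    (s_from, s_until), (n_from, n_until) = change["stored"], change["new"]
    issuer_changed = (change["issuer_stored"] is not None
                      and change["issuer_stored"] != change["issuer_new"])
    if n_from < s_from:
        # The "new" cert was issued BEFORE the one we had stored: it is an older
        # certificate still in service, so another server behind the same hostname
        # answered this time. Nothing was re-issued.
        kind, fraction_used = "older_cert_reappeared", None
    elif n_from < s_until:
        # Genuine early renewal: how much of the stored cert's lifetime had elapsed.
        kind = "renewed_early"
        fraction_used = (n_from - s_from) / (s_until - s_from)
    else:
        kind, fraction_used = "renewed_after_expiry", None
    return {
        "kind": kind,
        "issuer_changed": issuer_changed,
        "fraction_used": fraction_used,
        "new_lifetime_days": (n_until - n_from).days,
    }


def triage(text: str) -> dict:
    return classify(parse_change(text))


if __name__ == "__main__":
    for name, text in (("superuser.com", SUPERUSER_CHANGE), ("duckduckgo.com", DUCKDUCKGO_CHANGE)):
        print(name, triage(text))
```

For the superuser.com record the change lands at roughly 21% of the stored certificate's lifetime, which is not a renewal-tool threshold; for the duckduckgo.com record the "new" cert predates the stored one, so the extension was simply shown the other certificate that was already in service. A watcher that only alerts on `issuer_changed` to a different organisation, rather than on every fingerprint change, avoids the alarm fatigue the answer describes.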

Solution 2:

Today, renewing certificates and installing the new versions is often automated. Also, new certificates can be obtained for free from CAs like Let's Encrypt. This means there is no significant cost to changing certificates often. But renewing certificates long before they expire provides more robustness, because if something goes wrong one has enough time to fix the problem.