We — As A Community — Just Aren’t Good At PKI
Are you into cybersecurity? Yes? Can you explain how PKI (public key infrastructure) works? If you can, well done, but for many professionals in cybersecurity, the use of public key encryption and, more generally, digital certificates is all a bit vague. This is often highlighted by major outages when someone forgets to renew a certificate on a key service, which then brings down the whole infrastructure. To me, the Internet has two fundamental weak points: DNS and PKI. If either were to fail, or a major hack happened, the Internet would effectively shut down.
And so, for all the silliness in these areas, Mozilla has embarrassed itself with the expiry of a root certificate [here]:
“On March 14, 2025, a root certificate used to verify signed content and add-ons for various Mozilla projects, including Firefox, will expire. Without updating to Firefox version 128 or higher (or ESR 115.13+ for ESR users, including Windows 7/8/8.1 and macOS 10.12–10.14 users), this expiration may cause significant issues with add-ons, content signing and DRM-protected media playback.”
Surely someone who looks after the company's code and infrastructure must have known when the root certificate was due to expire? Well, it happened to Microsoft, too, when the whole of the Azure Cloud was taken down for a whole day.
It should be remembered that root certificates often have long validity periods, as they are so crucial as roots of trust on a machine. Here is a list of root certificates for my Windows VM:
From this, you can see that some do not expire until 2048. If users do not update their browser, there is a risk that security checks stop happening: blocklists for harmful content and certificate revocation lists will no longer be updated, and the intermediate certificates signed by the expired root would no longer validate.
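The kind of check that would have caught an expiring root before it became an outage, as an added example (not from the original post): it walks the Windows machine root stores and reports any root certificate that is already expired or will expire within a warning window. It assumes an elevated PowerShell session on Windows and the standard store paths; the one-year warning window is an arbitrary default.

```powershell
# Added example: report root certificates in the Windows trust store that are
# expired or will expire within a warning window. Assumes it runs in an
# elevated PowerShell session on Windows; the store paths are the standard ones.
param(
    [int]$WarnDays = 365   # assumed default: warn when a year or less remains
)

function Get-ExpiringRootCerts {
    param(
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'),
        [int]$WarnDays = 365
    )
    $now = Get-Date
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            # Whole days remaining (negative once the certificate has expired)
            $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
            $status = if ($_.NotAfter -lt $now) { 'EXPIRED' }
                      elseif ($daysLeft -le $WarnDays) { 'WARNING' }
                      else { 'OK' }
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                Status     = $status
            }
        }
    }
}

# Only the roots that need attention, soonest expiry first
Get-ExpiringRootCerts -WarnDays $WarnDays |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object NotAfter |
    Format-Table Status, DaysLeft, NotAfter, Subject -AutoSize
```

Run it on a schedule and alert on any WARNING or EXPIRED row; an expired root in this list means every intermediate and leaf chaining to it will fail validation on that machine.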
Conclusions
Go learn how digital certificates and PKI work: https://asecuritysite.com/digitalcert