[HN Gopher] Urgent and Important - Rotate Your Amazon RDS, Auror...
       ___________________________________________________________________
        
       Urgent and Important - Rotate Your Amazon RDS, Aurora, and
       DocumentDB Certs
        
       Author : jeffbarr
       Score  : 74 points
       Date   : 2020-01-07 17:55 UTC (5 hours ago)
        
 (HTM) web link (aws.amazon.com)
 (TXT) w3m dump (aws.amazon.com)
        
       | insomniacity wrote:
       | > Regions - Rotation is needed for database instances in all
       | commercial AWS regions except Asia Pacific (Hong Kong), Middle
       | East (Bahrain), and China (Ningxia).
       | 
       | I wonder why?
       | 
       | Are these CAs subject to... shall we say, additional government
       | oversight?
        
         | jrockway wrote:
         | If the government wants your database, I'm guessing they just
         | ask Amazon for a copy. They don't need to break TLS to do that.
        
           | insomniacity wrote:
           | Yes, but if they're already in the network (although I've
           | nothing to suggest they are), MITMing the database connection
           | means they get the data immediately, rather than at the next
           | quasi-judicial request.
        
         | jontro wrote:
         | It's because those regions were created after the 2019
         | certificate was released. Hence there is no 2015 cert for
         | those.
         | https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Using...
        
           | insomniacity wrote:
           | Fair enough - I didn't realise they'd launched regions that
           | recently!
        
             | jontro wrote:
             | The Ningxia region might not support encryption. That one
             | was released in 2017. Unsure about this one.
        
               | jon-wood wrote:
               | Yeah, Ningxia is a weird region. It's run under license
               | by a Chinese company, and KMS isn't available, which by
               | extension means most encryption isn't either since that's
               | all built on top of KMS these days.
        
               | Cpoll wrote:
               | I wonder why they do that instead of asking for access to
               | the private keys.
        
       | Nitramevfank wrote:
       | Here's probably a silly question: Shouldn't this work
       | automatically? I just assumed they would have an intermediate CA
       | or whatever it's called and have that certificate be signed by
       | some widely trusted CA.
       | 
       | Or have they done it in a different way for security reasons?
        
         | gramakri wrote:
         | Just guessing: maybe this is to avoid breakage if the clients
         | have pinned the old certificate.
        
         | jontro wrote:
         | For MySQL at least you need to specify what CA or cert to
         | trust. There is no default CA which MySQL will try to use. So
         | once a CA expires you will have to rotate it.
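The check behind this comment, as an added example that is not code from the AWS post or from anyone in the thread: verify an endpoint against the downloaded CA bundle and classify whether it still serves a leaf from the old CA. The bundle path, the new CA's issuer CN and the sample certificate are assumptions or constructed placeholders, not values from the page.

```python
"""Classify the certificate an RDS/Aurora/DocumentDB endpoint presents.
Added example, not code from the AWS post or the thread. Assumes the combined
CA bundle from AWS is saved as CA_BUNDLE; NEW_CA_CN is a placeholder."""
import socket
import ssl
import time
from typing import Optional

CA_BUNDLE = "rds-combined-ca-bundle.pem"  # assumed download location
NEW_CA_CN = "<issuer CN of the new CA>"   # placeholder, read it from the bundle
EXPIRY_WARNING = 30 * 86400               # warn when under 30 days remain


def issuer_cn(cert: dict) -> str:
    """Pull the CN out of getpeercert()'s issuer, a tuple of RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def rotation_status(cert: dict, new_ca_cn: str, now: Optional[float] = None) -> str:
    """'rotate' if the leaf is still signed by an old CA, 'expiring' if it is
    on the new CA but ends within EXPIRY_WARNING seconds, otherwise 'ok'."""
    now = time.time() if now is None else now
    if issuer_cn(cert) != new_ca_cn:
        return "rotate"
    if ssl.cert_time_to_seconds(cert["notAfter"]) - now < EXPIRY_WARNING:
        return "expiring"
    return "ok"


def fetch_cert(host: str, port: int, ca_bundle: str = CA_BUNDLE) -> dict:
    """Fetch the leaf cert from an endpoint that speaks TLS from the first byte
    (DocumentDB). MySQL and PostgreSQL negotiate TLS inside their own wire
    protocol, so inspect those through the client's --ssl-ca option instead."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # handshake fails if the CA is missing
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape; not a real RDS certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("commonName", "Old Root CA"),)),
    "notAfter": "Mar  5 21:54:59 2020 GMT",
}
```

Run rotation_status(fetch_cert(host, port), NEW_CA_CN) per DocumentDB endpoint; for MySQL, the same decision follows from what the client reports after connecting with --ssl-ca pointed at the new bundle.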
        
       | koksik202 wrote:
       | Great to see Jeff present on Hacker News reminding customers to
       | rotate certs.
        
         | inopinatus wrote:
         | I am ex-AWS (forced out after inadvertently hiring and
         | developing the Beast) and therefore qualified to comment.
         | There's some mixup here I think, it's James Hamilton that owns
         | a ship. Some cynics say that Jeff Bezos started Blue Origin
         | just to upstage Hamilton, since Jeff can now say he owns a
         | _space_ ship. Even that isn't true, though. Jeff was just
         | trying to earn thrust, as part of a long-term fitness programme
         | - I'm sure you've seen the candid images of his guns - to get
         | lean and bi-curious.
        
           | gamegoblin wrote:
           | Jeff Barr, not Jeff Bezos. Jeff Barr runs the AWS blog.
        
             | inopinatus wrote:
             | They're different in more ways than you think. Fun fact,
             | Jeff Bezos passed on acquiring Whatsapp because he's
             | secretly biased against Acton. Talk about getting your
             | signals crossed.
        
       ___________________________________________________________________
       (page generated 2020-01-07 23:00 UTC)