[HN Gopher] Urgent and Important - Rotate Your Amazon RDS, Auror...
___________________________________________________________________
Urgent and Important - Rotate Your Amazon RDS, Aurora, and DocumentDB Certs
Author : jeffbarr
Score  : 74 points
Date   : 2020-01-07 17:55 UTC (5 hours ago)

(HTM) web link (aws.amazon.com)
(TXT) w3m dump (aws.amazon.com)

| insomniacity wrote:
| > Regions - Rotation is needed for database instances in all
| > commercial AWS regions except Asia Pacific (Hong Kong), Middle
| > East (Bahrain), and China (Ningxia).
|
| I wonder why?
|
| Are these CAs subject to... shall we say, additional government
| oversight?
|
| jrockway wrote:
| If the government wants your database, I'm guessing they just
| ask Amazon for a copy. They don't need to break TLS to do that.
|
| insomniacity wrote:
| Yes, but if they're already in the network (although I've
| nothing to suggest they are), MITMing the database connection
| means they get the data immediately, rather than at the next
| quasi-judicial request.
|
| jontro wrote:
| It's because those regions were created after the 2019
| certificate was released. Hence there is no 2015 cert for
| those.
| https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Using...
|
| insomniacity wrote:
| Fair enough - I didn't realise they'd launched regions that
| recently!
|
| jontro wrote:
| The Ningxia region might not support encryption. That one
| was released in 2017. Unsure about this one.
|
| jon-wood wrote:
| Yeah, Ningxia is a weird region. It's run under license
| by a Chinese company, and KMS isn't available, which by
| extension means most encryption isn't either since that's
| all built on top of KMS these days.
|
| Cpoll wrote:
| I wonder why they do that instead of asking for access to
| the private keys.
|
| Nitramevfank wrote:
| Here's probably a silly question: Shouldn't this work
| automatically? I just assumed they would have an intermediate CA
| or whatever it's called and have that certificate be signed by
| some widely trusted CA.
|
| Or have they done it in a different way for security reasons?
|
| gramakri wrote:
| Just guessing: maybe this is to avoid breakage if the clients
| have pinned the old certificate.
|
| jontro wrote:
| For mysql at least you need to specify what CA or cert to
| trust. There is no default CA which mysql will try to use. So
| once a CA expires you will have to rotate it.
|
| koksik202 wrote:
| Great to see Jeff present on Hacker News reminding customers to
| rotate certs.
|
| inopinatus wrote:
| I am ex-AWS (forced out after inadvertently hiring and
| developing the Beast) and therefore qualified to comment.
| There's some mixup here I think, it's James Hamilton that owns
| a ship. Some cynics say that Jeff Bezos started Blue Origin
| just to upstage Hamilton, since Jeff can now say he owns a
| _space_ ship. Even that isn't true, though. Jeff was just
| trying to earn thrust, as part of a long-term fitness programme
| - I'm sure you've seen the candid images of his guns - to get
| lean and bi curious.
|
| gamegoblin wrote:
| Jeff Barr, not Jeff Bezos. Jeff Barr runs the AWS blog.
|
| inopinatus wrote:
| They're different in more ways than you think. Fun fact,
| Jeff Bezos passed on acquiring Whatsapp because he's
| secretly biased against Acton. Talk about getting your
| signals crossed.
___________________________________________________________________
(page generated 2020-01-07 23:00 UTC)
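An added example (not from the thread, and not AWS tooling) illustrating gramakri's and jontro's point about clients that trust one specific CA file: it builds throwaway "old" and "new" root CAs with the openssl CLI, issues a server certificate under the new root, and shows that verification against the old root alone fails while a bundle holding both roots still verifies during the transition. The file names and the CN values are made up for the demo.

```shell
#!/bin/sh
# Added example: what a client that pins a single CA file sees once the
# server's certificate is re-issued under a new root. Requires the openssl CLI.
# Every key and certificate here is throwaway and lives in a temp directory.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_ca() {  # make_ca <name>: self-signed root -> $WORK/<name>.pem + <name>.key
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

issue_server_cert() {  # issue_server_cert <ca-name>: $WORK/server.pem signed by that root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=db.example.internal" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/server.pem" >/dev/null 2>&1
}

verify_with() {  # verify_with <ca-file>: exit 0 if server.pem chains to it, non-zero otherwise
  openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

make_ca old-root
make_ca new-root
issue_server_cert new-root   # the database now presents a certificate from the new root

# A client still pointing at only the old root file fails the handshake's chain check.
verify_with "$WORK/old-root.pem" && echo "old root only: ok" || echo "old root only: verification FAILS"
# The new root alone works, and so does a bundle with both roots (safe during the changeover).
verify_with "$WORK/new-root.pem" && echo "new root only: ok"
cat "$WORK/old-root.pem" "$WORK/new-root.pem" > "$WORK/bundle.pem"
verify_with "$WORK/bundle.pem" && echo "old+new bundle: ok"
```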