Security Now 1060: “3-Day Certificates”
Date: January 14, 2026
Hosts: Steve Gibson & Leo Laporte
Podcast: TWiT.tv – Security Now
Overview
This episode dives deep into recent changes in code signing, particularly the introduction of ultra-short-lived (three-day) certificates as part of Microsoft’s Azure Cloud code-signing service. Steve and Leo discuss rising certificate authority costs, developer frustrations, phishing, California’s new Drop privacy law, AI advancements (especially for coding), and relevant listener feedback. The discussion balances technical detail with relatable real-world impact, especially for developers and security-conscious listeners.
Key Topics & Discussion Points
1. Code Signing Gone “Crazy”: Steve’s Phishing Mishap
Timestamps: 01:17–07:45
- Both Steve and Leo share recent experiences with phishing texts—shockingly, Steve himself fell for a T-Mobile-themed scam, entering his info on a fake site and going through three credit cards before noticing.
- Takeaway: Even seasoned experts can get caught off-guard by social engineering combined with legitimate-looking, urgent texts.
Memorable Quotes:
- “I got had and I got some insight from it. It wasn’t a complete waste of three credit cards.” —Steve Gibson [02:03]
- “Legitimate companies need to stop [promotional texting] because it sets users up for phishing that looks exactly the same.” —Steve Gibson [02:35]
2. The Growing Code Signing Crisis
Timestamps: 15:35–39:20
a. Rising Costs and Complexity
Steve shares a detailed blog post from Rick Strahl, echoing widespread developer frustration with:
- Certificate lifetimes drastically reduced (sometimes to three days).
- End of exportable local certificates: now must be HSM or cloud-resident.
- Costs skyrocketing (from ~$180/3yr to $350–$1,000/year for the same capabilities).
- Cumbersome, confusing Azure configuration experiences; Microsoft's pricing is “least bad,” but the process is "way harder than it should have been."
Memorable Quotes:
- “It all seems like a huge grift... This isn’t about security, it’s about gatekeeping and just one more hurdle for a small business.” —Rick Strahl, via Steve [17:54]
- “But it wouldn’t be Azure if you weren’t cursing the thing every step of the way...” —Rick Strahl [31:57]
b. How Short-Lived Certificates Actually Work
- Microsoft’s certificates ("3-day certificates") rotate every few days—a mechanism meant for fast revocation in case of compromise.
- Azure’s pricing is the most reasonable compared to competitors ($9.99/month for 5,000 signatures, $99.99/month for 100,000, with small overage fees).
- However, complexity and lack of good tools/documentation remain barriers.
3. Code Signing Certificate Short Lifetimes: What Does it Mean?
Timestamps: 142:34–160:10
- Key Insight: For code signing, it only matters that the certificate is valid at the time of signing—not afterward (unlike TLS certificates, which must always be valid at use time).
- Timestamp Authorities (TSAs): Critical to the process. The TSA applies a verifiable timestamp at the moment of signing, proving the code was signed while the certificate was valid. That is what makes three-day certs workable: the signature plus the TSA record lock in the code's validity.
- Real-World Example: Logitech faced issues after an internal certificate suddenly expired and broke their Mac software, possibly due to hitting this new expiration reality or failing to use timestamping.
- GRC’s code remains valid years after its certificate expired because timestamping was properly applied at the outset.
Memorable Quotes:
- “The only requirement is that the certificate is valid at the time of its use. In the case of code signing, that means valid at signing—period.” —Steve Gibson [147:00]
- “Technically, your cert could be as short as an hour... but there’s overhead in making them.” —Steve Gibson [147:50]
4. California’s “Drop” Law: Data Broker Opt-Out Process
Timestamps: 44:41–70:39
- Drop = Delete Request and Opt-Out Platform: New California law lets residents submit a one-stop global request for all registered data brokers to delete and stop selling their data.
- Process: Requires identity verification (via login.gov, etc.) and detailed entry of personal info to maximize the chance that broker records are matched and deleted.
- Skepticism: Unclear enforcement, waiting period until August for any action, possible lobbying delays, relatively small percentage of the public will likely use it.
- Both hosts try the service. Steve discovers 170 brokers listed for him; Leo only has 89, fueling suspicions about completeness.
Memorable Quotes:
- “It initially felt counterintuitive to provide such a wealth of personal information to ensure that data is no longer tracked... But all that data is already compromised as it sits in online databases.” —Steve Gibson quoting Dan Goodin [61:45]
- “It's probably worth it. We'll see. I'll watch with interest, but I don't have high hopes.” —Leo Laporte [69:40]
5. AI in Coding: The Rise of “Claude Code”
Timestamps: 92:00–114:34
- Both Steve and Leo rave about the recent advances in AI coding tools, particularly Anthropic's Claude Code.
- Notable Experiences:
- Leo creates a terminal RSS reader in Rust using Claude Code, adding features simply by prompting the tool in natural language (see detailed demo [103:35–112:18]).
- Code was written, debugged, and packaged with minimal manual intervention, including CI/CD GitHub Actions.
- Discussion of the broader implications: AI coding tools now empower even "non-coders" (via resources like “Build with Andrew” [GRC.sc/andrew]).
Memorable Quotes:
- “I pointed [Claude Code] at my repo and the rest is history... Working part-time over the last few months, I’m close to having a first version done.” —Listener Al Liebel [94:54]
- “I really feel like we have turned a corner in AI in general, but especially coding.” —Leo Laporte [98:44]
- “A lot of the stuff that’s just kind of rote, you don’t need a code monkey for anymore. You just have Claude do it...” —Leo Laporte [112:24]
- “This is massively better. And so many people are now into this that there’s a lot of resources. There’s a wonderful GitHub [‘awesome Claude’]...” —Leo Laporte [113:33]
6. iOS Email App Quest and Other Musings
Timestamps: 78:33–92:00
- Steve’s tale: iOS’s built-in mail app was causing server crashes due to IMAP mishandling. Switching to EM Client’s free iOS app solved his issues and provided a better user experience, especially with seamless QR-based configuration cloning from desktop to mobile.
- Shout-out to listeners for their feedback on magnesium, vitamins, and book/TV series recommendations (Lazarus Project, For All Mankind).
- Notable banter about device preferences (OLED iPads, Mac Mini confusion).
7. Listener Feedback & the CA Economic Grift
Timestamps: 115:30–141:16
- Several enterprise users complain about the “grifting” of CAs: per-signature fees, cloud lock-in, expensive/complex key management solutions, and the lack of affordable options for small developers.
- Steve discusses why starting a new CA is so difficult, and explains the root-trust "bootstrapping" method Let's Encrypt used.
- Listener Q: Do short-lived certs mean software with perpetual licenses will someday just stop working?
- Steve: No, if timestamping is done correctly at signing, signatures remain valid after the cert expires.
Memorable Quotes:
- “Certificate authorities have the entire software industry over a barrel and there’s nothing we can do about it.” —Listener TJ Asher [115:40]
- “With the right to print money comes the burden of being very careful whose certificates are signed and thus trusted.” —Steve Gibson [128:10]
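To make the rule from section 3, and Steve's answer to the perpetual-license question above, concrete, here is an added Python model (not code from the show, from Microsoft's service, or from any real signing tool): a three-day certificate, a signature over the code, and a TSA countersignature, with HMACs standing in for real RSA/ECDSA signatures and RFC 3161 tokens, and constructed toy keys and sample bytes.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed toy keys: HMACs stand in for RSA/ECDSA signatures and RFC 3161 tokens.
SIGNER_KEY = b"constructed-signer-key"
TSA_KEY = b"constructed-tsa-key"

def cert_valid_at(cert, when):
    # Only the validity window matters here; real certs also carry keys and a chain.
    return cert["not_before"] <= when <= cert["not_after"]

def sign_code(code):
    return hmac.new(SIGNER_KEY, hashlib.sha256(code).digest(), "sha256").digest()

def tsa_countersign(signature, now):
    # The TSA binds the signature (not the cert) to the moment it saw it.
    stamp = now.isoformat().encode()
    return {"time": now, "token": hmac.new(TSA_KEY, signature + stamp, "sha256").digest()}

def verify(code, signature, cert, tsa, verify_time):
    # 1. Signature must still match the code: any change to the bytes breaks it.
    if not hmac.compare_digest(signature, sign_code(code)):
        return False
    # 2. Pick the moment the certificate has to be valid at.
    if tsa is None:
        signing_time = verify_time  # no timestamp: only "now" can be trusted
    else:
        stamp = tsa["time"].isoformat().encode()
        expected = hmac.new(TSA_KEY, signature + stamp, "sha256").digest()
        if not hmac.compare_digest(expected, tsa["token"]):
            return False  # forged or altered timestamp token
        signing_time = tsa["time"]
    # 3. The cert only needs to have been valid at that moment, not at verify_time.
    return cert_valid_at(cert, signing_time)

def scenario():
    signed_at = datetime(2026, 1, 14, tzinfo=timezone.utc)
    cert = {"not_before": signed_at, "not_after": signed_at + timedelta(days=3)}  # 3-day cert
    code = b"constructed sample binary"
    sig = sign_code(code)
    tsa = tsa_countersign(sig, signed_at + timedelta(hours=1))
    years_later = signed_at + timedelta(days=5 * 365)
    late_tsa = tsa_countersign(sig, signed_at + timedelta(days=10))  # stamped after expiry
    return {
        "timestamped_years_later": verify(code, sig, cert, tsa, years_later),
        "no_timestamp_years_later": verify(code, sig, cert, None, years_later),
        "modified_code": verify(code + b"x", sig, cert, tsa, years_later),
        "stamped_after_expiry": verify(code, sig, cert, late_tsa, years_later),
    }
```

Only the timestamped, unmodified, signed-within-window case verifies years later; dropping the timestamp, altering the code, or stamping after expiry all fail, which is the perpetual-license answer in one check.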
Notable Quotes & Memorable Moments
- “It all seems like a huge grift. This isn’t about security, it’s about gatekeeping...” —Rick Strahl (via Steve Gibson) [19:28]
- “But it wouldn’t be Azure if you weren’t cursing the thing every step of the way.” —Rick Strahl [31:43]
- “With short-lived certificates and timestamping, the code’s signature is forever valid so long as the code hasn’t changed—no matter when the actual certificate expired.” —Steve Gibson [147:50]
- “I really feel like we’ve turned a corner in AI—at least for coders, the productivity jump is stunning.” —Leo Laporte [98:44]
- “It’s okay to admit even I can be vulnerable to a good phishing attack.” —Steve Gibson [06:41]
Important Segments & Timestamps
| Topic | Start | End |
|----------------------------------|--------|--------|
| Steve's phishing experience | 01:17 | 07:45 |
| Code signing "crazy"/Rick Strahl | 15:35 | 39:20 |
| Microsoft's 3-day code signing | 142:34 | 160:10 |
| California Drop Law | 44:41 | 70:39 |
| Claude Code & AI for coding | 92:00 | 114:34 |
| Listener feedback (CA grift etc) | 115:30 | 141:16 |
Summary Table: Cloud Code Signing & Short Certificates
| Solution | Pricing | Certificate Lifetime | Complexity |
|----------------------|---------------------------|----------------------|----------------------------|
| Microsoft Azure | $9.99/mo (5,000 signs/mo) | 3 days (renewable) | Setup: High, Tooling: Poor |
| Legacy CAs (SSL.com) | $300+/yr for 3yr cert | 1-3 years | HSM/dongle required |
Conclusion
Takeaways:
- The certificate authority industry is leveraging new technical requirements to extract higher fees and create developer pain points.
- Microsoft’s Azure 3-day certificate model—enabled via timestamp authorities—provides timely signatures with reasonable pricing but poor developer UX.
- Proper timestamping means that as long as the code was signed while the certificate was valid, its signature remains valid after the cert itself expires.
- AI tools like Claude Code are drastically shifting how individuals and teams write software—potentially transforming who can “be a programmer.”
- California’s Drop law is a big deal for privacy advocates, but skepticism remains regarding practical effectiveness and enforcement.
Closing Memory: “With all these artificial roadblocks, you can't help but feel there’s less and less joy about how computing used to ‘just work’. Now the barriers seem designed to wring every cent from developers, not really protect end-users.” —Listener comment [33:57]
For those wanting to dive into the specifics:
- Rick Strahl’s blog on Azure Signing: GRC.sc/codesign
- Build with Andrew (30-min coding-for-non-coders course): GRC.sc/andrew
- California Drop Law info: consumer.drop.privacy.ca.gov
This episode embodies Security Now’s “sage, slightly cranky but always insightful” tone—full of practical advice for devs, security pros, and everyday users alike facing today’s increasingly gatekept technology landscape.