
I'm a little surprised by this. They're using an AWS Certificate which means the entire certificate lifecycle should be fully automated[1]. Assuming they use DNS validation, I speculate that somebody deleted the validation CNAME record and then the doom-and-gloom renewal emails went to an unmonitored mailbox. Then they ignored it so long it ended up on HN.

Gfycat publishes an HSTS header, so they're under _hard_ downtime too.

1: https://docs.aws.amazon.com/acm/latest/userguide/managed-ren...



Most likely someone stopped paying the AWS bill. If you `curl -k` to avoid the HSTS problem you see that CloudFront and/or lambda aren't working either.


Works just fine for me when I bypass HSTS...


An RFC draft I’ve been working on tries to address this somewhat:

https://datatracker.ietf.org/doc/draft-todo-chariton-dns-acc...




