Manjaro and TLS certificates

How many times has it happened now?

Manjaro seems to be afraid of HTTPS

A subdomain for Manjaro Linux recently had an expired TLS certificate. An expired certificate is a security concern, but I wouldn’t normally write an article about it. What makes this an exception is that this is at least the fourth time a certificate has expired on Manjaro’s domain.

What’s a certificate?

Icon symbol for HTTPS connection

The lock icon in the image above means you’re connecting to a website securely. The traffic between you and the website is encrypted using the HTTPS protocol. Without it, anyone can read the traffic between your computer and the website.

In simple terms, a TLS certificate is like a government-issued piece of identification. The certificate allows you to establish a secure connection. It also proves that you are truly connecting to the intended website rather than a bad actor, because it carries a signature from a trusted certificate authority. Without a proper certificate, you can’t establish a secure connection and cannot be sure that you are connecting to the real entity.

TLS certificates expire after some time, just as real IDs do. Once a certificate expires, it can no longer be trusted and HTTPS cannot be used. To fix this, the website just needs to renew the certificate, fairly similar to how real IDs work.

The Manjaro story

What makes an expired certificate a bad sign for any website is the implication of security standards. If you visit an organization’s website and are greeted by security warnings from the browser, you’re likely not going to proceed further. It gives a bad first impression.

Manjaro is a Linux distribution, that is, an entire operating system. The developers create and maintain a whole OS, yet can’t even keep a basic HTTPS connection working on their website. It’s like finding a bank that has no door and stores its cash in glass boxes. You wouldn’t trust a bank like this.

The certificates used by Manjaro are generated by Certbot. Certbot is incredibly popular because you can get certificates for free and renew them automatically with ease. Even I was able to set up Certbot to create and auto-renew certificates in five minutes. The fact that a technology company like Manjaro has botched automatic certificate renewal more than four times is baffling. It’s like saying you woke up late because you forgot to set the alarm, then reusing that excuse multiple times. People won’t believe you after the first one.
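The lesson from both the expiry explanation above and the Certbot story is that renewal automation fails silently unless something independent watches the certificate. As an added example (my own code, not from the article or from Manjaro), here is a small expiry monitor that works on the certificate a server actually presents; it assumes Certbot’s default of renewing once fewer than 30 days remain, so a certificate inside that window means the automation has already missed a run.

```python
import socket
import ssl
from datetime import datetime, timezone

# Certbot's default renewal window: it renews once fewer than 30 days remain,
# so anything inside this window means automatic renewal has already failed.
RENEW_WINDOW_DAYS = 30


def days_until_expiry(cert, now=None):
    """Whole days until the certificate's notAfter; negative once expired.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(), whose
    'notAfter' field looks like 'Jun  1 00:00:00 2024 GMT'.
    """
    expires_at = ssl.cert_time_to_seconds(cert["notAfter"])
    now = now if now is not None else datetime.now(timezone.utc)
    return int((expires_at - now.timestamp()) // 86400)


def classify(cert, now=None, warn_days=RENEW_WINDOW_DAYS):
    """'ok', 'renew-overdue' (inside the renewal window) or 'expired'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "renew-overdue"
    return "ok"


def check_host(host, port=443, timeout=5.0):
    """Connect to `host`, verify its chain and classify the leaf certificate.

    An already-expired certificate fails verification before the handshake
    completes, so that case is reported from the exception rather than from
    the certificate dates.  Needs network access.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return classify(cert), days_until_expiry(cert)
    except ssl.SSLCertVerificationError as exc:
        return "verify-failed: " + exc.verify_message, None


# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Mar  3 00:00:00 2024 GMT",
    "notAfter": "Jun  1 00:00:00 2024 GMT",
}
```

Run `check_host("your.domain.example")` from a cron job or timer on a machine other than the web server, so the alert does not depend on the same box whose Certbot timer may have stopped.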

Implications

So what does this mean for the end user? As in the bank analogy, Manjaro is effectively not securing the most basic parts of its services. How can you trust a developer that builds an entire operating system if they can’t even get their website to use secure connections? The use of Certbot makes the story worse, since certificate renewal can easily be automated with it.

The short summary is: avoid Manjaro.

If an OS development team fails to secure its site better than something like mine, that’s a sign that its competency cannot be trusted. There are other reasons why Manjaro is in a grey area among Linux distros, but that’s beyond the scope of this article. If you use Manjaro and want to move off it, I can recommend EndeavourOS from experience. Or just go with vanilla Arch.