Going to be interesting to see how rotten (or not) the CA ecosystem is after Certificate Transparency is mandatory for all certificates. April 30th deadline won't demonstrate much since certificates can be backdated to bypass it. Presumably becomes fully mandatory in ~2 years?
Re: backdating, detrust any CA that issues a certificate dated before the domain registration? That would probably catch them all.
-
-
What about existing domains though? Most sites aren't going to bother setting Expect-CT headers and ideally getting Expect-CT pinning in Chromium's database (it would be nice if that was available via https://hstspreload.org).
-
CAs have been caught doing backdating to work around requirements phased in based on issue date. It will eventually be mandatory for all certificates but until then anyone doing something malicious could seemingly avoid logging that by backdating.
-
BTW, it doesn't seem entirely forbidden for CAs to backdate certificates... in fact, they're explicitly allowed to do it to a minor extent for fudging the initial date by an hour or so to deal with clock skew, etc.
-
The way the CT requirement works isn't just that it's mandatory but that browsers can verify it. For example, Let's Encrypt is fulfilling the requirement by adding SCTs (Signed Certificate Timestamps) to the certificates they issue. Alternatives are via OCSP / TLS extension.
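Added example (not from the thread): a parser for the embedded SCT list described above, plus a check that ties the backdating worry to it. Assumptions: the deadline is taken as 30 April 2018 (the thread gives only the day), the allowed clock-skew fudge is one hour as mentioned above, and the sample SCTs are constructed with a placeholder log id and dummy signature, so nothing is cryptographically verified.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
CT_DEADLINE = datetime(2018, 4, 30, tzinfo=timezone.utc)  # assumed year for the "April 30th" deadline

def parse_sct(sct: bytes) -> dict:
    """Decode one RFC 6962 v1 SignedCertificateTimestamp (version byte 0 == v1)."""
    if sct[0] != 0:
        raise ValueError(f"unsupported SCT version {sct[0]}")
    log_id = sct[1:33]                                   # SHA-256 of the log's public key
    ts_ms, ext_len = struct.unpack_from("!QH", sct, 33)  # uint64 ms timestamp, uint16 ext length
    pos = 43 + ext_len                                   # skip CtExtensions (empty in v1)
    hash_alg, sig_alg, sig_len = struct.unpack_from("!BBH", sct, pos)
    signature = sct[pos + 4:pos + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated SCT signature")
    return {"log_id": log_id.hex(), "timestamp": EPOCH + timedelta(milliseconds=ts_ms),
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": signature}

def parse_sct_list(data: bytes) -> list:
    """Decode a SignedCertificateTimestampList: uint16 total length, then uint16-prefixed SCTs."""
    (total,) = struct.unpack_from("!H", data, 0)
    if total != len(data) - 2:
        raise ValueError("SCT list length does not match payload")
    scts, pos = [], 2
    while pos < len(data):
        (n,) = struct.unpack_from("!H", data, pos)
        scts.append(parse_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def assess(not_before, sct_list: bytes, skew=timedelta(hours=1)) -> dict:
    """Classify a cert's CT posture from its notBefore (datetime or ISO string) and embedded SCTs."""
    if isinstance(not_before, str):
        not_before = datetime.fromisoformat(not_before)
    scts = parse_sct_list(sct_list) if sct_list else []
    if not_before < CT_DEADLINE:  # CT not required; a pre-deadline date with no SCTs is what backdating looks like
        return {"status": "not_required", "sct_count": len(scts), "backdate_candidate": not scts}
    if not scts:
        return {"status": "noncompliant", "sct_count": 0, "backdate_candidate": False}
    # Embedded SCTs are minted when the precert reaches the log, so notBefore should sit within
    # skew of the earliest SCT; a larger gap is the CA's claim about issue time, not the log's.
    gap = min(s["timestamp"] for s in scts) - not_before
    return {"status": "compliant", "sct_count": len(scts), "gap": gap, "backdate_candidate": gap > skew}

def build_sct(ts_ms: int, sig: bytes = b"\x30\x00") -> bytes:
    """Serialize a constructed v1 SCT (placeholder log id, dummy signature) as a list element."""
    body = b"\x00" + b"\x11" * 32 + struct.pack("!QH", ts_ms, 0) + struct.pack("!BBH", 4, 3, len(sig)) + sig
    return struct.pack("!H", len(body)) + body

def build_sct_list(*scts: bytes) -> bytes:
    return struct.pack("!H", sum(len(s) for s in scts)) + b"".join(scts)
```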