Going to be interesting to see how rotten (or not) the CA ecosystem is after Certificate Transparency is mandatory for all certificates. April 30th deadline won't demonstrate much since certificates can be backdated to bypass it. Presumably becomes fully mandatory in ~2 years?
The goal isn't to catch domains with backdated certs but to catch CAs issuing them. All it takes is one new domain getting a cert from them for them to get caught.
-
Only if you can somehow find the certificate, though. Chromium will reject certificates without CT because it will check for SCTs from either the certificate (seems like this will be the norm), OCSP or TLS extension.
-
Eventually, once CT is fully mandatory, that means any certificate without SCTs will be rejected. For now, a targeted attack could be done without getting it logged via CT because the certificate can be backdated and Chromium won't know to reject it.
-
All it needs is someone running a browser extension that submits all certificates seen to CT, right? This is what you'd deploy anyway to catch rogue CAs issuing MITM certificates.
-
If they're being specifically targeted, they probably can't submit a certificate though. It could help the health of the ecosystem as a whole to have lots of people submitting to CT but it won't provide the same nice guarantees.
-
Probably worth noting that Google is submitting certificates they find while crawling the web via CT, but their crawler probably isn't going to find any targeted attacks trying to hide from CT.
-
It would find backdated certs though.