Going to be interesting to see how rotten (or not) the CA ecosystem is after Certificate Transparency is mandatory for all certificates. April 30th deadline won't demonstrate much since certificates can be backdated to bypass it. Presumably becomes fully mandatory in ~2 years?
All it needs is someone running a browser extension that submits all certificates seen to CT, right? This is what you'd deploy anyway to catch rogue CAs issuing MITM certificates.
If they're being specifically targeted, they probably can't submit a certificate though. It could help the health of the ecosystem as a whole to have lots of people submitting to CT but it won't provide the same nice guarantees.
Probably worth noting that Google is submitting certificates they find while crawling the web via CT, but their crawler probably isn't going to find any targeted attacks trying to hide from CT.
It would find backdated certs though.