Going to be interesting to see how rotten (or not) the CA ecosystem is after Certificate Transparency is mandatory for all certificates. April 30th deadline won't demonstrate much since certificates can be backdated to bypass it. Presumably becomes fully mandatory in ~2 years?
Replying to @CopperheadOS
Re: backdating, detrust any CA that issues a certificate dated before the domain registration? That would probably catch them all.
Replying to @RichFelker
What about existing domains though? Most sites aren't going to bother setting Expect-CT headers and ideally getting Expect-CT pinning in Chromium's database (it would be nice if that was available via https://hstspreload.org).
Replying to @CopperheadOS
The goal isn't to catch domains with backdated certs but to catch CAs issuing them. All it takes is one new domain getting a cert from them for them to get caught.
Replying to @RichFelker
Only if you can somehow find the certificate, though. Chromium will reject certificates without CT because it will check for SCTs from either the certificate (seems like this will be the norm), OCSP or TLS extension.
Replying to @CopperheadOS @RichFelker
Eventually, once CT is fully mandatory, that means any certificate without SCTs will be rejected. For now, a targeted attack could be done without getting it logged via CT because the certificate can be backdated and Chromium won't know to reject it.
Replying to @CopperheadOS
All it needs is someone running a browser extension that submits all certificates seen to CT, right? This is what you'd deploy anyway to catch rogue CAs issuing MITM certificates.
Replying to @RichFelker
If they're being specifically targeted, they probably can't submit a certificate though. It could help the health of the ecosystem as a whole to have lots of people submitting to CT but it won't provide the same nice guarantees.
Replying to @CopperheadOS @RichFelker
Probably worth noting that Google is submitting certificates they find while crawling the web via CT, but their crawler probably isn't going to find any targeted attacks trying to hide from CT.
It would find backdated certs though.