Hacker News new | ask | show | jobs
by Coxa 2313 days ago
From my understanding of the certificate transparency program does not mitigate the threat of them simply not disclosing a certificate they signed. Ultimately this still gives them MitM capabilities as long as they control the traffic or am I mistaken?
2 comments
DenseComet 2313 days ago
When certificates are submitted to CT logs, they are given Signed Certificate Timestamp by the log, which can be attached to the certificate. Chrome and other major browsers require that every certificate has them attached and signed by a trusted log operator, guaranteeing that each certificate is submitted to a CT log.

https://github.com/chromium/ct-policy/blob/master/ct_policy....

link
Coxa 2313 days ago
Seems like this is currently disabled in Firefox [1]. Do you have any sources for Safari or MS Edge?

[1] https://wiki.mozilla.org/PKI:CT

link
infogulch 2313 days ago
Yes, this property (CAs are capable of creating and signing near-arbitrary certs) is inherent in the concept of Certificate Authorities in general, and the log doesn't automatically fix that because nothing can. But auditors regularly check served certificates against these logs and report unlogged certificates automatically. This can be verified in your browser with things like OCSP stapling.

You may find this useful: http://www.certificate-transparency.org/how-ct-works

link