by judge2020
1419 days ago
The protection for this is in certificate transparency, as Chrome will throw up a warning if a certificate is valid other than never showing up in the CT logs. See: https://no-sct.badssl.com/

CAA combined with this CT requirement means that businesses serious about issuance can set up a service to watch CT logs and get notified every time a certificate is issued, so any would-be CA attacker would have to be pretty quick with their attack if they wanted to impersonate fb.com, and that CA would be questioned by the CA/B community pretty quickly for breaking CAA policies.
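Added example, not part of the comment above: a sketch of the CT-watching service it describes, flagging logged certificates whose issuer the domain's CAA records do not permit. The CAA records, CT entries, issuer names and the issuer-to-CAA-domain map are all constructed for illustration, and CNAME handling is left out.

```python
# Constructed sample data, not a real log format or API response.
CAA = {  # owner name -> [(tag, value)] as published in DNS
    "example.com": [("issue", "ca-one.example"), ("issuewild", ";")],
    "shop.example.com": [("issue", "ca-two.example")],
}
# Assumption: the monitor keeps its own issuer-name -> CAA domain mapping.
ISSUER_DOMAINS = {
    "CN=CA One Issuing R1": "ca-one.example",
    "CN=CA Two Issuing E1": "ca-two.example",
    "CN=Other CA": "other-ca.example",
}
CT_ENTRIES = [
    {"id": 1, "issuer": "CN=CA One Issuing R1", "names": ["www.example.com"]},
    {"id": 2, "issuer": "CN=Other CA", "names": ["login.example.com"]},
    {"id": 3, "issuer": "CN=CA One Issuing R1", "names": ["*.example.com"]},
    {"id": 4, "issuer": "CN=CA Two Issuing E1", "names": ["pay.shop.example.com"]},
    {"id": 5, "issuer": "CN=CA One Issuing R1", "names": ["pay.shop.example.com"]},
]

def relevant_caa(name, caa=CAA):
    """Closest non-empty CAA record set, climbing from name to its parents."""
    labels = name.removeprefix("*.").split(".")
    for i in range(len(labels)):
        rrset = caa.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def allowed_issuers(name, caa=CAA):
    """None if issuance is unrestricted, else the set of permitted CA domains."""
    rrset = relevant_caa(name, caa)
    tags = [t for t, _ in rrset]
    tag = "issuewild" if name.startswith("*.") and "issuewild" in tags else "issue"
    if tag not in tags:
        return None
    return {v.split(";")[0].strip() for t, v in rrset if t == tag} - {""}

def violations(entries=CT_ENTRIES):
    """(entry id, name, issuer) for each logged name CAA does not permit."""
    out = []
    for e in entries:
        ca = ISSUER_DOMAINS.get(e["issuer"])  # unknown issuers map to None
        for n in e["names"]:
            ok = allowed_issuers(n)
            if ok is not None and ca not in ok:
                out.append((e["id"], n, e["issuer"]))
    return out
```

CAs evaluate CAA at issuance time, so a production monitor should compare each entry against the records in effect when the certificate was issued rather than the current ones.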