by Deathmax 1127 days ago
> In my opinion, most of the governments must have obtained access to numerous Certificate Authority private keys by now. As a result, they would not only be logging DNS records but also the entire unencrypted data transfer.

Certificate Transparency ensures that having control over a Certificate Authority's private keys doesn't allow for undetectable MITM attacks since both Chrome [1] and Apple (Safari) [2] will not trust certificates that have not been submitted to CT logs and stamped as such. If a government attempts to issue a trusted certificate using a CA they control, it will be logged. You can't passively decrypt TLS connections with just access to a CA's private keys since those aren't the keys involved in communication, or even the server's private key due to forward secrecy (assuming modern TLS configs).

[1]: https://groups.google.com/a/chromium.org/g/ct-policy/c/wHILi...

[2]: https://support.apple.com/en-gb/HT205280


For those interested in CTLogs [0].

FTL:

> Firefox does not currently check or require the use of CT logs for sites that users visit.

Uggh... Anyone know why? Seems sensible to check.

[0]: https://developer.mozilla.org/en-US/docs/Web/Security/Certif...

Checking certificates requires that either a) the user has a complete set of CT logs to check against or b) the user makes a request of a third-party server to verify the certificate. "a" is disk space and download uneconomical, "b" is a privacy concern. Mozilla has decided that its value is not worth the privacy risk as of yet. Time will tell if that's the correct answer; Chrome and Safari are likely enough to keep the CAs honest.
From what I understand, checking that a certificate has been submitted to CT logs should not have privacy implications, only trust in a set of CT logs and their public keys to be able to verify Signed Certificate Timestamps (SCTs). SCTs can be distributed in one of 3 ways:

1. Embedded in the certificate itself - no communication with a third-party

2. Distributed via TLS extension - no communication with a third-party

3. OCSP stapling - the server is the party that initiates a connection with the CA, the client doesn't touch the CA

You only need the complete set of CT logs if you want to verify the logs have not been tampered with.

Lipstick on a pig. OCSP Stapling is a complicated and convoluted override for certificate lifetimes that should never be used and isn't in practice. All three are just different chains to the same CA organizations (in practice), which could just as easily maintain two sets of CT logs.

I should get around to making an "Evil-CA" software that explicitly maintains those two logs.