by akerl_ 1122 days ago
I'm not sure why you're so fixated on this idea of client systems monitoring CT logs.

Operators who host infrastructure can and should be monitoring issuance in CT logs for domains they operate, which will allow them to identify and react to any unexpected issuance for those domains.

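The monitoring akerl_ describes, as an added example that is not the commenter's code or any particular tool's: an offline review pass over a feed of logged certificates, flagging anything that names a domain we operate but was not issuance we expected. The domains, CA names, fingerprints and log entries below are all constructed for the example; in practice the feed comes from a CT monitor or a crt.sh-style search, and the expected set from your own issuance pipeline.

```python
"""Operator-side CT monitoring, as an offline illustration.

The entries below are CONSTRUCTED sample data standing in for what a CT
log monitor (or a crt.sh-style search over the logs) would hand back:
issuer, SAN list and leaf fingerprint per logged certificate. The domain
names, CA names and fingerprints are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Hypothetical: the domains this operator runs and therefore watches.
OPERATED_DOMAINS = frozenset({"example.com", "example.net"})

# Hypothetical: CAs we actually obtain certificates from.
ALLOWED_ISSUERS = frozenset({"Example CA R3"})

# Hypothetical: SHA-256 fingerprints of certificates we know we requested
# (normally exported from the ACME client or issuance pipeline).
EXPECTED_FINGERPRINTS = frozenset({"a1" * 32, "b2" * 32})


@dataclass(frozen=True)
class CtEntry:
    log_index: int
    issuer: str
    sans: tuple[str, ...]
    sha256_fp: str


# Constructed sample feed; each entry exercises one case.
SAMPLE_ENTRIES = (
    # Our own cert: known issuer, known fingerprint -> silent.
    CtEntry(1001, "Example CA R3", ("example.com", "www.example.com"), "a1" * 32),
    # Wildcard over our zone from a CA we never use -> alert (two reasons).
    CtEntry(1002, "Other CA G2", ("*.example.com",), "c3" * 32),
    # Look-alike: our name as a prefix of someone else's domain -> out of scope.
    CtEntry(1003, "Other CA G2", ("example.com.evil.test",), "d4" * 32),
    # Allowed CA, but a fingerprint our pipeline never produced -> alert.
    CtEntry(1004, "Example CA R3", ("mail.example.net",), "e5" * 32),
    # Mixed case and trailing dot must still be recognised as ours -> alert.
    CtEntry(1005, "Example CA R3", ("API.Example.COM.",), "f6" * 32),
)


def normalize_name(name: str) -> str:
    """Lower-case and drop the trailing dot; DNS names compare case-insensitively."""
    return name.strip().rstrip(".").lower()


def san_in_scope(san: str, operated) -> Optional[str]:
    """Return the operated domain a SAN falls under, or None.

    A wildcard '*.example.com' is treated as covering example.com's hosts.
    The match is a suffix on a label boundary, so 'example.com.evil.test'
    is NOT in scope even though it contains our name.
    """
    name = normalize_name(san)
    if name.startswith("*."):
        name = name[2:]
    for domain in operated:
        d = normalize_name(domain)
        if name == d or name.endswith("." + d):
            return d
    return None


def review_entries(entries, operated, expected_fps, allowed_issuers) -> list[dict]:
    """Flag every logged cert that names our domains but isn't issuance we expected."""
    alerts = []
    for e in entries:
        ours = sorted({normalize_name(s) for s in e.sans if san_in_scope(s, operated)})
        if not ours:
            continue
        reasons = []
        if e.sha256_fp.lower() not in expected_fps:
            reasons.append("fingerprint not in expected issuance")
        if e.issuer not in allowed_issuers:
            reasons.append(f"issuer {e.issuer!r} not on CA allowlist")
        if reasons:
            alerts.append({"log_index": e.log_index, "issuer": e.issuer,
                           "names": ours, "reasons": reasons})
    return alerts


def run_sample() -> list[dict]:
    """Run the review over the constructed feed; returns the alert list."""
    return review_entries(SAMPLE_ENTRIES, OPERATED_DOMAINS,
                          EXPECTED_FINGERPRINTS, ALLOWED_ISSUERS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['log_index']}] {', '.join(a['names'])} by {a['issuer']}: "
              + "; ".join(a["reasons"]))
```

Two caveats when wiring this to a real feed: a precertificate and the final certificate are distinct objects with different hashes, so either record both fingerprints as expected or match on issuer and serial instead; and the in-scope check deliberately treats anything under an operated domain as ours, so a cert for a subdomain you delegated to a third party will show up until you add its issuer or fingerprint to the expected sets.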

In the attack DNSSEC prevents, a client is compromised by a cert that doesn't appear in the CT logs, so infrastructure monitoring is irrelevant.

Most browsers will reject such a certificate. See https://googlechrome.github.io/CertificateTransparency/ct_po... for the policy Chrome imposes - my understanding is that Safari is broadly similar. Right now I don't think Firefox performs this validation, so this is possible if you know in advance that your target runs Firefox.

That page explains that Chrome (which is best in class here - most IoT devices don't do any of this stuff) fails open:

> If the installed version of Chrome has not applied security updates and has been unable to obtain an updated CT log list from the Component Updater for 70 days or more, then CT enforcement will be disabled.

That means a global adversary need merely block the update channel to targeted devices and wait. How will a Smart TV behave?

You're moving the goalposts to a ridiculous degree. Chrome will be incredibly angry at you if you haven't updated in 70 days. How will a smart TV behave? I've no idea. It's probably not paying any attention to DNSSEC (otherwise Pi-hole and co wouldn't work), so I don't think you're presenting a credible alternative.

That's just not what's happening. Reread the conversation. I started from here:

> Certificate transparency is cool, but it's not clear it really works for many classes of devices

Smart TVs aren't some gotcha I'm throwing in at the end. It's literally the first thing I said about CT. CT works OK for mobile phones, laptops, and other devices where you can make certain assumptions about multiple networks and frequent updates. If you want a technology that doesn't require these assumptions, you want DNSSEC.

Once you've got a 70-day-old browser you're just waiting for it to hit one domain you can MITM or serve content from, and then you've got arbitrary code execution and who cares whether DNSSEC is involved or not. Attacking CT is just not the threat model to be concerned about.