by marcosdumay 662 days ago
How does the MITM victim get a non-MITM connection to the CT logs so they can be sure to get the correct ones?
2 comments

Browsers enforce that certificates are signed by two independent CT logs. The public keys of which are shipped by the browser. So a MITM would need to compromise a trusted CA and two CT logs to be able to pull off an attack undetected. Maybe not impossible but much more difficult than just a single CA compromise.
By using pinned certificates which are hardcoded into all the major browsers.
Yeah for some reason I don't feel confident about Mogadishu Internet Trust Corp and many others.