[rvnx]

Very unlikely in the real world.

Maybe <5% of devops are checking in reality (and this is very generous); even if they watch it is very difficult to spot since the CA is the same, and short-lived certificates (so very normal that they renew).

crt.sh is even answering 502 Bad Gateway, though it's supposed to be the most used tool to check CT logs in the world.

So maybe, true for few paranoid geeks who usually don't have any information of interest anyway, but not for the 99% others.

The big websites are openly sharing data to govs, so they are backdoored by definition, and they don't need to justify anything.

[ayende]

FWIW, I once got a cease and desist letter because "company-xyz" found that we were using a subdomain "company-xyz.customers.our-service.com".

They discovered that because they were monitoring the CT logs. And they were concerned about trademark issues. It ended up being one of the teams in "company-xyz" that had opened an account (under the company name, of course).

But that is just a small note that people _are_ monitoring those.

[ayende]

If you are checking the cert logs, it is a very tiny bit to validate the key as well. If you aren't checking... well, that isn't a concern anyway, now is it?

And the whole _point_ of the cert transparency log is that it only take _one_ such instance to ruin the credibility of a CA.

The fact that you do that in the public, and that it is _forever_, make it very hard to do in the shadows.