[basilikum]

They have the secret of the private keys used to sign certificates.

Looking at LavaBit^1 I really would not be so comfortable. The world and especially the US has not gotten more free since then.

[1]https://en.wikipedia.org/wiki/Lavabit

[tialaramex]

They could mint certificates, for / about any name. But, those certificates won't work in popular applications unless the certificates include proof of logging.

So to be effective this means a hypothetical bad actor (maybe the US government or anybody else) issues bogus certificates, then either logs them - making a permanent record for everybody to see, or also subverts two or more logs, so that they issue bogus proofs.

This is a very expensive one shot attack on whatever the target would be, I guess it's not stupider than "Let's bomb Iran for no good reason" but it's up there.

[basilikum]

For the vast majority of cases, would anyone notice these malicious certificates being created and logged?

[toast0]

I don't subscribe for my personal domains, because who cares, but when I was in charge of certificates for something important I subscribed to notifications from several providers to make sure I didn't miss anything.

I would like to think at least all the high profile destinations have someone watching.

[tialaramex]

What constitutes the "vast majority" ? Periodically I check mine, and I sometimes have reason to check others, I no longer run my own log auditing (I did when I worked somewhere else because it was close to my main field of interest) but other people do.

[basilikum]

How can you check other people's certs? How do you know whether a cert issued is authorized by them or not?

The only one who can check for maliciously published certs is the entity authorized to request them. I think most companies are happy when they manage to have valid, not expired certs and do not care too much about making sure there are not too many of them.

You are right that if the state would start issuing malicious certs en mass that would be found out quickly. But I think very targeted selected operations against entities where they know the entity is unlikely to surveil for unauthorized certs are very much possible.

I'm not arguing for going into conspiratorial thinking and claiming CAs are all compromised and issuing malicious certs all the time. But I do think that it is feasible for states to use CAs under their direct or indirect control to run targeted attacks. I think that is a plausible, serious risk that we do not care enough about and that we should do something about. There is a multitude of precedence starting from LavaBit over the wiretapping of jabber.ru^1, ANOM^2 to CryptoAG^3 that supports this conclusion.

[1]https://notes.valdikss.org.ru/jabber.ru-mitm/ [2]https://en.wikipedia.org/wiki/Operation_Trojan_Shield [3]https://en.wikipedia.org/wiki/Crypto_AG

[tialaramex]

If there's a competent admin or it's just entirely autopilot for some huge generic host you'll see a very boring pattern where there's a cert and then as it gets close to expiring a new cert is issued, e.g. 4-5 days before it expires, or on a Tuesday at about 8am, or whatever - and sure enough you'll see the same pattern in the cert presented when you access their web site.

In these cases it's really obvious if there's anything weird going on. You're correct that we can't know, as a third party why there's something weird. Maybe the server was being replaced and the new server just installed an ACME client and got itself a new cert last Tuesday even though the previous one doesn't expire for weeks. But if there was nothing we don't even need to ask anybody what's up - nothing is.

IMNSHO The statistics don't really work for targeted attacks. The odds you'll get away with it are unknowable and you only have to get unlucky once.

[8organicbits]

> How can you check other people's certs?

There are red flags you can look for, but you need to confirm with the domain owner to be sure. CAA records can tell you what CAs are supposed to issue a certificate. Many companies always use the same CA, so a change to a different one could be suspect.

For the wiretapping scenario, domain verified certificates do not protect against that scenario. If the wiretap has full control of your server's network, then it can issue a certificate of its own. No need to compromise a CA.

[nickf]

For any target of sufficient value that a government would do that, yes. Of course it doesn't happen anyway, because governments don't have some kind of secret access to CAs.