What prevents certificate authorities from issuing fraudulent TLS certificates?

There have been reports of attacks against certificate authorities resulting in the issuance of fraudulent TLS certificates for sites such as google.com, yahoo.com, and skype.com. These attacks seem to be a thing of the past though, and I … Continue reading What prevents certificate authorities from issuing fraudulent TLS certificates?

How does Certificate Transparency protect from hacked CA server [duplicate]

I was able to grasp how CT works by reading this explanation, but one thing remains unclear for me – how CT may protect ecosystem from hacked CA server. For example, someone hacked Digicert, and now from it behaves issues EV or regular cer… Continue reading How does Certificate Transparency protect from hacked CA server [duplicate]

How does Certificate Transparency protect from hacked CA server [duplicate]

I was able to grasp how CT works by reading this explanation, but one thing remains unclear for me – how CT may protect ecosystem from hacked CA server. For example, someone hacked Digicert, and now from it behaves issues EV or regular cer… Continue reading How does Certificate Transparency protect from hacked CA server [duplicate]

How to create and embed Signed Certificate Timestamp (SCT) in certificate

I have deployed a Certificate Transparency (CT) log server that uses Google’s CTFE (named "certificate-transparency-go" on Github) and Trillian Projects. And I have issued a pre-certificate, submitted to my own CT log server.
I h… Continue reading How to create and embed Signed Certificate Timestamp (SCT) in certificate

Comparing ACME client logs against Certificate Transparency logs

Inspired by this comment from Can DDNS provider perform a MITM attack?, I was wondering if there is an automated way to check the Certificate Transparency logs for malicious/unexpected certificates.
For example, if I run some ACME client o… Continue reading Comparing ACME client logs against Certificate Transparency logs

What is expected of domain owners in the Certificate Transparency system?

As I understand it, Certificate Transparancy provides proof to the client that the presented certificate is publicly accessible in CT logs. The certificate being in the logs enables a domain owner to detect that a certificate has been issu… Continue reading What is expected of domain owners in the Certificate Transparency system?