Understanding Certificate Transparency in Mobile apps and How it Affects Traffic Proxying

I am familiar with the basics of CT and certificate pinning. However, I’m failing to understand how CT properly replaces pinning in mobile apps in a scenario in which, for example, an attacker steals a device or downloads the application f…

What are the risks of trusting a certificate that is not logged in CT logs?

A website that I do banking on has a login page on a different subdomain than their main website, and this login page is secured with an Amazon-issued domain-validation certificate (their main website is secured with an extended-validation…

How do you get a CA trusted by Certificate Transparency logs?

How would one go about getting in contact with a popular CT log operator, let’s say Google Pilot, and how would one get a CA root included in their log? Are there open CT logs that allow untrusted roots or don’t have a root system/progr…

Submit a precertificate to Certificate Transparency logs via APIs?

How would a CA submit a certificate to Certificate Transparency logs? Preferably Google’s Pilot or Rocketeer CT.
Would one submit via an API, SDK, or library? If submitting, should it be a render of a certificate (without log extensions) or th…
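The submission interface the question is asking about is the RFC 6962 HTTPS/JSON API: a CA POSTs a JSON body with the base64 DER chain to /ct/v1/add-chain (or /ct/v1/add-pre-chain for a precertificate carrying the poison extension) and receives a JSON SCT back, which it then serialises into the TLS wire format to embed in the final certificate's SCT list extension. The following is an added example, not code from this question, any answer, or any log operator or CA; it uses only the Python standard library and makes no network calls. The DER blobs, the log ID and the signature bytes are constructed placeholders (so the signature is not verifiable), and the precertificate signed-input variant is described in a comment only. The parse_sct_list function also answers the earlier question about a certificate that is not in any CT log: it is the check for whether a certificate even carries embedded SCTs (extension 1.3.6.1.4.1.11129.2.4.2).

```python
"""RFC 6962 log submission from the CA side, stdlib only (added example).

Constructed/assumed: the DER blobs, log id and signature below are fake
placeholders, so the SCT signature cannot be verified; the wire formats
follow RFC 6962 sections 3.2, 3.3 and 4.1.
"""
import base64
import json
import struct
from dataclasses import dataclass

SCT_V1 = 0
X509_ENTRY = 0             # LogEntryType for an add-chain submission
CERTIFICATE_TIMESTAMP = 0  # SignatureType covered by an SCT

# Constructed placeholders standing in for real DER-encoded certificates.
CONSTRUCTED_LEAF_DER = b"\x30\x82\x01\x00" + b"\xaa" * 16
CONSTRUCTED_ISSUER_DER = b"\x30\x82\x02\x00" + b"\xbb" * 16


def build_add_chain_body(chain_der):
    """JSON body for POST /ct/v1/add-chain or /ct/v1/add-pre-chain:
    leaf (or precertificate) first, then each issuer, all base64 DER."""
    if not chain_der:
        raise ValueError("chain must start with the (pre)certificate")
    return json.dumps({"chain": [base64.b64encode(c).decode() for c in chain_der]})


@dataclass
class SCT:
    version: int
    log_id: bytes      # SHA-256 of the log's public key, 32 bytes
    timestamp_ms: int
    extensions: bytes
    signature: bytes   # DigitallySigned: hash alg, sig alg, 2-byte len, sig


def _check_digitally_signed(sig):
    _hash_alg, _sig_alg, sig_len = struct.unpack("!BBH", sig[:4])
    if len(sig) != 4 + sig_len:
        raise ValueError("malformed DigitallySigned")


def sct_from_json(text):
    """Parse the JSON add-chain response into an SCT, checking field sizes."""
    o = json.loads(text)
    if o["sct_version"] != SCT_V1:
        raise ValueError("unsupported SCT version")
    log_id = base64.b64decode(o["id"])
    if len(log_id) != 32:
        raise ValueError("log id must be 32 bytes")
    sig = base64.b64decode(o["signature"])
    _check_digitally_signed(sig)
    return SCT(o["sct_version"], log_id, int(o["timestamp"]),
               base64.b64decode(o.get("extensions", "")), sig)


def sct_to_tls(sct):
    """One SCT in TLS encoding: version, log id, timestamp,
    extensions<0..2^16-1>, DigitallySigned."""
    return (struct.pack("!B", sct.version) + sct.log_id
            + struct.pack("!Q", sct.timestamp_ms)
            + struct.pack("!H", len(sct.extensions)) + sct.extensions
            + sct.signature)


def sct_list_to_tls(scts):
    """SignedCertificateTimestampList: outer 2-byte length, then each SCT
    with its own 2-byte length. This is the OCTET STRING value of X.509
    extension 1.3.6.1.4.1.11129.2.4.2 in the final certificate."""
    body = b"".join(struct.pack("!H", len(s)) + s for s in map(sct_to_tls, scts))
    return struct.pack("!H", len(body)) + body


def parse_sct_list(blob):
    """Inverse of sct_list_to_tls; rejects truncated or over-long input."""
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("outer length mismatch")
    pos, scts = 2, []
    while pos < len(blob):
        (n,) = struct.unpack("!H", blob[pos:pos + 2])
        raw = blob[pos + 2:pos + 2 + n]
        if len(raw) != n:
            raise ValueError("truncated SCT")
        version, log_id, ts, ext_len = struct.unpack("!B32sQH", raw[:43])
        ext, sig = raw[43:43 + ext_len], raw[43 + ext_len:]
        _check_digitally_signed(sig)
        scts.append(SCT(version, log_id, ts, ext, sig))
        pos += 2 + n
    return scts


def signed_input_x509(sct, leaf_der):
    """Bytes the log's signature covers for an x509_entry: version,
    signature_type, timestamp, entry_type, ASN.1Cert<1..2^24-1>, extensions.
    A precert_entry instead covers issuer_key_hash + TBSCertificate with the
    poison extension removed (not implemented here)."""
    return (struct.pack("!BBQH", sct.version, CERTIFICATE_TIMESTAMP,
                        sct.timestamp_ms, X509_ENTRY)
            + len(leaf_der).to_bytes(3, "big") + leaf_der
            + struct.pack("!H", len(sct.extensions)) + sct.extensions)


# Constructed stand-in for a log's add-chain response (fake id and signature).
CONSTRUCTED_LOG_ID = bytes(range(32))
CONSTRUCTED_SIGNATURE = bytes([4, 3]) + struct.pack("!H", 8) + b"\x11" * 8  # sha256, ecdsa
SAMPLE_SCT_JSON = json.dumps({
    "sct_version": 0,
    "id": base64.b64encode(CONSTRUCTED_LOG_ID).decode(),
    "timestamp": 1592000000000,
    "extensions": "",
    "signature": base64.b64encode(CONSTRUCTED_SIGNATURE).decode(),
})
```

To use it against a real log, POST the string from build_add_chain_body to the log's /ct/v1/add-chain URL with Content-Type application/json, feed the response text to sct_from_json, and embed sct_list_to_tls([...]) as the extension value; a log only accepts chains that terminate in a root from its /ct/v1/get-roots list.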

Certificate Transparency logs: why are so many operated by same entities and how do they differ?

I’m trying to understand the point of having multiple Certificate Transparency logs. While I understand that it solves the problems of reliability of trust, what baffles me is that so many are operated by the same entity: most notably, Goo…

Why is the infamous AddTrust certificate still not expired (same private key) for code signing?

As many of you know, the AddTrust certificate https://crt.sh/?id=1 expired on 30 May 2020, as did many other intermediate certs, and now we have to update certs on many servers to either the root cert https://crt.sh/?id=1199354 or use another chai…