What are the risks of trusting a certificate that is not logged in CT logs?

A website that I do banking on has a login page on a different subdomain than their main website, and this login page is secured with an Amazon-issued domain-validation certificate (their main website is secured with an extended-validation…

How do you get a CA trusted by Certificate Transparency logs?

How would one go about getting in contact with a popular CT log operator, let’s say Google Pilot, and how would one get a CA root included in their log? Are there open CT logs that allow untrusted roots or don’t have a root system/progr…

Submit a pre certificate to Certificate Transparency logs via APIs?

How would a CA submit a certificate to Certificate Transparency logs? Preferably Google’s Pilot or Rocketeer CT.
Would one submit via an API, SDK, or library? If submitting, should it be a render of a certificate (without log extensions) or th…
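The two questions above (what a client can check when a certificate carries no CT evidence, and how a CA submits a certificate or precertificate to a log) both come down to the same RFC 6962 structures: the JSON body of the add-chain / add-pre-chain POST, the JSON SCT the log returns, and the TLS-encoded SignedCertificateTimestampList that ends up in the X.509 SCT extension. The following is an added example, not code from either poster or from any log operator; it does no network I/O, LOG_URL is a placeholder rather than a real log, and the SCT response and certificate bytes are constructed samples.

```python
"""RFC 6962 CT submission and SCT handling (added example, not from the posts
above). No network I/O: the add-chain request is only built, and the SCT
response is a constructed sample. LOG_URL is a placeholder (assumption)."""
import base64
import json
import struct

# Placeholder base URL (assumption). A real CA uses the URLs published in the
# browser CT log lists; each log has its own key, log id and MMD.
LOG_URL = "https://ct.example.test/2024h1"


def add_chain_request(der_chain, precert=False):
    """Return (URL, JSON body) for RFC 6962 s4.1 add-chain or s4.2 add-pre-chain.
    The chain is leaf first, then issuers, each base64 of the DER encoding."""
    if not der_chain:
        raise ValueError("chain must contain at least the leaf")
    endpoint = "/ct/v1/add-pre-chain" if precert else "/ct/v1/add-chain"
    body = json.dumps({"chain": [base64.b64encode(c).decode() for c in der_chain]})
    return LOG_URL + endpoint, body.encode()


def encode_sct(log_id, timestamp_ms, extensions, signature):
    """Serialize a v1 SCT: version(1) || log_id(32) || timestamp(8) ||
    ext_len(2) || extensions || DigitallySigned."""
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions + signature)


def _check_digitally_signed(sig):
    """DigitallySigned: hash alg(1), sig alg(1), length(2), signature bytes."""
    if len(sig) < 4:
        raise ValueError("short DigitallySigned")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", sig[:4])
    if sig_len != len(sig) - 4:
        raise ValueError("DigitallySigned length mismatch")
    if hash_alg != 4:            # RFC 6962 logs sign with SHA-256 (TLS id 4)
        raise ValueError("unexpected hash algorithm %d" % hash_alg)
    if sig_alg not in (1, 3):    # rsa(1) or ecdsa(3)
        raise ValueError("unexpected signature algorithm %d" % sig_alg)


def parse_sct_response(body):
    """Decode the JSON add-chain response and also return the TLS-encoded SCT
    the CA will embed in the final certificate (or serve in the TLS extension)."""
    j = json.loads(body)
    if j["sct_version"] != 0:
        raise ValueError("unsupported sct_version %r" % j["sct_version"])
    log_id = base64.b64decode(j["id"])
    if len(log_id) != 32:
        raise ValueError("log id must be the 32-byte SHA-256 of the log key")
    extensions = base64.b64decode(j.get("extensions", ""))
    signature = base64.b64decode(j["signature"])
    _check_digitally_signed(signature)
    return {"log_id": log_id, "timestamp": j["timestamp"], "extensions": extensions,
            "signature": signature,
            "tls": encode_sct(log_id, j["timestamp"], extensions, signature)}


def encode_sct_list(scts):
    """SignedCertificateTimestampList: the value inside the X.509 SCT extension
    (OID 1.3.6.1.4.1.11129.2.4.2) once the outer OCTET STRING is unwrapped."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


def decode_sct(raw):
    """Parse one TLS-encoded v1 SCT; a client does this to learn which logs
    vouched for a certificate before deciding whether to trust it."""
    if len(raw) < 1 + 32 + 8 + 2 + 4 or raw[0] != 0:
        raise ValueError("not a v1 SCT")
    log_id = raw[1:33]
    timestamp = struct.unpack(">Q", raw[33:41])[0]
    ext_len = struct.unpack(">H", raw[41:43])[0]
    ext, sig = raw[43:43 + ext_len], raw[43 + ext_len:]
    _check_digitally_signed(sig)
    return {"log_id": log_id, "timestamp": timestamp, "extensions": ext, "signature": sig}


def decode_sct_list(data):
    """Parse a SignedCertificateTimestampList into a list of SCT dicts."""
    if len(data) < 2 or struct.unpack(">H", data[:2])[0] != len(data) - 2:
        raise ValueError("bad list length")
    out, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated entry length")
        n = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        out.append(decode_sct(data[pos:pos + n]))
        pos += n
    return out


# Constructed sample response (not from any real log): a fake 32-byte log id,
# a fixed timestamp and a 3-byte placeholder ECDSA signature value.
SAMPLE_LOG_ID = bytes(range(32))
SAMPLE_SIG = bytes([4, 3]) + struct.pack(">H", 3) + b"\x30\x01\x00"
SAMPLE_RESPONSE = json.dumps({
    "sct_version": 0,
    "id": base64.b64encode(SAMPLE_LOG_ID).decode(),
    "timestamp": 1700000000000,
    "extensions": "",
    "signature": base64.b64encode(SAMPLE_SIG).decode(),
}).encode()

if __name__ == "__main__":
    url, body = add_chain_request([b"\x30\x03\x02\x01\x01"], precert=True)  # constructed DER
    print(url, body)
    sct = parse_sct_response(SAMPLE_RESPONSE)
    print(decode_sct_list(encode_sct_list([sct["tls"]])))
```

The SCT signature itself is checked against the log's public key over the signed data (version, signature type, timestamp, entry type, the cert or precert TBS, extensions); that step is omitted here since the sample signature is a placeholder. A certificate whose SCT list is absent or whose SCTs come from logs the client does not recognise gives the client no evidence that the issuance is publicly visible, which is the substance of the first question.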

Certificate Transparency logs: why are so many operated by same entities and how do they differ?

I’m trying to understand the point of having multiple Certificate Transparency logs. While I understand that it solves the problems of reliability of trust, what baffles me is that so many are operated by the same entity: most notably, Goo…
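Whoever operates them, each CT log is a separate append-only Merkle tree with its own key and signed tree heads, and what makes logs interchangeable from an auditor's point of view is that inclusion is verified the same way against any of them. The following is an added example, not code from the poster or from any log operator, of the RFC 6962 tree hash, inclusion proof and verification; the entries are constructed byte strings standing in for serialized MerkleTreeLeaf structures.

```python
"""RFC 6962 Merkle tree: root hash, inclusion proof and verification
(added example, not from the post above). Entries are constructed stand-ins
for serialized MerkleTreeLeaf structures."""
import hashlib


def leaf_hash(entry):
    """MTH of a one-entry tree: SHA-256(0x00 || entry). The 0x00 prefix keeps
    leaf hashes from colliding with interior node hashes."""
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left, right):
    """Interior node: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def split_point(n):
    """Largest power of two strictly less than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(entries):
    """Merkle tree hash (MTH) of the ordered entry list."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()   # RFC 6962: MTH({}) is SHA-256 of ""
    if n == 1:
        return leaf_hash(entries[0])
    k = split_point(n)
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(m, entries):
    """Audit path for entry index m, ordered from the leaf's sibling upward."""
    n = len(entries)
    if not 0 <= m < n:
        raise IndexError("leaf index out of range")
    if n == 1:
        return []
    k = split_point(n)
    if m < k:
        return inclusion_proof(m, entries[:k]) + [merkle_root(entries[k:])]
    return inclusion_proof(m - k, entries[k:]) + [merkle_root(entries[:k])]


def root_from_proof(m, n, leaf, path):
    """Recompute the root an auditor obtains for leaf index m of an n-entry
    tree from the leaf hash and the audit path; mirrors inclusion_proof."""
    if n == 1:
        if path:
            raise ValueError("proof too long")
        return leaf
    if not path:
        raise ValueError("proof too short")
    k = split_point(n)
    if m < k:
        return node_hash(root_from_proof(m, k, leaf, path[:-1]), path[-1])
    return node_hash(path[-1], root_from_proof(m - k, n - k, leaf, path[:-1]))


def verify_inclusion(m, n, entry, path, root):
    """True iff entry sits at index m of the n-entry tree whose root is root.
    In practice root comes from a signed tree head verified with the log key."""
    if not 0 <= m < n:
        return False
    try:
        return root_from_proof(m, n, leaf_hash(entry), path) == root
    except ValueError:
        return False


# Constructed entries; seven of them so the tree is not a full binary tree.
ENTRIES = [b"cert-%d" % i for i in range(7)]

if __name__ == "__main__":
    root = merkle_root(ENTRIES)
    for i, e in enumerate(ENTRIES):
        print(i, verify_inclusion(i, len(ENTRIES), e, inclusion_proof(i, ENTRIES), root))
```

Two logs run by the same operator still produce unrelated roots and proofs for the same certificate, so a monitor has to fetch and verify inclusion from each log it relies on; operator diversity is a policy matter on top of this, not something the data structure gives you.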

Why infamous Addtrust certificate is still not expired (same private key) for code signing?

As many of you know, the Addtrust certificate https://crt.sh/?id=1 expired on 30 May 2020, as did many other intermediate certs, and now we have to update certs on many servers to either the root cert https://crt.sh/?id=1199354 or using another chai…

HTTP Public Key Pinning vs Certificate Transparency, which is better and why?

We are rolling out a new mobile app. Our security team recommends that we pin the public key in order to avoid MITM. iOS already has CT checks and we can enable that for the Android app as well.

The security team’s arguments for pinning ar…