home.social

#certificatetransparency — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #certificatetransparency, aggregated by home.social.

  1. Just learned that Certificate Transparency logs are a thing... I hate it. One day, and a private subdomain is crawled by AI scrapers. These bas***ds...

    At least some of them are being trapped by iocaine

    #LetsEncrypt #CertificateTransparency #FckAI #FuckLLMs #caddy #iocaine

  2. Just learned that Certificate Transparency logs are a thing... I hate it. One day, and a private subdomain is crawled by AI scrapers. These bas***ds...

    At least some of them are being trapped by iocaine

    #LetsEncrypt #CertificateTransparency #FckAI #FuckLLMs #caddy #iocaine

  3. Just learned that Certificate Transparency logs are a thing... I hate it. One day, and a private subdomain is crawled by AI scrapers. These bas***ds...

    At least some of them are being trapped by iocaine

    #LetsEncrypt #CertificateTransparency #FckAI #FuckLLMs #caddy #iocaine

  4. Just learned that Certificate Transparency logs are a thing... I hate it. One day, and a private subdomain is crawled by AI scrapers. These bas***ds...

    At least some of them are being trapped by iocaine

    #LetsEncrypt #CertificateTransparency #FckAI #FuckLLMs #caddy #iocaine

  5. Just learned that Certificate Transparency logs are a thing... I hate it. One day, and a private subdomain is crawled by AI scrapers. These bas***ds...

    At least some of them are being trapped by iocaine

    #LetsEncrypt #CertificateTransparency #FckAI #FuckLLMs #caddy #iocaine

  6. Today I published an update on the #Canonical supported #upki project, which brings browser-grade Public Key Infrastructure to Linux through the efficient #CRLite data format, with the core revocation engine now functional and available to test!

    Beyond current progress, this post explores broader integration, performance, and future capabilities like Certificate Transparency enforcement and Merkle Tree.

    This is all part of the effort to increase the resilience of #Ubuntu machines by default, but I hope it has a wider benefit on the Linux ecosystem going forward!

    discourse.ubuntu.com/t/77063

    #CertificateTransparency #PKI #Cryptography

  7. Today I published an update on the #Canonical supported #upki project, which brings browser-grade Public Key Infrastructure to Linux through the efficient #CRLite data format, with the core revocation engine now functional and available to test!

    Beyond current progress, this post explores broader integration, performance, and future capabilities like Certificate Transparency enforcement and Merkle Tree.

    This is all part of the effort to increase the resilience of #Ubuntu machines by default, but I hope it has a wider benefit on the Linux ecosystem going forward!

    discourse.ubuntu.com/t/77063

    #CertificateTransparency #PKI #Cryptography

  8. Today I published an update on the supported project, which brings browser-grade Public Key Infrastructure to Linux through the efficient data format, with the core revocation engine now functional and available to test!

    Beyond current progress, this post explores broader integration, performance, and future capabilities like Certificate Transparency enforcement and Merkle Tree.

    This is all part of the effort to increase the resilience of machines by default, but I hope it has a wider benefit on the Linux ecosystem going forward!

    discourse.ubuntu.com/t/77063

  9. Today I published an update on the #Canonical supported #upki project, which brings browser-grade Public Key Infrastructure to Linux through the efficient #CRLite data format, with the core revocation engine now functional and available to test!

    Beyond current progress, this post explores broader integration, performance, and future capabilities like Certificate Transparency enforcement and Merkle Tree.

    This is all part of the effort to increase the resilience of #Ubuntu machines by default, but I hope it has a wider benefit on the Linux ecosystem going forward!

    discourse.ubuntu.com/t/77063

    #CertificateTransparency #PKI #Cryptography

  10. Today I published an update on the #Canonical supported #upki project, which brings browser-grade Public Key Infrastructure to Linux through the efficient #CRLite data format, with the core revocation engine now functional and available to test!

    Beyond current progress, this post explores broader integration, performance, and future capabilities like Certificate Transparency enforcement and Merkle Tree.

    This is all part of the effort to increase the resilience of #Ubuntu machines by default, but I hope it has a wider benefit on the Linux ecosystem going forward!

    discourse.ubuntu.com/t/77063

    #CertificateTransparency #PKI #Cryptography

  11. Eric Brandes dropped Part 2 of our CT logs series. The performance gap is staggering.

    Tiled logs: 100M+ records/day
    RFC 6962: Low millions (with throttling)

    Google throttles hard. Cloudflare's Nimbus is decent. Let's Encrypt's tiled logs absolutely fly.

    Post includes working Golang code for both log types. Real implementations, not theory.

    certkit.io/blog/searching-ct-l

    #CertificateTransparency #PKI

  12. Certificate Transparency logs hold billions of certificates but searching them is brutal. crt.sh is slow, truncates results, and crashes constantly.

    We built a better CT search tool at CertKit (free to use). Part 1 of my series explains why CT exists (DigiNotar hack), how it works, and the insane scale (96M certs/week).

    certkit.io/blog/searching-ct-l

    #CertificateTransparency #InfoSec

  13. First I must underline that this is all speculation and I have no proof of the attack described here being implemented in practice.

    I firmly believe too much trust is placed on the effectiveness of certificate transparency to protect against state actors.

    Much focus has been placed on the fact that certificate transparency is supposedly geographically and jurisdictionally distributed and could not be defeated by a single state. Unfortunately, the monoculture of Chromium-based browsers means that a single point of failure now exists, easily tampered with by a single jurisdiction: the USA.

    From checking I've done so far, it seems that most Chromium-based browsers use the Google-generated "PKI Metadata" package as is. This would include browsers such as:
    - Google Chrome
    - Microsoft Edge
    - Vivaldi Browser
    - Brave Browser

    Assuming the actor would have ability to sign malicious "PKI Metadata" update, this would mean that the actor would also have the ability to disable certificate transparency by targeting the periodic "PKI Metadata" update performed by the Chromium component updater.

    In practice the attack would replace the "ct_config.pb" file with one that lists fake servers that are all in control of the attacker and that would provide a fake Merkle tree against which a crafted certificate would then validate. No collusion by the CT log providers are required as the actual list is replaced by malicious one. Once done, the actor who has the ability to issue otherwise trusted certificates can bypass certificate transparency and quietly get MiTM performed. In effect, CT validation would still happen, but it would be performed against infrastructure fully controlled by the attacker. Notably to implement this attack no changes to Chromium source code or binaries would be required, only the component updater signing key would need to be made available to the actor.

    I am not claiming that Google would necessarily be doing something like this, or that they would be doing this willingly. The United States law, however, has binding clauses that require US companies to cooperate to provide lawful access. Notably, this law also specifically only protects US citizens, and everyone else can be targeted freely. This is why Certificate Transparency was planned to be distributed between multiple jurisdictions to begin with.

    Apple and Mozilla manage their certificate transparency log lists separately. Thus, they're outside of this single point of failure, at least. This doesn't necessarily mean they would be unaffected by similar lawful access requirements, however.

    Having laid out the problem, is there anything that could be done to improve the situation? What should parties using Chromium do to rectify this situation and limit the potential impact from such malicious "PKI Metadata" updates?

    I suggest that browser manufacturers that take security seriously stop blindly trusting Google to deliver "PKI Metadata" updates. Rather, they should set up infrastructure of their own that delivers this (and potentially other?) component updates. The service would then add an extra layer of validation, where the Google-provided update is verified (by automation and potentially manual means) before being repackaged and signed with their own trust root.

    Of course, this method isn't bulletproof either, as these individual signing parties could then be targeted by the state actor. However, it would be a far better situation than trusting a single company in a single jurisdiction for this certificate transparency list.

    In the end you need to trust something at some point. I would like to place my trust on something else than good will of US government.

    #privacy #certificatetransparency #chromium #bravebrowser #vivaldi #ctlogs

  14. #CertificateTransparency (CT) creates public, append-only logs of every TLS certificate issued, helping detect rogue or mistaken certificates.

    Learn how CT has 𝐭𝐫𝐚𝐧𝐬𝐟𝐨𝐫𝐦𝐞𝐝 𝐢𝐧𝐭𝐞𝐫𝐧𝐞𝐭 𝐏𝐊𝐈: bit.ly/4gkK72Y

    📰 Read now!

    #DevOps #CloudSecurity #Encryption #Cryptography #InfoQ

  15. #Heise:
    "
    "Passwort" Folge 40: Probleme mit Widerrufen, Verbindungsabbrüchen und anderem

    Eine pickepackevolle Folge, gefüllt unter anderem mit kundigem Exploitbau unter Linux, einem HTTP2-DoS und millionenfachen Zertifikatsrückrufen von Microsoft.
    "
    heise.de/news/Passwort-Folge-4

    mp3: audio.podigee-cdn.net/2098722-

    10.9.2025

    Aaaa.. MS..

    #CA #CertificateTransparency #Chrome #LetsEncrypt #Microsoft #MS #PKI #TLSZertifikat #WebPKI #Zertifikat

  16. #Heise:
    "
    "Passwort" Folge 40: Probleme mit Widerrufen, Verbindungsabbrüchen und anderem

    Eine pickepackevolle Folge, gefüllt unter anderem mit kundigem Exploitbau unter Linux, einem HTTP2-DoS und millionenfachen Zertifikatsrückrufen von Microsoft.
    "
    heise.de/news/Passwort-Folge-4

    mp3: audio.podigee-cdn.net/2098722-

    10.9.2025

    Aaaa.. MS..

    #CA #CertificateTransparency #Chrome #LetsEncrypt #Microsoft #MS #PKI #TLSZertifikat #WebPKI #Zertifikat

  17. #Heise:
    "
    "Passwort" Folge 40: Probleme mit Widerrufen, Verbindungsabbrüchen und anderem

    Eine pickepackevolle Folge, gefüllt unter anderem mit kundigem Exploitbau unter Linux, einem HTTP2-DoS und millionenfachen Zertifikatsrückrufen von Microsoft.
    "
    heise.de/news/Passwort-Folge-4

    mp3: audio.podigee-cdn.net/2098722-

    10.9.2025

    Aaaa.. MS..

    #CA #CertificateTransparency #Chrome #LetsEncrypt #Microsoft #MS #PKI #TLSZertifikat #WebPKI #Zertifikat

  18. #Heise:
    "
    "Passwort" Folge 40: Probleme mit Widerrufen, Verbindungsabbrüchen und anderem

    Eine pickepackevolle Folge, gefüllt unter anderem mit kundigem Exploitbau unter Linux, einem HTTP2-DoS und millionenfachen Zertifikatsrückrufen von Microsoft.
    "
    heise.de/news/Passwort-Folge-4

    mp3: audio.podigee-cdn.net/2098722-

    10.9.2025

    Aaaa.. MS..

    #CA #CertificateTransparency #Chrome #LetsEncrypt #Microsoft #MS #PKI #TLSZertifikat #WebPKI #Zertifikat

  19. #Heise:
    "
    "Passwort" Folge 40: Probleme mit Widerrufen, Verbindungsabbrüchen und anderem

    Eine pickepackevolle Folge, gefüllt unter anderem mit kundigem Exploitbau unter Linux, einem HTTP2-DoS und millionenfachen Zertifikatsrückrufen von Microsoft.
    "
    heise.de/news/Passwort-Folge-4

    mp3: audio.podigee-cdn.net/2098722-

    10.9.2025

    Aaaa.. MS..

    #CA #CertificateTransparency #Chrome #LetsEncrypt #Microsoft #MS #PKI #TLSZertifikat #WebPKI #Zertifikat

  20. On August 20, @letsencrypt switched certificate issuance to use intermediate certificates R12 and R13, retiring the use of R10 and R11. The shift is clearly visible in our #certificatetransparency graphs, starting ~18:00 UTC.

    radar.cloudflare.com/certifica

    community.letsencrypt.org/t/sw

  21. 😆 So, you're telling me that running a Certificate Transparency log is the secret sauce to keeping the web from collapsing like a poorly set-up game of Jenga? 🤔 Let's all just casually assume every basement-dweller with a homelab is itching to become the digital savior of the internet. 🏆
    words.filippo.io/run-sunlight/ #CertificateTransparency #InternetSafety #DigitalSaviors #HomelabHeroes #WebSecurity #HackerNews #ngated

  22. 😆 So, you're telling me that running a Certificate Transparency log is the secret sauce to keeping the web from collapsing like a poorly set-up game of Jenga? 🤔 Let's all just casually assume every basement-dweller with a homelab is itching to become the digital savior of the internet. 🏆
    words.filippo.io/run-sunlight/ #CertificateTransparency #InternetSafety #DigitalSaviors #HomelabHeroes #WebSecurity #HackerNews #ngated

  23. 😆 So, you're telling me that running a Certificate Transparency log is the secret sauce to keeping the web from collapsing like a poorly set-up game of Jenga? 🤔 Let's all just casually assume every basement-dweller with a homelab is itching to become the digital savior of the internet. 🏆
    words.filippo.io/run-sunlight/ #CertificateTransparency #InternetSafety #DigitalSaviors #HomelabHeroes #WebSecurity #HackerNews #ngated

  24. 😆 So, you're telling me that running a Certificate Transparency log is the secret sauce to keeping the web from collapsing like a poorly set-up game of Jenga? 🤔 Let's all just casually assume every basement-dweller with a homelab is itching to become the digital savior of the internet. 🏆
    words.filippo.io/run-sunlight/ #CertificateTransparency #InternetSafety #DigitalSaviors #HomelabHeroes #WebSecurity #HackerNews #ngated

  25. Guess where the appmattus/certificatetransparency code was originally made: your favourite late-stage capitalism digital "health" (IE, death) platform provider;

    To quote mattmook:
    "Originally the project was born out of the company Babylon Health".

    #certificateTransparency

  26. Furthermore produced software artifacts proofs are written into a database similar to #certificateTransparency.

    We have recently implemented this in #PrivateBin and it works great: github.com/PrivateBin/PrivateB

    Of course practically, people (especially software consumers) needed to verify it, to be worth the work.

    Obviously, it's no magic bullet. It just raises the burden for an attacker. Obviously, the source code repo could be made to contain bad code, but you cannot anymore tamper at built-time.

  27. Anyone else just getting 502s when using crt.sh, searching for CT logs on domain names?

    The index page works, although I'd argue with degraded performance. Any search on the site however does not.

    Can someone confirm? Or is it just me?

    #downdetector #crt.sh #certificatetransparency #ctlogs

  28. Filippo has announced the #Sunlight #CertificateTransparency log design on ct-policy #CT groups.google.com/a/chromium.o

    Let's Encrypt has also announced adopting Sunlight for new logs that we hope will be more scalable and dramatically less expensive: Sycamore, Willow, and our new test log, Twig: letsencrypt.org/2024/03/14/int

  29. I'll be attending the Real World Crypto Symposium in Toronto in two weeks time (#RWC), and after that, I'm once again co-organizing the Open Source Cryptography Workshop. (#OSCW2024)

    I’ll also be real happy to talk about the new developments with the #Sunlight #CertificateTransparency log design, Let’s Encrypt’s new ACME Renewal Information (#ARI) draft specification, #CRLite, Rustls… all that stuff.

    insufficient.coffee/2024/03/14

  30. I'll be attending the Real World Crypto Symposium in Toronto in two weeks time (#RWC), and after that, I'm once again co-organizing the Open Source Cryptography Workshop. (#OSCW2024)

    I’ll also be real happy to talk about the new developments with the #Sunlight #CertificateTransparency log design, Let’s Encrypt’s new ACME Renewal Information (#ARI) draft specification, #CRLite, Rustls… all that stuff.

    insufficient.coffee/2024/03/14

  31. I'll be attending the Real World Crypto Symposium in Toronto in two weeks time (#RWC), and after that, I'm once again co-organizing the Open Source Cryptography Workshop. (#OSCW2024)

    I’ll also be real happy to talk about the new developments with the #Sunlight #CertificateTransparency log design, Let’s Encrypt’s new ACME Renewal Information (#ARI) draft specification, #CRLite, Rustls… all that stuff.

    insufficient.coffee/2024/03/14

  32. I'll be attending the Real World Crypto Symposium in Toronto in two weeks time (#RWC), and after that, I'm once again co-organizing the Open Source Cryptography Workshop. (#OSCW2024)

    I’ll also be real happy to talk about the new developments with the #Sunlight #CertificateTransparency log design, Let’s Encrypt’s new ACME Renewal Information (#ARI) draft specification, #CRLite, Rustls… all that stuff.

    insufficient.coffee/2024/03/14

  33. I'll be attending the Real World Crypto Symposium in Toronto in two weeks time (#RWC), and after that, I'm once again co-organizing the Open Source Cryptography Workshop. (#OSCW2024)

    I’ll also be real happy to talk about the new developments with the #Sunlight #CertificateTransparency log design, Let’s Encrypt’s new ACME Renewal Information (#ARI) draft specification, #CRLite, Rustls… all that stuff.

    insufficient.coffee/2024/03/14

  34. @mmeier And for anyone who wants to move away from wildcard certs and use actual hostnames, just be aware of #certificatetransparency . While it's overall a healthy thing for the internet, you could end up giving any would-be attacker a list of subdomains in your #homelab.

    en.m.wikipedia.org/wiki/Certif

  35. Recently I was digging in the outliers of DNS resolving from the certificate transparency and there is a hostname which is often hardcoded test.microsoftpki.net but which is giving a NXDOMAIN. Checking the Passive DNS, the domain itself exists and seems to be registered on Microsoft infrastructure

    Any clue of the software or service at Microsoft generating certificate with an invalid domain for testing?

    #passivedns #dns #certificatetransparency

  36. Recently I was digging in the outliers of DNS resolving from the certificate transparency and there is a hostname which is often hardcoded test.microsoftpki.net but which is giving a NXDOMAIN. Checking the Passive DNS, the domain itself exists and seems to be registered on Microsoft infrastructure

    Any clue of the software or service at Microsoft generating certificate with an invalid domain for testing?

    #passivedns #dns #certificatetransparency

  37. Recently I was digging in the outliers of DNS resolving from the certificate transparency and there is a hostname which is often hardcoded test.microsoftpki.net but which is giving a NXDOMAIN. Checking the Passive DNS, the domain itself exists and seems to be registered on Microsoft infrastructure

    Any clue of the software or service at Microsoft generating certificate with an invalid domain for testing?

    #passivedns #dns #certificatetransparency

  38. Recently I was digging in the outliers of DNS resolving from the certificate transparency and there is a hostname which is often hardcoded test.microsoftpki.net but which is giving a NXDOMAIN. Checking the Passive DNS, the domain itself exists and seems to be registered on Microsoft infrastructure

    Any clue of the software or service at Microsoft generating certificate with an invalid domain for testing?

    #passivedns #dns #certificatetransparency

  39. Recently I was digging in the outliers of DNS resolving from the certificate transparency and there is a hostname which is often hardcoded test.microsoftpki.net but which is giving a NXDOMAIN. Checking the Passive DNS, the domain itself exists and seems to be registered on Microsoft infrastructure

    Any clue of the software or service at Microsoft generating certificate with an invalid domain for testing?

    #passivedns #dns #certificatetransparency

  40. The #EU has reached an agreement on #eIDAS, rolling back the state of Internet security by 12 years, and by forcing browser vendors / root store operators to include government Root CA, disallowing #CertificateTransparency and making it illegal to fix (unless you can influence #ETSI, which is conveniently government friendly when it comes to surveillance).

    This is bad. Really bad. It enables surveillance.

    Technical background: scotthelme.co.uk/what-the-qwac

  41. @jabberati @jssfr @aslmx @debacle Thank you for complaining! I had no idea #Cloudflare did this. I have many of my corporate clients on there. I’ll have to pay more attention to crt.sh #CertificateTransparency

  42. @chrysn That's an intersting worthwhile take. One thing I learned from this, is the advanced CAA configuration.
    But from a usabilty perspective, strict #CertificateTransparency monitoring is probably the easier solution.

  43. In case you missed it, here's my talk with Phil Porada from @letsencrypt on #SwiNOG38 about #CertificateTransparency and operating this critical internet infrastructure:

    youtube.com/watch?v=B1Y9WOqiEY