undefined | Better HN

0 pointstomklein4y ago0 comments

That’s what Certificate Transparency is for. If CT is required by the client, then the wrongfully issued certificate could be detected and the CA be reported for that.

0 comments

LinuxBender4y ago

True, though CT has positive and negative checks. [1] If a malicious CA chooses to silently issue certs without creating logs, all you get is a lack of logs. AFAIK no browsers will balk at this. You may eventually detect it if the certificate is widely used, but if the certificate is being targeted to one victim or a small set of victims, it is highly unlikely anyone would detect this. If you can MITM someone, you can prevent them from checking the logs and instead give them a server error 500.

[1] - https://certificate.transparency.dev/howctworks/

j / k navigate · click thread line to collapse

0 pointstomklein4y ago0 comments

That’s what Certificate Transparency is for. If CT is required by the client, then the wrongfully issued certificate could be detected and the CA be reported for that.

0 comments

LinuxBender4y ago

[1] - https://certificate.transparency.dev/howctworks/

j / k navigate · click thread line to collapse