undefined | Better HN

0 pointsagwa2y ago0 comments

I'm not sure what you mean by "surveillance system for certificate misissuance". Chrome's SCT auditing has nothing to do with detecting certificate misissuance; just misbehaving logs.

0 comments

tptacek2y ago

I'm literally just waking up right now and typing this from bed (ignore what that says about me as a person) so cut me some slack if this makes no sense and I reserve the right to come back and "clarify" what I was saying but: if Chromes see a Sectigo certificate for (say) Facebook.com with no SCTs, Google is going to notice.

agwaOP2y ago

Nope. If Chrome sees a certificate with no SCTs, it rejects the certificate but doesn't report it to Google. (Except possibly for telemetry.) Google doesn't care if CAs issue certificates without SCTs; in fact, some CAs routinely do so for customers which want to keep internal hostnames private. (e.g. https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpra...)

SCT auditing only takes place if a certificate has SCTs. SCT auditing checks to make sure that the log really published the certificate. If it didn't, then the bad SCT is reported to Google so the log can be kicked out of Chrome.

tptacek2y ago

Yep, I acknowledge this is the case. Thanks for the correction!

j / k navigate · click thread line to collapse

0 comments

tptacek2y ago

agwaOP2y ago

tptacek2y ago

Yep, I acknowledge this is the case. Thanks for the correction!

j / k navigate · click thread line to collapse