
160 points Metalnem | 13 comments
1. tonymet No.44494808
Is any amateur or professional auditing done on the CA system? Something akin to amateur radio auditing?

Consumers and publishers take certificates and certs for granted. I see many broken certs, or brands using the wrong certs and domains for their services.

SSL/TLS has done well to prevent eavesdropping, but it hasn't done well to establish trust and identity.

replies(4): >>44494951 >>44494961 >>44496524 >>44497149
2. sleevi No.44494951
All the time. Many CA distrust events involved some degree of “amateurs” reporting issues. While I hesitate to call commenters like agwa an amateur, it certainly was not professionally sponsored work by root programs or CAs. This is a key thing that Certificate Transparency enables: amateurs, academics, and the public at large to report CA issues.

At the same time, it sounds like the issues you describe aren’t CA/issuance issues, but rather, simple misconfigurations. Those aren’t incidents for the ecosystem, although they can definitely be disruptive to the site, but I also wouldn’t expect them to call trust or identity into disrepute. That’d be like arguing my driver's license is invalid if I handed you my passport; giving you the wrong doc doesn’t invalidate the claims of either, it just doesn’t address your need.

replies(1): >>44503755
3. Spivak No.44494961
I think over the years trust and identity have gone out of scope for TLS—I think for the better. Your identity is your domain and it's not TLS's problem to connect that identity to any real life person or legal entity. I'm sure you still can buy EV certs but no one really cares about them anymore. Certainly browsers no longer care about them. And TLS makes no claim on the trustworthiness of the site you're connecting to, just that the owner of the cert proved control of the domain and that your connection is encrypted.

I can't even imagine how much of a pain it would be to try and moderate certs based on some consistent international notion of trustworthiness. I think the best you could hope to do is have 3rd parties like the BBB sign your cert as a way of them "vouching" for you.

replies(1): >>44495552
4. NovemberWhiskey No.44495552
Meet the QWAC.

https://en.m.wikipedia.org/wiki/Qualified_website_authentica...

5. oasisbob No.44496524
Yup, it happens. There was a case I remember where a CA was issuing certs using the .int TLD for their own internal use, which it should not be doing.

Happened to see it in the CT logs, and when that CA next came up for discussion on the Mozilla dev security policy list, their failure to address and disclose the misissuance in a timely manner was enough to stop the process to approve their request for EV recognition, and it ended in a denial from Mozilla.

6. dlgeek No.44497149
Yes. All CAs trusted by browsers have to go through WebTRUST or ETSI audits by accredited auditors.

See https://www.mozilla.org/en-US/about/governance/policies/secu... and https://www.ccadb.org/auditors and https://www.ccadb.org/policy#51-audit-statement-content

replies(2): >>44497273 >>44503762
7. tptacek No.44497273
As I understand them, these are accounting audits, similar (if perhaps more detailed) to a SOC2. The real thing keeping CAs from being gravely insecure is the CA death penalty Google will inflict if a CA suffers a security breach that results in any kind of misissuance.
replies(1): >>44497363
8. creatonez No.44497363
It's not just Google, but also Mozilla, Apple, and Microsoft. They all work together on shutting down bad behavior.

Apple and Microsoft mainly have power because they control Safari and Edge. Firefox is of course dying, but they still wield significant power because their trusted CA list is copied by all the major Linux distributions that run on servers.

replies(1): >>44497465
9. tptacek No.44497465
Sure. I think Google and Mozilla have been the prime movers to date, but everyone has upped their game since Verisign/Symantec.
10. tonymet No.44503755
It seems more ad hoc, bounty-driven, rather than systematic. Is that a fair perspective?
replies(1): >>44505777
11. tonymet No.44503762
That's good news about the CAs, but how about the publisher certificates that are in use?
12. agwa No.44505777
I wish there were bounties :-)

There is systematic checking - e.g. crt.sh continuously runs linters on certificates found in CT logs, I continuously monitor domains which are likely to be used in test certificates (e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1496088), and it appears the Chrome root program has started doing some continuous compliance monitoring based on CT as well.

But there is certainly a lot of ad-hoc checking by community members and academics, which as Sleevi said is one of the great things that CT enables.

replies(1): >>44511303
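As an added example (not code from the thread, from crt.sh, or from any root program), here is a small Go lint of the kind agwa and oasisbob describe: it takes a parsed certificate, such as one pulled from a CT log, and flags DNS SANs that sit under a restricted or reserved TLD (the .int case above) or carry test-style labels. The self-signed leaf, the TLD list and the "test" label heuristic are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed list: .int is restricted to treaty organizations (the thread's case), the rest are reserved names (RFC 2606/6761).
var suspectTLDs = map[string]bool{"int": true, "local": true, "localhost": true, "internal": true, "example": true, "test": true}

// lintSANs flags DNS SANs that suggest misissuance or a test certificate (hypothetical lint, not crt.sh's code).
func lintSANs(cert *x509.Certificate) []string {
	var findings []string
	for _, name := range cert.DNSNames {
		labels := strings.Split(strings.ToLower(name), ".")
		if tld := labels[len(labels)-1]; suspectTLDs[tld] {
			findings = append(findings, fmt.Sprintf("%s: SAN under reserved or restricted TLD .%s (review)", name, tld))
		}
		for _, l := range labels[:len(labels)-1] {
			if l == "test" || strings.HasPrefix(l, "test-") {
				findings = append(findings, fmt.Sprintf("%s: label %q suggests a test certificate", name, l))
				break
			}
		}
	}
	return findings
}

// selfSignedWithSANs builds a constructed self-signed leaf, standing in for a certificate fetched from a CT log.
func selfSignedWithSANs(sans []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

lintSANs is the entry point; fed the constructed leaf with SANs www.example.com, ca.corp.int and test-host.example.org it reports the .int name and the test-host label and stays silent on the first.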
13. tonymet No.44511303
Thanks for highlighting that— and for the efforts to assemble this project. Honestly, before this post about the CT logs I hadn’t been aware of systematic auditing being done.