
160 points | Metalnem | 1 comment
tonymet No.44494808
Is any amateur or professional auditing done on the CA system? Something akin to amateur radio auditing?

Consumers and publishers take certificates and certs for granted. I see many broken certs, or brands using the wrong certs and domains for their services.

SSL/TLS has done well to prevent eavesdropping, but it hasn't done well to establish trust and identity.

replies(4): >>44494951 #>>44494961 #>>44496524 #>>44497149 #
1. oasisbob No.44496524
Yup, it happens. There was a case I remember where a CA was issuing certs using the .int TLD for their own internal use, which it should not be doing.

Happened to see it in the CT logs, and when that CA next came up for discussion on the Mozilla dev security policy list, their failure to address and disclose the misissuance in a timely manner was enough to stop the process to approve their request for EV recognition, and it ended in a denial from Mozilla.
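As an added illustration of the kind of check behind both comments above (the question about auditing CAs, and the answer about spotting misissuance in CT logs), here is a small stand-alone Python script, not code from either commenter. It works over a constructed list of CT-style records (issuer name plus the certificate's subjectAltName entries, already extracted) and flags SANs a public CA should not be issuing: names under a watched TLD such as .int, names whose TLD is not a public one (internal hostnames), single-label names, and private or reserved IP addresses. The `PUBLIC_TLDS` set is a tiny stand-in for the public suffix list and the sample records are invented; a real monitor would fetch entries from a log's `get-entries` endpoint and parse the X.509 certificates with a library before feeding SANs into a check like this.

```python
"""Flag SANs that look misissued in a batch of CT-style certificate records.

Added example; records and TLD lists below are constructed for illustration.
"""
import ipaddress

# Stand-in for the public suffix list (assumption: a real monitor loads the full PSL).
PUBLIC_TLDS = {"com", "net", "org", "int", "edu", "gov", "uk", "de"}

# TLDs that are public but that a commercial CA should never use for its own
# infrastructure. .int is the case from the thread: a CA cannot validate
# control of .int names for its internal hosts.
WATCHED_TLDS = {"int"}

# Constructed sample records: one issuer, the dNSName/iPAddress SANs on the cert.
SAMPLE_RECORDS = [
    {"issuer": "Example CA", "sans": ["www.example.com", "example.com"]},
    {"issuer": "Example CA", "sans": ["ocsp.example-ca.int", "mail.example-ca.int"]},
    {"issuer": "Example CA", "sans": ["build01.corp", "10.0.0.5", "localhost"]},
    {"issuer": "Other CA", "sans": ["*.example.org"]},
]


def classify_san(san: str, watched=WATCHED_TLDS, public=PUBLIC_TLDS):
    """Return a short reason if the SAN looks misissued, otherwise None."""
    name = san.strip().lower().rstrip(".")

    # iPAddress SANs: anything private, loopback, link-local or reserved is an
    # internal address that no public CA should certify.
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
            return "reserved ip address"
        return None

    # dNSName SANs: strip a leading wildcard label before looking at the TLD.
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    if len(labels) < 2:
        return "single-label hostname"
    tld = labels[-1]
    if tld not in public:
        return f"non-public tld .{tld}"
    if tld in watched:
        return f"watched tld .{tld}"
    return None


def audit_records(records, watched=WATCHED_TLDS, public=PUBLIC_TLDS):
    """Run classify_san over every SAN and return (issuer, san, reason) findings."""
    findings = []
    for rec in records:
        for san in rec["sans"]:
            reason = classify_san(san, watched, public)
            if reason is not None:
                findings.append((rec["issuer"], san, reason))
    return findings


if __name__ == "__main__":
    for issuer, san, reason in audit_records(SAMPLE_RECORDS):
        print(f"{issuer}: {san} -> {reason}")
```

The .int case is the one that needs a human: the TLD is legitimate, so the script can only surface those SANs for review, whereas non-public TLDs and private addresses are outright misissuance under the Baseline Requirements and can be reported directly.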