160 points Metalnem | 3 comments

gslin No.44495857
> You Should Run a Certificate Transparency Log

And:

> Bandwidth: 2 – 3 Gbps outbound.

I am not sure if this is correct; is 2-3 Gbps really required for CT?

replies(3): >>44497422 #>>44497536 #>>44501107 #
remus No.44497422
It seems like Filippo has been working quite closely with people running existing CT logs to try and reduce the requirements for running a log, so I'd assume he has a fairly realistic handle on the requirements.

Do you have a reason to think his number is off?

replies(2): >>44497620 #>>44498502 #
gslin No.44498502
Let's Encrypt issues 9M certs per day (https://letsencrypt.org/stats/), and its market share is 50%+ (https://w3techs.com/technologies/overview/ssl_certificate), so I assume there are <20M certs issued per day.

If all certs are sent to just one CT log server, and each cert generates ~10KBytes outbound traffic, it's ~200GB/day, or ~20Mbps (full & even traffic), not in the same ballpark (2-3Gbps).

So I guess there is something I don't understand?

replies(1): >>44498707 #
1. bo0tzz No.44498707
I've been trying to get an understanding of this number myself as well. I'm not quite there yet, but I believe it's talking about read traffic, i.e. serving clients that are looking at the log, not handling new certificates coming in.
replies(1): >>44499058 #
2. FiloSottile No.44499058
I added a footnote about it. It’s indeed read traffic, so it’s (certificate volume x number of monitors x compression ratio) on average. But then you have to let new monitors catch up, so you need burst.

It’s unfortunately an estimate, because right now we see 300 Mbps peaks, but as Tuscolo moves to Usable and more monitors implement Static CT, 5-10x is plausible.

It might turn out that 1 Gbps is enough and the P95 is 500 Mbps. Hard to tell right now, so I didn’t want to get people in trouble down the line.

Happy to discuss this further with anyone interested in running a log via email or Slack!

replies(1): >>44499533 #
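To show how gslin's ~20 Mbps write-side estimate turns into the Gbps-scale figure once the comment above is applied, here is a small sizing calculator. It is an added example, not code from the thread or from any CT log operator: it implements the average formula stated above (certificate volume × number of monitors × compression ratio) and adds a separate term for the catch-up burst a new monitor causes when it downloads the existing log. The per-certificate size (10 KB, from gslin's comment), the monitor count, the compression ratio (treated as the fraction of bytes left after compression) and the backlog size are all constructed inputs, not measured values.

```python
"""Back-of-the-envelope outbound bandwidth sizing for a CT log.

Average read traffic  = certs/day * bytes/cert * monitors * compression_ratio
Catch-up burst        = backlog_entries * bytes/cert * compression_ratio,
                        drained by each new monitor inside its catch-up window.
All inputs are constructed assumptions; only the arithmetic is fixed.
"""

SECONDS_PER_DAY = 86_400
BITS_PER_BYTE = 8


def sustained_mbps(certs_per_day: float, bytes_per_cert: float,
                   monitors: int, compression_ratio: float) -> float:
    """Average outbound rate in Mbps if every monitor reads every entry once.

    compression_ratio is the on-the-wire size as a fraction of raw size
    (1.0 = uncompressed, 0.5 = halves the bytes); this is an assumption
    about how the ratio in the comment above should be applied.
    """
    bytes_per_day = certs_per_day * bytes_per_cert * monitors * compression_ratio
    return bytes_per_day * BITS_PER_BYTE / SECONDS_PER_DAY / 1e6


def catchup_mbps(backlog_entries: float, bytes_per_cert: float,
                 compression_ratio: float, new_monitors: int,
                 catchup_hours: float) -> float:
    """Extra outbound rate in Mbps while new monitors download the full log.

    A monitor that has never seen the log must fetch every existing entry
    before it can keep up; we assume each one wants to finish within
    catchup_hours and that the bursts overlap in the worst case.
    """
    total_bytes = backlog_entries * bytes_per_cert * compression_ratio * new_monitors
    return total_bytes * BITS_PER_BYTE / (catchup_hours * 3600) / 1e6


def size_log(certs_per_day: float, bytes_per_cert: float, monitors: int,
             compression_ratio: float, backlog_entries: float,
             new_monitors: int, catchup_hours: float) -> dict:
    """Return average, burst and the peak an operator would provision for."""
    avg = sustained_mbps(certs_per_day, bytes_per_cert, monitors, compression_ratio)
    burst = catchup_mbps(backlog_entries, bytes_per_cert, compression_ratio,
                         new_monitors, catchup_hours)
    return {
        "average_mbps": avg,
        "catchup_burst_mbps": burst,
        "peak_mbps": avg + burst,
    }


if __name__ == "__main__":
    # gslin's write-side figure: 20M certs/day, 10 KB each, one reader, no compression.
    print(f"single reader: {sustained_mbps(20e6, 10_000, 1, 1.0):.1f} Mbps")

    # Constructed read-side scenario: 50 monitors, 2:1 compression, plus two
    # fresh monitors each pulling a (constructed) 500M-entry backlog in a day.
    for key, value in size_log(certs_per_day=20e6, bytes_per_cert=10_000,
                               monitors=50, compression_ratio=0.5,
                               backlog_entries=500e6, new_monitors=2,
                               catchup_hours=24).items():
        print(f"{key}: {value:.1f} Mbps")
```

The point of separating the two terms is that the average is dominated by the monitor count, which the operator does not control, while the burst is dominated by how fast a new monitor is allowed to catch up; a rate limit on catch-up reads is the operator-side knob that bounds the second term without touching the first.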
3. bo0tzz No.44499533
Thanks, that clarifies a lot!