Questions tagged [certificate-transparency]


Certificate Transparency is a system where Certificate Authorities are required to log all certs they issue to one or more Certificate Transparency Logs, which are publicly accessible. The purpose is to add additional accountability for CAs, and allow easy searching of all certificates issued to a domain.

CT was brought in partly to make it easier to catch CAs intentionally issuing fraudulent certs, and partly to allow web site administrators to monitor when a cert is issued to their domain that they did not request. Google maintains a Transparency Report page where you can search the logs for all certificates issued to a particular domain:

Google Transparency Report

This is a project introduced by Google, and they still run the project.

39 questions
23 votes, 2 answers

Are we gossiping in Certificate Transparency?

Ben Laurie's original paper on Certificate Transparency proposed that clients (browsers) should "gossip". In particular, it proposed that when a browser connects to a web server, it should send to the server the latest signed tree head from a…
20 votes, 3 answers

How can I access the certificate transparency logs?

Am I going crazy or is there no way to access any of the "known logs" listed on Google's Certificate Transparency site? Every single one of the links listed there 404s, even though the list is allegedly up to date. Is there some arcane way of…
user124384
13 votes, 2 answers

Certificate transparency: should the certificate be submitted to ct-logs if the pre-certificate is already submitted

If a pre-certificate is generated and submitted to certificate transparency logs, the final certificate can include SCT receipts. So the final certificate doesn't need to be submitted to ct-logs in order to be valid in browsers where ct is…
Tom
9 votes, 2 answers

How do I determine if a certificate in a CT log is my own?

I’m experimenting with scanning certificate transparency logs for my domains, and I’d like to filter out log entries for legitimately issued certificates so I only get alerts when someone else gets ahold of a certificate for my domain. I tried to…
Wolfgang
7 votes, 2 answers

Certificate Transparency logs: why are so many operated by same entities and how do they differ?

I'm trying to understand the point of having multiple Certificate Transparency logs. While I understand that it solves the problems of reliability of trust, what baffles me is that so many are operated by the same entity: most notably, Google…
d33tah
7 votes, 2 answers

HTTP Public Key Pinning vs Certificate Transparency, which is better and why?

We are rolling out a new mobile app. Our security team recommends us to pin the public key in order to avoid MITM. iOS already has CT checks and we can enable that for the Android app as well. The security team's arguments for pinning are: Pinning…
7 votes, 2 answers

How does Certificate Transparency detect fake or forked logs?

I am trying to understand Certificate Transparency. Let's say I want to snoop on somebody's email. So I go hack or bribe a CA, have them issue a certificate for google.com, and then I present it when I MitM the user's connection to Gmail. This is the…
6 votes, 3 answers

Certificate Transparency

From what I read here, if the intermediate CA has been compromised, a fake cert can be issued and the privacy of the end-users could be compromised as well. In order to remediate this situation, someone has to report this and have this cert be…
6 votes, 1 answer

How will Certificate Transparency be enforced?

The Chrome team has announced that "[they]’ll be moving forward with [their] plan to require Certificate Transparency for all newly issued, publicly trusted certificates starting in April 2018." It's July 2018 now. Is Certificate Transparency…
5 votes, 2 answers

standards for regulation of intermediate Certificate authority

I want to know some information about the regulation of intermediate CAs. Is there any standard for intermediate CA to determine how many intermediate CAs are required or something like that which concerns the application of intermediate CA?
5 votes, 1 answer

What is the status of Certificate Transparency?

I am reading a bit on the certificate transparency project initiated by Google (more info at http://www.certificate-transparency.org). This technology tries to introduce transparency in the creation of CA certificates. Their goal is that all SSL…
4 votes, 1 answer

Adding Expect-CT header to HTTP response

In the security test report, I have a recommendation to add Expect-CT header to the HTTP response from web application, additionally developers set this to: Expect-CT: max-age=0, report-uri= I am not sure if it is a good idea to add this header.…
user187205
4 votes, 1 answer

Certificate Transparency Android

For iOS-Apps, it is possible to use Certificate Transparency as stated here. We are developing native Apps for the different mobile platforms and are discussing to establish a more secure way of handling SSL-certificates. Does anybody know if there…
4 votes, 1 answer

What exactly does certificate transparency do?

I have huge problems understanding how certificate transparency is different from mechanisms like CRL or OCSP which allow to get the status of a certificate by contacting the CA directly. Which domain names are contacted when an application wants to…
user2284570
3 votes, 0 answers

What is expected of domain owners in the Certificate Transparency system?

As I understand it, Certificate Transparency provides proof to the client that the presented certificate is publicly accessible in CT logs. The certificate being in the logs enables a domain owner to detect that a certificate has been issued for its…