
I liked the CA MITM call-out. We just trust these organizations not to deploy malicious wildcard certificates.

Kinda messed up that devices come preloaded with unchangeable trusted CAs.

Guy knows his stuff, also works for DoD.



> we just trust these organizations to not deploy wildcard malicious certificates.

Don't we have transparency logs to check that now?


Yes, Chrome and Safari will not load a site if the cert is not in CT. https://no-sct.badssl.com/


They will not load the site if the certificate does not have embedded SCTs. That's different.

They don't actually go check and compare the embedded SCT with what is in the logs. It would be incredibly slow to load the site if they did that.


This is going to blow your mind, but they do: it's called the Inclusion Checking phase https://docs.google.com/document/d/1FP5J5Sfsg0OR9P4YT0q1dM02...


Also Edge. It's an open issue on Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1281469


Wow. Firefox should really prioritize this if all major browsers are doing it already.


There is a theory which states that if ever anyone discovers exactly which decade-old bug should be fixed in Firefox, it will instantly disappear and be replaced by some obscure web service by the Mozilla Foundation. There is another theory which states that this has already happened.

(in memory of Douglas Adams)


Let's test that theory:

It's this one. https://bugzilla.mozilla.org/show_bug.cgi?id=505521


Introducing RunSet™ by the Mozilla Foundation: an installation customizer for the Mozilla suite of software. Just visit mozilla.org/runset, click on what pieces of software you want, and a custom installer is generated just for you. You can even embed your profile picture in the installer to share it with your friends and family. Fully customizable, fully free.

RunSet™: Install everything everywhere all at once.

[Donate]


But not Brave apparently



So now we trust them to log it. What's the difference?


If someone else logs a certificate for one of my domains I am notified and can have it revoked.


How are you following this in practice, especially if every service has its own certificate that it rotates every two months via letsencrypt or similar?

It's not clear to me how you know who asked for the certificate in the log. Do you somehow compile the private keys of all entities that are allowed to request certificates and compare that to the CTL?
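On the question of how you would know which logged certificates are yours: you never need anyone's private keys, only a record of the public keys (or certificate fingerprints) your own ACME client generated at each renewal; anything logged for your zone with a key not on that list is the alert. Added example, not from anyone in this thread; the log entries, issuer names and key bytes are constructed, and the SPKI fingerprint is the assumed join key:

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class LogEntry:
    """Fields a CT monitor pulls out of a logged (pre)certificate."""
    log_index: int
    issuer: str
    sans: tuple            # dNSName entries from subjectAltName
    spki_der: bytes        # SubjectPublicKeyInfo bytes as embedded in the cert

def spki_sha256(spki_der: bytes) -> str:
    """Public-key fingerprint; an ACME client can record this for every renewal."""
    return hashlib.sha256(spki_der).hexdigest()

def in_zone(san: str, zone: str) -> bool:
    """True if a SAN (wildcard or not) is the zone itself or a name under it."""
    name = san.lower()
    if name.startswith("*."):
        name = name[2:]           # *.example.com covers everything below example.com
    zone = zone.lower()
    return name == zone or name.endswith("." + zone)

def find_unexpected(entries, owned_zones, known_spki_hashes):
    """Return (index, issuer, covered SANs) for certs over our zones whose key we never made."""
    alerts = []
    for e in entries:
        covered = tuple(s for s in e.sans if any(in_zone(s, z) for z in owned_zones))
        if covered and spki_sha256(e.spki_der) not in known_spki_hashes:
            alerts.append((e.log_index, e.issuer, covered))
    return alerts

# Constructed inventory: the SPKIs our own ACME client generated at each renewal.
OUR_KEYS = [b"constructed-spki-renewal-2024-01", b"constructed-spki-renewal-2024-03"]
KNOWN_SPKI = {spki_sha256(k) for k in OUR_KEYS}
OWNED_ZONES = ["example.com"]

# Constructed log entries as a monitor feed would hand them to us (not real CT data).
SAMPLE_ENTRIES = [
    LogEntry(101, "Let's Encrypt R3", ("example.com", "www.example.com"), OUR_KEYS[0]),
    LogEntry(102, "Let's Encrypt R3", ("api.example.com",), OUR_KEYS[1]),
    LogEntry(103, "Constructed Other CA", ("*.example.com",), b"constructed-unknown-key"),
    LogEntry(104, "Let's Encrypt R3", ("shop.example.net",), b"someone-elses-key"),
    LogEntry(105, "Let's Encrypt R3", ("fakeexample.com",), b"lookalike-key"),
]

def run_demo():
    """Only entry 103 trips: a wildcard over our zone with a key we never generated."""
    return find_unexpected(SAMPLE_ENTRIES, OWNED_ZONES, KNOWN_SPKI)
```

Rotation frequency does not matter here: every renewal appends one more fingerprint to the inventory, so the comparison stays a set lookup however many certs you have.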


I only have about two dozen certs, so having a notification a week is manageable; I haven't had to think about how to scale it.



