Discover and read the best of Twitter Threads about #CertificateTransparency
Most recents (2)
I've got trust issues. We all do. Some infosec pros go so far as to say #TrustNoOne, a philosophy more formally known as #ZeroTrust, that holds that certain elements of your security should *never* be delegated to *any* third party. 1/
If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
pluralistic.net/2022/11/09/inf… 2/
pluralistic.net/2022/11/09/inf… 2/
The problem is, it's trust all the way down. Say you maintain your own cryptographic keys on your own device. How do you know the software you use to store those keys is trustworthy? Well, maybe you audit the source-code and compile it yourself. 3/
If your website's SSL certificate was issued in 2020, it may have stopped working in Chrome today (with the error NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED). Fix is to get a new certificate from your CA.
Use this tool to check if your site is affected: sslmate.com/labs/ct_policy…
Use this tool to check if your site is affected: sslmate.com/labs/ct_policy…
Background: Chrome requires all certificates to be published in at least one active (non-retired) #CertificateTransparency log. For various reasons, logs are occasionally shut down/retired. If every log that a certificate is logged to is retired, the cert stops working. 2/n
Many non-Google logs have been retired over the years, but until recently Chrome required that certs also be logged to a Google-operated log. Thus, retiring a log never caused certs to break: you could always count on the cert to be in an active Google log. Until yesterday. 3/n
