certificatetransparency   23

Revocation is broken
It is true that OCSP offered a significant performance advantage over fetching a CRL, but that performance advantage did come with a cost (don't you hate it when that happens?). The cost was a pretty significant one too: it was your privacy... When we think about what an OCSP request is, the request for the status of a very particular, single certificate, you may start to realise that you're leaking some information. When you send an OCSP request, you're basically asking the CA this:

soft fail revocation check. That is, the browser will try to do a revocation check, but if the response doesn't come back, or doesn't come back in a short period of time, the browser will simply forget about it. Even worse is that Chrome doesn't even do revocation checks, at all. Yes, you did read that right, Chrome doesn't even try to check the revocation status of certificates that it encounters -- Chrome calls theirs CRLSets and Firefox calls theirs OneCRL, and they curate lists of revoked certificates by combining available CRLs and selecting certificates from them to be included

OCSP Stapling is great and we should all support it on our sites, but do we honestly think an attacker is going to enable OCSP Stapling? No, I didn't think so, of course they aren't going to. What we need is a way to force the server to OCSP Staple, and this is what OCSP Must-Staple is for.

OCSP Expect-Staple, but I will give the TL;DR here. You request an addition to the HSTS preload list that asks the browser to send you a report if it isn't happy with the OCSP Staple. You can collect the reports yourself or use my service, report-uri.io, to do it for you, and you can learn exactly how often you would hit problems if you turned on OCSP Must-Staple.

see all certificates issued for my domain and you can search for your own, you can also use CertSpotter from sslmate to do the same and I use the Facebook Certificate Transparency Monitoring
ocsp  cybersecurity  ssl  tls  privacy  certificates  certificatetransparency 
may 2018 by bwiese
If anyone is wondering how much it costs per month to use AWS' RDS to maintain the state all
CertificateTransparency  from twitter_favs
march 2017 by FiloSottile
A monitoring service for Certificate Transparency
GitHub_Repos  CertificateTransparency 
december 2015 by GameGamer43
Dude, You Got Dell’d: Publishing Your Privates - Blog - Duo Security
We also found another certificate mishap on our Dell machine - an Atheros Authenticode certificate also shipped with the Bluetooth software. In the interest of full disclosure, we are including the eDellRoot private key we identified and the entire Atheros certificate bundle with this post.
Dell  TLS  SSL  x509  Zertifizierungsstelle  CA  CertificateTransparency  Superfish 
november 2015 by tj45
Superfish 2.0: Dangerous Certificate on Dell Laptops breaks encrypted HTTPS Connections - Hanno's blog
tl;dr Dell laptops come preinstalled with a root certificate and a corresponding private key. That completely compromises the security of encrypted HTTPS connections. I've provided an online check, affected users should delete the certificate.
Dell  TLS  SSL  x509  Zertifizierungsstelle  CA  CertificateTransparency  Superfish 
november 2015 by tj45
Certificate Transparency
Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system, which is the main cryptographic system that underlies all HTTPS connections. These flaws weaken the reliability and effectiveness of encrypted Internet connections and can compromise critical TLS/SSL mechanisms, including domain validation, end-to-end encryption, and the chains of trust set up by certificate authorities. If left unchecked, these flaws can facilitate a wide range of security attacks, such as website spoofing, server impersonation, and man-in-the-middle attacks.
CertificateTransparency  Google  Google_Certificate_Transparency  SSL  SSL_Certificates 
june 2015 by GameGamer43