I submitted a PR to fix a crash on startup for certstream-server https://github.com/CaliDog/certstream-server/pull/129 #certificatetransparency
Certificate Transparency in Firefox: A Big Step for Web Security — https://blog.transparency.dev/ct-in-firefox
#HackerNews #CertificateTransparency #Firefox #WebSecurity #CyberSecurity #TechNews
Currently trying to understand the Chrome / Chromium #CertificateTransparency Policy and why https://no-sct.badssl.com/ loads without NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED in Chrome/Chromium, contrary to what it did before (e.g. https://github.com/brave/brave-browser/issues/22482)
Today, our #WebPKI session 😍
If you weren't sleeping during the last decade, you know that @letsencrypt and #CertificateTransparency (CT) have revolutionized web security ⚡️
#pts24 will welcome no less than:
- Aaron Gable, #techlead at @letsencrypt
- Philippe Boneff, #techlead of #Google CT team
- and offensive research by Kévin Schouteeten & Paul Barbé from #Synacktiv on cert issuance in managed K8s environments.
IMHO, you shouldn't miss this session!
👉 REGISTER https://pretix.eu/passthesalt/2024/
Playing around with CT logging and found this. Lots of certificates registered every minute for the domain "dyingbirds.com". There's a hex string followed by a numeric value then .amdv.dyingbirds.com.
Furthermore, proofs of the produced software artifacts are written into a database similar to #certificateTransparency.
We have recently implemented this in #PrivateBin and it works great: https://github.com/PrivateBin/PrivateBin/issues/1169
Of course, in practice, people (especially software consumers) need to verify it for it to be worth the work.
Obviously, it's no magic bullet. It just raises the burden for an attacker. Obviously, the source code repo could be made to contain bad code, but you can no longer tamper at build time.
Anyone else just getting 502s when using crt.sh, searching for CT logs on domain names?
The index page works, although I'd argue with degraded performance. Any search on the site however does not.
Can someone confirm? Or is it just me?
Filippo has announced the #Sunlight #CertificateTransparency log design on ct-policy #CT https://groups.google.com/a/chromium.org/g/ct-policy/c/v9JzlbphYBs/m/kyQk4ZP6AAAJ
Let's Encrypt has also announced adopting Sunlight for new logs that we hope will be more scalable and dramatically less expensive: Sycamore, Willow, and our new test log, Twig: https://letsencrypt.org/2024/03/14/introducing-sunlight
I'll be attending the Real World Crypto Symposium in Toronto in two weeks time (#RWC), and after that, I'm once again co-organizing the Open Source Cryptography Workshop. (#OSCW2024)
I’ll also be real happy to talk about the new developments with the #Sunlight #CertificateTransparency log design, Let’s Encrypt’s new ACME Renewal Information (#ARI) draft specification, #CRLite, Rustls… all that stuff.
The Internet Last Week
* DigitalOcean services disruption
https://status.digitalocean.com/incidents/33vqf05m8396
* T-Mobile account services outage
https://www.bleepingcomputer.com/news/technology/major-t-mobile-outage-takes-down-account-access-mobile-app/
* US weather-related service disruptions
https://bfs.llc/@PowerOutageUS/111728282761278973
* Mammoth2024h1 CT logging resource-related disruption
https://groups.google.com/a/chromium.org/g/ct-policy/c/038B7F4g8cU
https://groups.google.com/a/chromium.org/g/ct-policy/c/_dhkSzwoZuE
#DigitalOcean #TMobile #Weather #Outage #CertificateTransparency
@mmeier And for anyone who wants to move away from wildcard certs and use actual hostnames, just be aware of #certificatetransparency. While it's overall a healthy thing for the internet, you could end up giving any would-be attacker a list of subdomains in your #homelab.
Recently I was digging into the outliers of DNS resolving from certificate transparency and there is a hostname which is often hardcoded, test.microsoftpki.net, but which is giving an NXDOMAIN. Checking the Passive DNS, the domain itself exists and seems to be registered on Microsoft infrastructure.
Any clue of the software or service at Microsoft generating certificates with an invalid domain for testing?
Weekend Reads:
* OpenPGP for app devs book https://openpgp.dev/book/
* Nagios XI vulnerabilities https://research.nccgroup.com/2023/12/13/technical-advisory-multiple-vulnerabilities-in-nagios-xi/
* Metro area network trends https://www.researchgate.net/publication/376111355_A_survey_of_trends_and_motivations_regarding_Communication_Service_Providers'_metro_area_network_implementations
* Certificate transparency systems https://educatedguesswork.org/posts/transparency-part-1/
* Tracking device anti-stalking analysis https://arxiv.org/abs/2312.07157
The #EU has reached an agreement on #eIDAS, rolling back the state of Internet security by 12 years, and by forcing browser vendors / root store operators to include government Root CA, disallowing #CertificateTransparency and making it illegal to fix (unless you can influence #ETSI, which is conveniently government friendly when it comes to surveillance).
This is bad. Really bad. It enables surveillance.
Technical background: https://scotthelme.co.uk/what-the-qwac/
@jabberati @jssfr @aslmx @debacle Thank you for complaining! I had no idea #Cloudflare did this. I have many of my corporate clients on there. I’ll have to pay more attention to https://crt.sh #CertificateTransparency
@chrysn That's an interesting, worthwhile take. One thing I learned from this is the advanced CAA configuration.
But from a usability perspective, strict #CertificateTransparency monitoring is probably the easier solution.
In case you missed it, here's my talk with Phil Porada from @letsencrypt on #SwiNOG38 about #CertificateTransparency and operating this critical internet infrastructure:
WordPress: Attacked already during installation
Even before the system goes live, attackers have often planted backdoors in it unnoticed. They show up at the door after only a few minutes.
#Backdoor #CertificateTransparency #Wordpress #Zertifikate #News
Pro tip: Monitor your LE certificates using Atom feeds:
Just subscribe to: https://crt.sh/atom?q=<domain you want to watch goes here>
And get all issued certificates for that domain right to your feed reader. Great and useful service with interesting results.
By the way, it might also be a good point to start using the `expect-ct` header:
https://scotthelme.co.uk/a-new-security-header-expect-ct/
#CertificateTransparency #infosec #monitoring #CA #certificates
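The monitoring idea in the post above, turned into code, as an added example that is not part of the original post or of crt.sh: parse an Atom feed of logged certificates and flag any hostname you did not issue yourself. The feed layout (certificate names one per line in each entry's title) and the feed contents are constructed assumptions, not a captured crt.sh response.

```python
"""Watch a crt.sh-style Atom feed for newly logged certificates and report
hostnames that are not on your own allowlist (the CT-monitoring idea
from the post above, as an added example). The entry layout and the
sample feed are constructed here, not taken from crt.sh."""
import re
import xml.etree.ElementTree as ET

ATOM_NS = {"a": "http://www.w3.org/2005/Atom"}

# Constructed sample feed: what a query for example.org might return.
SAMPLE_FEED = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>example.org</title>
  <entry>
    <id>1</id>
    <title>example.org
www.example.org</title>
    <updated>2024-03-01T10:00:00Z</updated>
  </entry>
  <entry>
    <id>2</id>
    <title>vpn.example.org</title>
    <updated>2024-03-02T10:00:00Z</updated>
  </entry>
</feed>"""

# Accepts plain and wildcard DNS names; anything else in a title is ignored.
HOSTNAME_RE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$")


def parse_feed(xml_text):
    """Return a list of (entry_id, [hostnames]) for every <entry> in the feed."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.findall("a:entry", ATOM_NS):
        entry_id = entry.findtext("a:id", default="", namespaces=ATOM_NS)
        title = entry.findtext("a:title", default="", namespaces=ATOM_NS)
        names = [n.strip().lower() for n in title.splitlines() if n.strip()]
        entries.append((entry_id, [n for n in names if HOSTNAME_RE.match(n)]))
    return entries


def unexpected_names(xml_text, expected):
    """Hostnames seen in the feed that you did not request a certificate for.
    A non-empty result is the signal to investigate the issuance."""
    expected = {e.lower() for e in expected}
    seen = set()
    for _, names in parse_feed(xml_text):
        seen.update(n for n in names if n not in expected)
    return sorted(seen)


if __name__ == "__main__":
    print(unexpected_names(SAMPLE_FEED, {"example.org", "www.example.org"}))
```

In practice you would replace SAMPLE_FEED with the body fetched from the crt.sh URL in the post and run the check on a schedule.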