
CAs currently run on the assumption that the underlying internet is... somewhat fine.

FWIW, Let's Encrypt does multi-perspective validation, but it is not a requirement currently.

The best thing to do as a site owner is to regularly check CT logs or use a service that does that for you.
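A minimal version of that CT check, as an added example that is not part of the original thread or of any CT monitoring service: it reads crt.sh-style JSON (the record fields assumed here, issuer_name, name_value, not_before, not_after and serial_number, mirror what crt.sh's JSON output returns; the sample records are constructed for this example and are not real certificates), collapses the precert/final-cert pairs that CT logs contain for one issuance, ignores expired entries, and flags any unexpired certificate whose issuer or names the site owner does not recognise. The allowlists EXPECTED_ISSUERS and OWNED_NAMES and the fixed NOW clock are assumptions for the example; in practice you would feed it the output of a scheduled crt.sh or CT monitor query.

```python
"""Minimal CT-log monitor over crt.sh-style JSON output (added example, not from the thread).

Record shape assumed to match crt.sh JSON output (issuer_name, name_value,
not_before, not_after, serial_number); the sample data is constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample: what a site owner might pull for example.com.
SAMPLE_CT_JSON = json.dumps([
    # 1. Our own Let's Encrypt cert, logged as precert and as final cert
    #    (same serial), so it appears twice.
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T00:00:00",
     "serial_number": "04a1b2c3d4e5f60718293a4b5c6d7e8f9a01"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T00:00:00",
     "serial_number": "04a1b2c3d4e5f60718293a4b5c6d7e8f9a01"},
    # 2. A cert from a CA we never used: the case the thread is worried about.
    {"id": 103, "issuer_name": "C=XX, O=Unexpected CA Ltd, CN=Unexpected CA R1",
     "name_value": "example.com",
     "not_before": "2024-04-10T00:00:00", "not_after": "2025-04-10T00:00:00",
     "serial_number": "0f0e0d0c0b0a09080706050403020100ff"},
    # 3. Right CA, but a name we never requested.
    {"id": 104, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "vpn.example.com",
     "not_before": "2024-04-12T00:00:00", "not_after": "2024-07-11T00:00:00",
     "serial_number": "0311223344556677889900aabbccddeeff"},
    # 4. A long-expired cert from a CA we used years ago: noise, not a finding.
    {"id": 105, "issuer_name": "C=US, O=Old CA Inc, CN=Old CA G2",
     "name_value": "example.com",
     "not_before": "2019-01-01T00:00:00", "not_after": "2020-01-01T00:00:00",
     "serial_number": "00deadbeef"},
])

# What the site owner knows about its own issuance (assumed for this example).
EXPECTED_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3"}
OWNED_NAMES = {"example.com", "www.example.com"}
# Fixed clock so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 4, 15, tzinfo=timezone.utc)


def parse_ct_records(raw_json):
    """Parse crt.sh-style JSON into dicts, collapsing precert/cert duplicates by (issuer, serial)."""
    seen = {}
    for rec in json.loads(raw_json):
        key = (rec["issuer_name"], rec["serial_number"])
        if key in seen:
            continue
        seen[key] = {
            "id": rec["id"],
            "issuer": rec["issuer_name"],
            "names": set(rec["name_value"].split("\n")),
            "not_before": datetime.fromisoformat(rec["not_before"]).replace(tzinfo=timezone.utc),
            "not_after": datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc),
            "serial": rec["serial_number"],
        }
    return list(seen.values())


def find_unexpected(records, expected_issuers, owned_names, now):
    """Return (serial, reason) for every unexpired cert the owner did not expect."""
    findings = []
    for rec in records:
        if rec["not_after"] < now:
            continue  # expired: historical noise, not an active threat
        if rec["issuer"] not in expected_issuers:
            findings.append((rec["serial"], "unexpected issuer: " + rec["issuer"]))
            continue
        extra = rec["names"] - owned_names
        if extra:
            findings.append((rec["serial"], "unexpected names: " + ", ".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for serial, reason in find_unexpected(parse_ct_records(SAMPLE_CT_JSON),
                                          EXPECTED_ISSUERS, OWNED_NAMES, NOW):
        print(f"ALERT serial={serial}: {reason}")
```

Run against the sample, it alerts on the cert from the unknown CA and on the unrequested vpn.example.com name, and stays quiet about the duplicate precert entry and the expired legacy cert. Tightening the name check to exact SANs rather than "anything under example.com" is deliberate: a mis-issued certificate for a hostname you never asked for is exactly the signal you want.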



I'm not sure CT logs would help in practice. Assuming a site owner religiously monitors CT logs (who actually does that?), notices a cert they didn't mean to issue, and then issues a CRL or OCSP change (do most people even know how to do that?), the client application has to download the lists and respect it, and many (most?) clients do not.

The site owner may know about the compromised cert, but the users/clients will be blissfully ignorant and unable to do anything about it.


There are initiatives to make certificate revocation better.

As of now, the world's most popular browser does not support OCSP. So revoking a cert kinda has no impact on Chrome.

As we go forward, CRLite is going to be required by Apple around October of this year. It's probably our current best option for browsers to use.

But yeah, you're not wrong. At the very least it would give you an idea that you were targeted and give you an idea that you need to plan for DR.



