Certificate Transparency Efficacy

The cluster discusses Certificate Transparency (CT) as a mechanism to detect and mitigate misissued certificates by rogue or non-compliant Certificate Authorities (CAs), including related tools like CAA records and browser enforcement policies.

Trend: ➡️ Stable (0.6x), Security
Comments: 5,661
Years Active: 19
Top Authors: 5
Topic ID: #7702

Activity Over Time

Year  Comments
2008  13
2009  7
2010  31
2011  138
2012  83
2013  212
2014  478
2015  485
2016  585
2017  483
2018  342
2019  307
2020  523
2021  235
2022  435
2023  439
2024  362
2025  486
2026  17

Keywords

StartCom, US, SNI, KZ, HSTS, PKI, mozilla.org, ISCA, googleblog.com, DNS, certificate transparency, certificates, cas, ct, ca, logs, certs, cert, browser

Sample Comments

CommanderData, Jan 21, 2022

Certificate transparency doesn't solve this issue fully.

cjbprime, Aug 29, 2023

So the answer is no, you are unfamiliar with Certificate Transparency. You should check it out! It basically solved this problem a long time ago.

bananapub, Oct 21, 2023

yes? this is a well-known problem, which is why CAA-ACME etc and certificate transparency logs exist.

bouk, Nov 3, 2017

At some point browsers will stop allowing certificates that are not logged through CT

zifnab06, Aug 23, 2019

I believe most (if not all) current browsers require public CAs to use a certificate transparency service to prevent this.

eledra, Nov 3, 2017

There is Certificate Transparency for that problem. It is still a work in progress, though.

pornel, Aug 6, 2018

This is being fixed:
• You can use CAA DNS records to choose which CAs can create certs for your domain.
• You can watch Certificate Transparency logs to catch CAs that didn't obey.
AFAIK both are becoming mandatory for CAs. It doesn't technically stop violations, but ensures they get caught and shut down if they fail to obey the rules (like StartCom and Symantec).
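As an added example (not from the thread or any HN poster), the two mechanisms pornel describes in Python: the RFC 8659 CAA lookup and matching logic run over a constructed zone, then a check of constructed CT-log observations against it. The zone contents, hostnames and CA domains are assumptions made for the example.

```python
from typing import Dict, List, Tuple

CRITICAL = 128  # CAA issuer-critical flag bit (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data (not real DNS): name -> [(flags, tag, value), ...]
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com": [(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
                    (0, "issuewild", ";"),   # empty issuer: no wildcard issuance
                    (0, "iodef", "mailto:security@example.com")],
    "legacy.example.com": [(0, "issue", "digicert.com")],
}

def relevant_caa(name: str) -> List[Tuple[int, str, str]]:
    """Walk from name toward the root and return the first CAA RRset found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONE:
            return ZONE[candidate]
    return []

def issuer_of(value: str) -> str:
    """Issuer domain name from a CAA value, ignoring parameters after ';'."""
    return value.split(";", 1)[0].strip().lower()

def is_authorized(fqdn: str, ca: str) -> bool:
    """True if CA domain `ca` may issue for fqdn under the relevant CAA RRset."""
    wildcard = fqdn.startswith("*.")
    records = relevant_caa(fqdn[2:] if wildcard else fqdn)
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False  # unknown critical property: issuer must refuse
    tag = "issuewild" if wildcard else "issue"
    rules = [v for _, t, v in records if t == tag]
    if wildcard and not rules:  # no issuewild: issue records govern wildcards
        rules = [v for _, t, v in records if t == "issue"]
    if not rules:
        return True  # no issuance-restricting records: unrestricted
    return ca.lower() in {issuer_of(v) for v in rules}

# Constructed CT observations: (certificate name, issuing CA domain).
OBSERVED = [("www.example.com", "letsencrypt.org"),
            ("*.example.com", "letsencrypt.org"),
            ("legacy.example.com", "digicert.com"),
            ("api.example.com", "other-ca.example")]

def unauthorized_issuances(entries):
    """CT entries whose issuer is not permitted by the current CAA policy."""
    return [e for e in entries if not is_authorized(*e)]
```

CAA is evaluated by the CA at issuance time, so a mismatch on a certificate seen later in CT is a lead to investigate rather than proof of misissuance, since the records may have changed in between.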

m-p-3, Dec 7, 2020

The browser vendors could stop trusting O=ISCA, C=KZ entirely.

yrro, Aug 7, 2019

Perhaps OS and browser vendors should push out updates that blacklist the certificate?

akerl_, May 30, 2023

In addition to what nickf said in the parallel comment, CAs have committed to CT logging as part of being included in browser trust stores. If anyone were to find and report any certificates issued by those CAs via their trusted certificates that were not in CT logs, that would be strong evidence for browsers to remove them from the trust stores, which would essentially destroy their company.