hollow-moe a day ago

I'd bet they could absolutely proxy large parts of people and make use of these certs. I wonder how much CT logs are scrutinized; would these "rogue" certs be found easily because we can't find traces of them being generated by letsencrypt? Browsers check CRLs, but are they checking CT logs to ensure the cert they're checking was logged?

monerozcash a day ago | parent [-]

They couldn't do that at scale without being detected, no. There are various people actively looking for this, and the existing tooling makes it easy to detect.

>Browsers check CRLs, but are they checking CT logs to ensure the cert they're checking was logged?

Yes, all modern browsers require certificates to be in the CT logs in order for them to be accepted.

For example, we can easily pull up logs for gmail.com and see which certificates browsers would accept. https://api.certspotter.com/v1/issuances?domain=gmail.com&ex...
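
The kind of check the reply above refers to, as an added example that is not part of either comment: it scans CT issuance records for a watched domain and reports unexpired certificates whose issuer is not an expected CA. The record field names (`dns_names`, `issuer.caa_domains`, `not_after`) are an assumption about the JSON such an issuances endpoint returns, and the sample data, `example.com` and the allowlist are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample records (assumed response shape; all values are made up).
SAMPLE = json.loads("""[
 {"id": "1001", "dns_names": ["example.com", "www.example.com"],
  "issuer": {"friendly_name": "Let's Encrypt", "caa_domains": ["letsencrypt.org"]},
  "not_after": "2025-04-10T00:00:00Z"},
 {"id": "1002", "dns_names": ["mail.example.com"],
  "issuer": {"friendly_name": "Unknown CA", "caa_domains": ["unknown-ca.example"]},
  "not_after": "2025-06-01T00:00:00Z"},
 {"id": "1003", "dns_names": ["*.example.com"],
  "issuer": {"friendly_name": "Unknown CA", "caa_domains": ["unknown-ca.example"]},
  "not_after": "2024-03-01T00:00:00Z"},
 {"id": "1004", "dns_names": ["notexample.com"],
  "issuer": {"friendly_name": "Unknown CA", "caa_domains": ["unknown-ca.example"]},
  "not_after": "2025-06-01T00:00:00Z"},
 {"id": "1005", "dns_names": ["*.example.com"],
  "issuer": {"friendly_name": "Nameless CA", "caa_domains": null},
  "not_after": "2025-05-01T00:00:00Z"}
]""")

def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2025-04-10T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def covers(name, domain):
    """True if a certificate name (possibly a wildcard) falls under the watched domain."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Require a label boundary so notexample.com does not match example.com.
    return name == domain or name.endswith("." + domain)

def unexpected_issuances(issuances, domain, allowed_caa_domains, now):
    """Return unexpired issuances for the domain whose issuer is not on the allowlist."""
    allowed = {d.lower() for d in allowed_caa_domains}
    findings = []
    for rec in issuances:
        if not any(covers(n, domain) for n in rec.get("dns_names") or []):
            continue
        if parse_ts(rec["not_after"]) <= now:
            continue  # expired: browsers would already reject it
        issuer = rec.get("issuer") or {}
        caa = {d.lower() for d in issuer.get("caa_domains") or []}
        if caa & allowed:
            continue  # issued by a CA the domain owner expects
        findings.append((rec["id"], issuer.get("friendly_name", "?")))
    return findings
```

An issuer with no CAA identifier at all is treated as unexpected rather than skipped, so a missing field cannot hide a record.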