How Certificate Transparency Logs Fail and Why It's OK

from blog Andrew Ayer - Blog, | ↗ original
Last week, a Certificate Transparency log called Yeti 2022 suffered a single bit flip, likely due to a hardware error or cosmic ray, which rendered the log unusable. Although this event will have zero impact on Web users and website operators, and was reported on an obscure mailing list for industry insiders, it captured the interest of people on Hacker News, Twitter, and...
This is a short summary. ↗ Open original to view full content

Related

This keeps happening: TLS expiry
Forkcasting | original ↗
The Story Behind Last Week's Let's Encrypt Downtime
Andrew Ayer - Blog | original ↗
The SSL Certificate Issuer Field is a Lie
Andrew Ayer - Blog | original ↗
Checking if a Certificate is Revoked: How Hard Can It Be?
Andrew Ayer - Blog | original ↗
These Three Companies Are Doing the Internet a Solid By Running Certificate Transparency Logs
Andrew Ayer - Blog | original ↗
How will Certificate Transparency Logs be Audited in Practice?
Andrew Ayer - Blog | original ↗
The browsers biggest TLS mistake
benjojo blog | original ↗
0031: 2022, systems distributed, random ids, deleting tombstones, disorderly compaction, juggling blocks, code review woes, holiday shutdown, searching for implementors, everything is copy, sharing the page cache after fysncgate, 9/10 climbers, rise and fall of peer review, real-world concurrency
Scattered Thoughts | original ↗
0007: yet more internal consistency, re: how safe is zig, async performance, local-first software, fuzzers and emulators, deterministic hardware counters, zig goto
Scattered Thoughts | original ↗
How a broken memory module hid in plain sight
Christian Hollinger | original ↗

More from Andrew Ayer - Blog

The Story Behind Last Week's Let's Encrypt Downtime
22 Jun 2023 | original ↗

Last Thursday (June 15th, 2023), Let's Encrypt went down for about an hour, during which time it was not possible to obtain certificates from Let's Encrypt. Immediately prior to the outage, Let's Encrypt issued 645 certificates which did not work in Chrome or Safari. In this post, I'm going to explain what went wrong and how I detected it. The Law of...

The Difference Between Root Certificate Authorities, Intermediates, and Resellers
18 Jun 2023 | original ↗

It happens every so often: some organization that sells publicly-trusted SSL certificates does something monumentally stupid, like generating, storing, and then intentionally disclosing all of their customers' private keys (Trustico), letting private...

The SSL Certificate Issuer Field is a Lie
18 Jan 2023 | original ↗

A surprisingly hard, and widely misunderstood, problem with SSL certificates is figuring out what organization (called a certificate authority, or CA) issued a certificate. This information is useful for several reasons: You've discovered an unauthorized certificate for your domain via Certificate Transparency logs and need to contact the certificate authority to get the certificate revoked.You've discovered a certificate via Certificate Transparency...

whoarethey: Determine Who Can Log In to an SSH Server
10 Jan 2023 | original ↗

Filippo Valsorda has a neat SSH server that reports the GitHub username of the connecting client. Just SSH to whoami.filippo.io, and if you're a GitHub user, there's a good chance it will identify you. This works because of two behaviors: First, GitHub publishes your authorized public keys at https://github.com/USERNAME.keys. Second, your SSH client sends the server the...

No, Google Did Not Hike the Price of a .dev Domain from $12 to $850
12 Dec 2022 | original ↗

It was perfect outrage fodder, quickly gaining hundreds of upvotes on Hacker News: As you know, domain extensions like .dev and .app are owned by Google. Last year, I bought the http://forum.dev domain for one of our projects. When I tried to renew it this year, I was faced with a renewal price of $850 instead of the normal price of $12. It's true that most .dev...