Post AWAdQvVoU3a7ABaAaG by x_cli@infosec.exchange
Post #AWAZXpdQKlpT96BB8y by mjg59@nondeterministic.computer
2023-05-30T04:33:37Z
0 likes, 0 repeats
How is "But what if a CA is subverted" still part of the discourse when most browsers validate CT signatures?
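As an added illustration (not code from anyone in this thread) of what "validating CT signatures" starts with: parsing the SCT list a certificate carries and applying a simplified version of a browser CT policy. It assumes the raw TLS-encoded SignedCertificateTimestampList from RFC 6962 (the contents of the X.509 SCT extension's OCTET STRING), uses constructed log IDs and a dummy signature, and stops short of verifying each log's signature, which would need the log's public key.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList and apply a simplified CT policy."""
from collections import namedtuple
SCT = namedtuple("SCT", "log_id timestamp_ms extensions hash_alg sig_alg signature")  # algs: TLS codes, 4 = sha256, 3 = ecdsa

def _take(buf, pos, n):
    if pos + n > len(buf):               # fail loudly on short input instead of reading garbage
        raise ValueError("truncated SCT data")
    return buf[pos:pos + n], pos + n

def parse_sct(raw):
    version, pos = _take(raw, 0, 1)
    if version != b"\x00":              # only v1 SCTs are defined
        raise ValueError("unsupported SCT version")
    log_id, pos = _take(raw, pos, 32)   # SHA-256 of the log's public key
    ts, pos = _take(raw, pos, 8)        # milliseconds since the Unix epoch
    ext_len, pos = _take(raw, pos, 2)
    ext, pos = _take(raw, pos, int.from_bytes(ext_len, "big"))
    algs, pos = _take(raw, pos, 2)
    sig_len, pos = _take(raw, pos, 2)
    sig, pos = _take(raw, pos, int.from_bytes(sig_len, "big"))
    if pos != len(raw):
        raise ValueError("trailing bytes after SCT")
    return SCT(log_id, int.from_bytes(ts, "big"), ext, algs[0], algs[1], sig)

def parse_sct_list(raw):
    """Outer 2-byte length, then each SCT as a 2-byte length plus its bytes."""
    total, pos = _take(raw, 0, 2)
    body, _ = _take(raw, pos, int.from_bytes(total, "big"))
    scts, pos = [], 0
    while pos < len(body):
        n, pos = _take(body, pos, 2)
        one, pos = _take(body, pos, int.from_bytes(n, "big"))
        scts.append(parse_sct(one))
    return scts

def meets_policy(scts, trusted_log_ids, min_logs=2):
    """Simplified policy: SCTs from at least min_logs distinct trusted logs (no signature check)."""
    return len({s.log_id for s in scts if s.log_id in trusted_log_ids}) >= min_logs

def encode_sct(log_id, ts_ms):
    """Constructed fixture: v1 SCT, no extensions, sha256/ecdsa, dummy signature bytes."""
    sig = b"\x30\x03\x02\x01\x01"  # placeholder, not a real ECDSA signature
    return (b"\x00" + log_id + ts_ms.to_bytes(8, "big") + b"\x00\x00"
            + b"\x04\x03" + len(sig).to_bytes(2, "big") + sig)

def build_sct_list(encoded):
    body = b"".join(len(s).to_bytes(2, "big") + s for s in encoded)
    return len(body).to_bytes(2, "big") + body

LOG_A, LOG_B, LOG_X = bytes([0xA1]) * 32, bytes([0xB2]) * 32, bytes([0xEE]) * 32  # constructed IDs
TRUSTED = {LOG_A, LOG_B}  # stand-in for a browser's known-log list; LOG_X is untrusted
SAMPLE = build_sct_list([encode_sct(LOG_A, 1685421217000), encode_sct(LOG_B, 1685421218000)])
```

A certificate whose SCTs all come from one log, or from a log the client does not know, fails the policy even though every SCT parses cleanly; that distinction is the whole point of the browser check.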
Post #AWAZipaqpR0ICcDkoq by mjg59@nondeterministic.computer
2023-05-30T04:34:03Z
0 likes, 0 repeats
Is everyone just entirely unaware of the past decade of work in this field?
Post #AWAZxpCCaZsPJTqCW0 by liw@toot.liw.fi
2023-05-30T04:38:46Z
0 likes, 0 repeats
@mjg59 "Is everyone unaware..." is almost always true. As far as I'm aware.
Post #AWAa5h28otn2Jat3aK by lazarus7@infosec.exchange
2023-05-30T04:39:51Z
0 likes, 0 repeats
@mjg59 likely yes
Post #AWAaGOFsyfj9GDPtYW by womble@infosec.exchange
2023-05-30T04:42:16Z
0 likes, 0 repeats
@mjg59 possibly because CT doesn't stop baddies from doing bad things, it only provides more evidence we can point and laugh at on m.d.s.p in the weeks afterwards. It increases the costs for anyone who wants to acquire or set up a CA for the express purpose of Doing Shenanigans, but doesn't eliminate the risk of subversion.
Post #AWAaVCMLUKM0i5V14i by e_nomem@hachyderm.io
2023-05-30T04:44:46Z
0 likes, 0 repeats
@mjg59 But what if the CA is subverted _and_ multiple CT logs are modified to emit SCTs without appending them to the log _and_ the log monitors turn a blind eye? What then huh?! /s
Post #AWAbuCffZApcs21c4O by trekistheway@mastodon.social
2023-05-30T05:00:31Z
0 likes, 0 repeats
@mjg59 I am not aware of any progress.
Post #AWAc3wBlhZneeCgGJs by thinkpanzer@infosec.exchange
2023-05-30T05:01:38Z
0 likes, 0 repeats
@mjg59 You just violated Betteridge's law. Points will have to be deducted.
Post #AWAdQvVoU3a7ABaAaG by x_cli@infosec.exchange
2023-05-30T05:17:36Z
0 likes, 0 repeats
@mjg59 Browsers do check these signatures. Do most domain owners check the logs for their domains? Absolutely not. Precisely because they never heard of CT :/ If the log is not read by the domain owners, CA subversion is an issue. Someone targeting "smaller" targets than the GAFAM and main CDNs will probably go undetected for years.
Post #AWAdh4iW1nWELSDwrA by glyph@mastodon.social
2023-05-30T05:20:36Z
0 likes, 0 repeats
@mjg59 in fairness it’s punishingly difficult for application programmers to keep up to date on this stuff. I believe I am in the top decile of app-level people trying to keep an eye on infosec more broadly and TLS in particular, since I’ve always got one foot in infrastructure-land, but even I am constantly getting surprised by new developments that have apparently been old hat for 3-4 years. (This one I did know though.)
Post #AWAfGkHHb86XKi3iC0 by djcapelis@hachyderm.io
2023-05-30T05:38:04Z
0 likes, 0 repeats
@mjg59 All true, but I also remember how many months/years it took to ratify, impose, and update all the various devices to recognize the last agreed upon penalty for CA misconduct.
Post #AWAg9KiwJAwO0R1a7M by matt@mastodon.bitcoin.ninja
2023-05-30T05:42:25Z
1 like, 0 repeats
@x_cli @mjg59 last I searched there aren’t any free options that will send me an email when someone registers a cert for one of my domains. To me that makes CT functionally useless.
Post #AWAg9M4bI7rUBuAOWG by matt@mastodon.bitcoin.ninja
2023-05-30T05:44:07Z
1 like, 0 repeats
@x_cli @mjg59 notably there’s about four sites that claim to offer this, three didn’t work or didn’t let me sign up when I tested, and one was Facebook, which doesn’t send you an email but a *facebook message* as a notice. I didn’t bother to test Facebook cause that’s just lulz.
Post #AWAgn2512rsnlZHShU by x_cli@infosec.exchange
2023-05-30T05:54:49Z
0 likes, 0 repeats
@matt I believe you might want to look into this: https://github.com/SSLMate/certspotter
Post #AWAgn2i0ht4hiVWbTs by matt@mastodon.bitcoin.ninja
2023-05-30T05:55:46Z
1 like, 0 repeats
@x_cli “30 day free trial”. I don’t think that meets my criteria?
Post #AWAp3MsEIkrWWWbHMG by Specialist_Being_677@hachyderm.io
2023-05-30T07:27:53Z
0 likes, 0 repeats
@mjg59 evergreen toot
Post #AWAqy6RWABro1aitpA by sima@chaos.social
2023-05-30T07:49:19Z
0 likes, 0 repeats
@mjg59 since I had no idea, I googled a bit, and after a few mishits I think I figured it out. It looks like Firefox doesn't validate these CT chains? https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency
Post #AWAsBfRVRibQIFkXkO by mjg59@nondeterministic.computer
2023-05-30T08:03:02Z
0 likes, 0 repeats
@sima Yeah Firefox is way behind the state of the art here :(
Post #AWAsuRHuv4NnQOc5Cq by krono@toot.berlin
2023-05-30T08:10:59Z
0 likes, 0 repeats
@mjg59 Yes, for any given value of either "past decade" or "field"
Post #AWAt2mH4mBu0pVCDAm by sima@chaos.social
2023-05-30T08:11:54Z
0 likes, 0 repeats
@mjg59 uh yeah some wiki with plans to implement CT, last edit in ...2014😒
Post #AWAzXMHo37HWvlVEcy by Foxboron@chaos.social
2023-05-30T09:25:06Z
0 likes, 0 repeats
@mjg59 @sima Is there any other browser than Chrome/Chromium-based ones that does the CT validation at this point?
Post #AWBToNsSNraTPggF9c by tqbf@infosec.exchange
2023-05-30T15:03:26Z
0 likes, 0 repeats
@mjg59 The trick in these threads is not to assume good faith, give only as much information as is needed, and let everybody else fill in the blanks. :)
Post #AWBY3aqErhHFmW9OqG by mjg59@nondeterministic.computer
2023-05-30T15:51:48Z
0 likes, 0 repeats
@Foxboron @sima Safari
Post #AWBZuNpfaeJ9ciX3Pk by mjg59@nondeterministic.computer
2023-05-30T16:12:45Z
0 likes, 0 repeats
@tqbf somewhat surprisingly I posted this before noticing that thread
Post #AWBa4V0fl8f4mPVC76 by Foxboron@chaos.social
2023-05-30T16:13:14Z
0 likes, 0 repeats
@mjg59 @sima Ahh, I forget Safari exists
Post #AWBacau2M7SIu0ekGe by mjg59@nondeterministic.computer
2023-05-30T16:20:43Z
0 likes, 0 repeats
@Foxboron @sima Chromium-derived + Safari is over 90% of the market (sadly), so it really is supported by most browsers in use
Post #AWBbOrmktF1FA9Ggwy by Foxboron@chaos.social
2023-05-30T16:28:59Z
0 likes, 0 repeats
@mjg59 @sima Yes, I'm totes on board with that metric. I was just unaware that Safari had support for this :)
Post #AWCJFvR2La7XrJel96 by undefinedgenderexception@eldritch.cafe
2023-05-31T00:40:28Z
0 likes, 0 repeats
@mjg59 Uhhh, thanks for the heads up. A paper I’m writing rn just got updated to reflect this.