Talk:Certificate Transparency


https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/wHILiYf31DE/iMFmpMEkAQAJ

O'Brien, Devon (7 February 2018). "Certificate Transparency Enforcement in Google Chrome". Google Groups. Retrieved 18 December 2019. — Preceding unsigned comment added by Zabuch (talk | contribs) 11:34, 20 December 2021 (UTC)

The link is available. Shoeper (talk) 00:40, 24 February 2022 (UTC)


Hello fellow Wikipedians,

I have just added archive links to one external link on Certificate Transparency. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true to let others know.

An editor has reviewed this edit and fixed any errors that were found.

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers. —cyberbot II (Talk to my owner: Online) 17:22, 31 December 2015 (UTC)

Shall we mention the header Expect-CT?


Not sure whether the Expect-CT header is in scope, but HTTP Public Key Pinning has a link named "Expect-CT" to this article. Readers may get confused when clicking that link only to see nothing about Expect-CT. --Franklin Yu (talk) 18:52, 31 October 2018 (UTC)

I think it would be useful. Shoeper (talk) 00:42, 24 February 2022 (UTC)

According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT, this header is deprecated as it was once a way to opt in to Certificate Transparency. Now, most browsers support CT by default. The Expect-CT header was only supported by Chromium-based browsers. Tim (talk) 01:11, 1 September 2024 (UTC)

Incorrect information: CT is not a competing technology to OCSP


The Advantages section says that "Certificate Transparency does not require side channel communication to validate certificates as do some competing technologies such as Online Certificate Status Protocol (OCSP)".

CT is a "who watches the watchers" mechanism to monitor certs issued by CAs and notice fraudulent ones faster (so they can then be revoked). OCSP is a mechanism for a CA to tell a browser when a certificate is revoked. These are not competing, in fact they are complementary.

And yes, I'm aware that in their 2017 deprecation notice / talk for HPKP, Google urged people to migrate to CT instead. While they both increase trust in certificates and reduce fraud in general, I don't really agree that they solve the same technical problem :P

I agree. It's also a little bit misleading, as CT does not provide any means of revocation; it only helps a site owner to identify illegitimate certificates. Shoeper (talk) 00:48, 24 February 2022 (UTC)

Is side channel communication necessary to benefit from CT ?


The article reads: Certificate Transparency does not require side channel communication to validate certificates.
I doubt the validity of this unsourced statement:
If a CA was silently compromised and a fraudulent SSL certificate created and used by a hacker in the middle of the communication, that fact can only become known to the client browser if it checks the CRL (which would yield no revocation yet because the CA compromise is still unnoticed) and the CT log (which would miss the expected hash and cause the client browser to reject the fraudulent certificate). This means the client browser must contact the CRL server and the CT log server, which makes two side channel communications.
Am I in error with this argument, or is the cited statement really wrong? -- Juergen 94.134.41.237 (talk) 16:03, 8 October 2020 (UTC)

You are right. Shoeper (talk) 00:49, 24 February 2022 (UTC)

Statement in lead


Hello @WikiLinuz:, you recently reverted one of my edits without any explanation. In my original edit I replaced the following text:

As of 2021, Certificate Transparency is mandatory for all publicly trusted TLS certificates, but not other types of certificates.[1][2]

and instead wrote

Google Chrome requires Certificate Transparency for all publicly trusted TLS certificates issued after April 2018.[2]
  1. ^ Call, Ashley (2015-06-03). "Certificate Transparency: FAQs | DigiCert Blog". DigiCert. Retrieved 2021-04-13.
  2. ^ a b O'Brien, Devon (7 February 2018). "Certificate Transparency Enforcement in Google Chrome". Google Groups. Retrieved 18 December 2019.

My reasoning was:

1. I removed DigiCert source because it actually directly contradicts the sentence (in either variation). This is because the source is from 2015 and stuff changed since then. Removal of old sources is consistent with Wikipedia:OLDSOURCES.
2. I directly referred to Google Chrome because it is the actual browser described in the only provided reliable source. Other browsers behave slightly differently, as described here.
3. I added "issued after April 2018" because that is how Google Chrome does it: it does not require CT for certificates issued before the new rules took effect. In fact, there are still some TLS certificates used in the wild which are not CT compliant. These certificates were issued prior to 30 April 2018 with a 5-year validity period and will be valid until 2023.
4. I removed "but not other types of certificates" because this implies no other types of certificates use CT. This is false because CT can accommodate any kind of certificates, including code signing, document signing, email signing, client identity, etc. Some companies run internal CT logs; yes, these logs might be less known by general public because they are not listed in CCADB, but they still exist.

Could you please clarify why you reverted the edit? Was it a mistake? Can I change it back? Anton.bersh (talk) 20:42, 14 February 2022 (UTC)

Actually, that sentence is currently wrong. It is not required for all public certificates. Only Edge, Apple and Google Chrome check it. Neither the CA/Browser Forum requires it, nor does Firefox check or require it. (Regarding Apple, see https://support.apple.com/en-us/HT205280) --Shoeper (talk) 14:20, 22 February 2022 (UTC)
Yes, Shoeper, of course the lead is currently wrong because it is too general. I tried to fix it by making it specifically about Google Chrome, using sources about Google Chrome. Anton.bersh (talk) 14:38, 22 February 2022 (UTC)
I'm just trying to support your argument. I came to the discussion page because of the false statement in the page. Browser CT checking can be tested at https://no-sct.badssl.com/ (browsers checking CT reject the connection, others connect). — Preceding unsigned comment added by Shoeper (talk | contribs) 15:40, 22 February 2022 (UTC)
Thanks for the clarification; I was confused about which sentence you were referring to when you said "Actually that sentence is currently wrong." Also, I can update the article to include information about Edge, Firefox, and Safari. Anton.bersh (talk) 17:36, 22 February 2022 (UTC)
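Two threads above discuss what a browser actually does with CT: the "side channel" question (whether a client must contact a log to benefit from CT) and the "issued after 30 April 2018" cut-off that Chrome applies, which the no-sct.badssl.com test host exercises. The following worked example, added here by the editor and not code from the Wikipedia article or from any browser, shows the part of that check a client can perform offline: it parses the RFC 6962 SignedCertificateTimestampList that a CA embeds in the certificate (X.509 extension OID 1.3.6.1.4.1.11129.2.4.2) and applies a deliberately simplified Chrome-style rule. The rule, the date constant, the dummy log ID and the signature bytes are assumptions made for the example; real policy additionally counts SCTs from distinct logs and verifies each SCT signature against the log's public key, which the client already carries in its log list.

```python
"""Parse embedded SCTs (RFC 6962 section 3.3) and apply a simplified CT rule.

Editor's example; assumptions are marked as such in comments.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Assumption: Chrome's cut-off as cited in the thread (certificates issued on
# or after this date must carry SCTs; older ones are not checked).
CT_ENFORCEMENT_START = datetime(2018, 4, 30, tzinfo=timezone.utc)

# X.509 extension that carries the embedded SCT list (RFC 6962 section 3.3).
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"


@dataclass(frozen=True)
class SCT:
    version: int        # 0 == v1
    log_id: bytes       # SHA-256 of the log's public key, 32 bytes
    timestamp_ms: int   # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int       # TLS HashAlgorithm id (4 == sha256)
    sig_alg: int        # TLS SignatureAlgorithm id (3 == ecdsa)
    signature: bytes


def _u16(buf: bytes, off: int) -> int:
    """Read a big-endian uint16, refusing to run past the buffer."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    return struct.unpack(">H", buf[off:off + 2])[0]


def parse_sct(data: bytes) -> SCT:
    """Decode one serialized SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if len(data) < 43:
        raise ValueError("SCT too short")
    version = data[0]
    if version != 0:
        raise ValueError(f"unsupported SCT version {version}")
    log_id = data[1:33]
    timestamp_ms = struct.unpack(">Q", data[33:41])[0]
    ext_len = _u16(data, 41)
    extensions = data[43:43 + ext_len]
    if len(extensions) != ext_len:
        raise ValueError("truncated extensions")
    off = 43 + ext_len
    if off + 4 > len(data):
        raise ValueError("truncated DigitallySigned header")
    hash_alg, sig_alg = data[off], data[off + 1]
    sig_len = _u16(data, off + 2)
    signature = data[off + 4:off + 4 + sig_len]
    if len(signature) != sig_len or off + 4 + sig_len != len(data):
        raise ValueError("bad signature length")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(data: bytes) -> List[SCT]:
    """Decode a SignedCertificateTimestampList: uint16 total length, then a
    sequence of uint16-length-prefixed serialized SCTs."""
    total = _u16(data, 0)
    body = data[2:2 + total]
    if len(body) != total or 2 + total != len(data):
        raise ValueError("bad list length")
    scts, off = [], 0
    while off < len(body):
        n = _u16(body, off)
        item = body[off + 2:off + 2 + n]
        if len(item) != n:
            raise ValueError("truncated SCT entry")
        scts.append(parse_sct(item))
        off += 2 + n
    return scts


def encode_sct_list(scts: List[SCT]) -> bytes:
    """Inverse of parse_sct_list; used here only to build the constructed sample."""
    items = []
    for s in scts:
        body = (bytes([s.version]) + s.log_id + struct.pack(">Q", s.timestamp_ms)
                + struct.pack(">H", len(s.extensions)) + s.extensions
                + bytes([s.hash_alg, s.sig_alg])
                + struct.pack(">H", len(s.signature)) + s.signature)
        items.append(struct.pack(">H", len(body)) + body)
    inner = b"".join(items)
    return struct.pack(">H", len(inner)) + inner


def ct_verdict(not_before: datetime, sct_list: Optional[bytes]) -> str:
    """Simplified Chrome-style decision. Assumption: one well-formed embedded
    SCT counts as compliant; no signature check is performed here."""
    if not_before < CT_ENFORCEMENT_START:
        return "not-enforced"   # legacy certificate, CT not required
    if sct_list is None:
        return "reject"         # what a CT-checking browser does at no-sct.badssl.com
    try:
        scts = parse_sct_list(sct_list)
    except ValueError:
        return "reject"         # malformed extension is treated as absent
    return "accept" if scts else "reject"


# Constructed sample: a fake v1 SCT with a dummy log ID and dummy signature bytes.
SAMPLE_SCT = SCT(0, bytes(range(32)), 1_600_000_000_000, b"", 4, 3,
                 b"\x30\x06\x02\x01\x01\x02\x01\x02")
SAMPLE_LIST = encode_sct_list([SAMPLE_SCT])
ISSUED_2019 = datetime(2019, 1, 1, tzinfo=timezone.utc)   # after the cut-off
ISSUED_2017 = datetime(2017, 6, 1, tzinfo=timezone.utc)   # before the cut-off

if __name__ == "__main__":
    print(ct_verdict(ISSUED_2019, SAMPLE_LIST))   # accept
    print(ct_verdict(ISSUED_2019, None))          # reject
    print(ct_verdict(ISSUED_2017, None))          # not-enforced
```

Everything in ct_verdict runs against bytes the client already holds (the certificate and its embedded extension); a live fetch is only needed for OCSP/CRL status, not for the SCT structure check shown here.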