Mastodawn

Can I submit my "Tylenol & Rum" invoices directly to the CA/B Forum, or should I break it out for individual members?

#Heise:
"
"Passwort" Folge 40: Probleme mit Widerrufen, Verbindungsabbrüchen und anderem

Eine pickepackevolle Folge, gefüllt unter anderem mit kundigem Exploitbau unter Linux, einem HTTP2-DoS und millionenfachen Zertifikatsrückrufen von Microsoft.
"
https://www.heise.de/news/Passwort-Folge-40-Probleme-mit-Widerrufen-Verbindungsabbruechen-und-anderem-10632694.html

mp3: https://audio.podigee-cdn.net/2098722-m-7a844de5c304b67bf99d2ee327d88425.mp3

10.9.2025

Aaaa.. MS..

#CA #CertificateTransparency #Chrome #LetsEncrypt #Microsoft #MS #PKI #TLSZertifikat #WebPKI #Zertifikat

"Passwort" Folge 40: Probleme mit Widerrufen, Verbindungsabbrüchen und anderem

Eine pickepackevolle Folge, gefüllt unter anderem mit kundigem Exploitbau unter Linux, einem HTTP2-DoS und millionenfachen Zertifikatsrückrufen von Microsoft.

heise online

Peregrine Fleuré Tremayne Sep 4

For anyone who is panicking over certificate misissuance for #cloudflare 1.1.1.1: such "incidents" happen on a regular basis. For example #letsencrypt once had to revoke ~3M certs because their #CAA validation algorithm was faulty:

https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591

Name a #CA and you're definitely going to find cases of misissuance. The problem is the #WebPKI governance that's more than often just a paper tiger that doesn't impose any sanctions on the heavy weights.

2020.02.29 CAA Rechecking Bug

On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so any do...

Let's Encrypt Community Support

Peregrine Fleuré Tremayne Sep 4

#QWAC might be awful but that doesn't make existing trust stores in the #WebPKI better: the decisions are basically made by going though a checklist and having some random people approve your application.

Anisse Aug 21

CRLite is a fascinating piece of technology by Mozilla to handle revocations on the WebPKI, in a privacy-friendly and bandwidth ~friendy approach: it uses a new compact data-structure called Clubcards (basically Ribbon filters (enhanced Bloom filters) with partitionning): https://hacks.mozilla.org/2025/08/crlite-fast-private-and-comprehensive-certificate-revocation-checking-in-firefox/

#RustLang #WebPKI #revocation #CRLite #clubcard #Firefox

CRLite: Fast, private, and comprehensive certificate revocation checking in Firefox – Mozilla Hacks - the Web developer blog

Firefox is now the first and the only browser to deploy fast and comprehensive certificate revocation checking that does not reveal your browsing activity to anyone (not even to Mozilla). ...

Mozilla Hacks – the Web developer blog

GripNews Jul 8

🌖 您應該運行一個證書透明度日誌
➤ 提升網路安全，人人皆可參與
✤ https://words.filippo.io/run-sunlight/
本文探討了運行證書透明度 (CT) 日誌的重要性，並指出在儲存和頻寬成本降低，以及新的技術支援下，現在比以往更容易且更具價值。CT 日誌有助於維護網站安全，確保憑證授權機構 (CA) 的誠信，並讓網站擁有者能及時發現未經授權的憑證發行。作者鼓勵具備閒置資源或希望驗證技術能力的工程師考慮運行 CT 日誌，這對整個網路安全生態系統將有重大貢獻。
+ 我一直以為運行這樣的日誌需要大量的資源和專業知識，沒想到現在變得這麼容易了！這確實是一個非常有意義的舉措。
+ 這篇文章讓我意識到 CT 日誌在網路安全中的重要性。我會考慮看看我的伺服器是否適合運行一個。
#網路安全 #證書透明度 #WebPKI

You Should Run a Certificate Transparency Log

Maybe you, yes you, should run a Certificate Transparency log. It’s cheaper, easier, and more important than ever.

Show thread

Peregrine Fleuré Tremayne Jun 26

Within the #WebPKI, the "common name" is widely irrelevant afaik:

https://infosec.exchange/@pft/114745413874521644

So the question is: what are the circumstances that can pose a security risk if IP addresses are included in the CN field.

:hacker_p: :hacker_f: :hacker_t: (@pft@infosec.exchange)

Attached: 1 image @hrbrmstr@mastodon.social do they? There is even an ancient RFC that explicitly advises against considering CN in validation (I have to dig it up though...). CA/Browser Forum also mandates SAN in the baseline requirements (see image) and some CAs do not even fill CN in.

Infosec Exchange

waldi Jun 20

I have to ask if this is a bad use of resources to run a #WebPKI CA:
"SSL certificates are not the core business of $COMPANY; In total, only 20 certificates are currently valid"

Seirdy Jan 26

Firefox 136 looks poised to enforce Certificate Transparency.

It may be late, but combined with CRLite (and its other Web PKI progress), it may soon be the browser with the most robust Web PKI support.

While I would still say that Chromium generally wins on the security front, I’m happy to see the gap narrow with time and to see Firefox occasionally inch ahead in some areas.

Originally posted on seirdy.one: See Original (POSSE). #Firefox #WebPKI

1927085 - Enforce Certificate Transparency in release on desktop

RESOLVED (dkeeler) in Core - Security: PSM. Last updated 2025-01-24.

waldi Jan 3

Hmm. #CERTBUND had just revoked their main #WebPKI certificate:

https://crt.sh/?id=12765055285

It seems, some browsers actually get this information, mine don't.

crt.sh | 12765055285

Free CT Log Certificate Search Tool from Sectigo (formerly Comodo CA)