I could verify this using data from @cloudflareradar:

https://radar.cloudflare.com/tlds/de?dateRange=2d#certificate-issuance-volume

You can see the sharp drop in #certificate issuance during the period that #de #TLD was having #DNSSEC issues.

This is actually good news. It indicates that CAs are using DNSSEC for domain validation.

#webpki #x509 #pki #denic

Side effect of #DNSSEC failure in .de: no #certificate can be issued as well for the .de namespace.

At least theoretically, iff #CA s properly perform DNSSEC validation:

https://cabforum.org/2025/06/18/ballot-sc-085v2-require-validation-of-dnssec-when-present-for-caa-and-dcv-lookups/

#webpki #x509 #denic

Ballot SC-085v2: Require Validation of DNSSEC (when present) for CAA and DCV Lookups

Voting Results Certificate Issuers 25 votes in total:

CA/Browser Forum

#DigiCert customer support compromised with .scr ZIP attachment 🤷

During our investigation between 2026-04-14 and 2026-04-17, as DigiCert identified certificates potentially affected by the threat actor’s actions, we revoked them. DigiCert revoked 60 certificates issued from the following CAs:

  • DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1
  • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
  • GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1
  • Verokey High Assurance Secure Code EV

https://bugzilla.mozilla.org/show_bug.cgi?id=2033170

#x509 #infosec

2033170 - DigiCert: Misissued code signing certificates

ASSIGNED (dcbugzillaresponse) in CA Program - CA Certificate Compliance. Last updated 2026-05-05.

All 454,436 certificates have been revoked.

https://bugzilla.mozilla.org/show_bug.cgi?id=2033000

#X509

2033000 - SwissSign: Certificate Profile error for S/MIME MV

ASSIGNED (sandy.balzer) in CA Program - CA Certificate Compliance. Last updated 2026-04-27.

Understanding DDoS Scrubbing in BGP: Five Leading Scrubbers

DDoS mitigation often relies on BGP for "scrubbing", but how this appears in routing data is not well understood. We analyse five major providers to distinguish between always-on and on-demand protection, showing how mitigation manifests in practice and what it means for routing visibility and RPKI.

RIPE Labs

IETF 125 Shenzhen

Information about the IETF 125 Shenzhen meeting on 14-20 March 2026.

IETF

RE: https://infosec.exchange/@paulehoffman/115889970411988081

Side note: this is why things like "multi-perspective corroboration" for domain validation do not work.

When every single packet to .ir nameservers and servers inside Iran passes through two (yes, 2!) gateways, then those controlling the gateways can acquire a valid domain validation certificate for any .ir domain or any server located in Iran.

#x509 #dns #dnssec #certificate

TIL that, if your #OpenVPN peer uses a self-signed certificate, you can set the --ca option to that self-signed #certificate. Even though it is not actually marked as a CA certificate, this will work anyway.

Presumably because that technically *is* the CA of the peer's certificate. A self-signed certificate lists itself as the issuing CA. That's why it's called “self-signed”.

#x509

RE: https://abyssdomain.expert/@filippo/115674985400164090

An archive of all CT-logged certificates with all the tools needed for an analysis! No more scraping.

#ctlog #x509 #certificate