Talk:Certificate Transparency

This article is rated C-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Cryptography: Computer science High‑importance This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. High This article has been rated as High-importance on the importance scale. This article is supported by WikiProject Computer science (assessed as High-importance). Computing: Networking / Software Low‑importance This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. Low This article has been rated as Low-importance on the project's importance scale. This article is supported by Networking task force (assessed as Mid-importance). This article is supported by WikiProject Software (assessed as Low-importance). Computer Security: Computing High‑importance This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. High This article has been rated as High-importance on the project's importance scale. This article is supported by WikiProject Computing (assessed as Low-importance). Things you can help WikiProject Computer Security with: Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information... Answer question about Same-origin_policy Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here.

External link no longer available

Latest comment: 2 years ago2 comments2 people in discussion

https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/wHILiYf31DE/iMFmpMEkAQAJ

O'Brien, Devon (7 February 2018). "Certificate Transparency Enforcement in Google Chrome". Google Groups. Retrieved 18 December 2019. — Preceding unsigned comment added by Zabuch (talk • contribs) 11:34, 20 December 2021 (UTC)Reply

The link is available. Shoeper (talk) 00:40, 24 February 2022 (UTC)Reply

External links modified

Latest comment: 8 years ago1 comment1 person in discussion

Hello fellow Wikipedians,

I have just added archive links to one external link on Certificate Transparency. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:

• Added archive https://web.archive.org/20131010015324/http://www.darkreading.com/privacy/digicert-announces-certificate-transpare/240161779 to http://www.darkreading.com/privacy/digicert-announces-certificate-transpare/240161779

When you have finished reviewing my changes, please set the checked parameter below to true to let others know.

 Y An editor has reviewed this edit and fixed any errors that were found.

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—^{cyberbot II}_{Talk to my owner:Online} 17:22, 31 December 2015 (UTC)Reply

Shall we mention the header Expect-CT?

Latest comment: 2 years ago2 comments2 people in discussion

Not sure whether the Expect-CT header is in scope, but HTTP Public Key Pinning has a link named "Expect-CT" to this article. Readers may get confused when clicking that link only to see nothing about Expect-CT. --Franklin Yu (talk) 18:52, 31 October 2018 (UTC)Reply

I think it would be useful. Shoeper (talk) 00:42, 24 February 2022 (UTC)Reply

Incorrect information: CT is not a competing technology to OCSP

Latest comment: 2 years ago1 comment1 person in discussion

The Advantages section says that "Certificate Transparency does not require side channel communication to validate certificates as do some competing technologies such as Online Certificate Status Protocol (OCSP)".

CT is a "who watches the watchers" mechanism to monitor certs issued by CAs and notice fraudulent ones faster (so they can then be revoked). OCSP is a mechanism for a CA to tell a browser when a certificate is revoked. These are not competing, in fact they are complementary.

And yes, I'm aware that in their 2017 deprication notice / talk for HPKP, Google urged people to migrate to CT instead. While they both increase trust in certificates and reduce fraud in general, I don't really agree that they solve the same technical problem :P

I agree. Its also a little bit misleading as CT does not provide any means of revocation, it only helps a site owner to identify illigitemit certificates. Shoeper (talk) 00:48, 24 February 2022 (UTC)Reply

Is side channel communication necessary to benefit from CT ?

Latest comment: 2 years ago2 comments2 people in discussion

The article reads: Certificate Transparency does not require side channel communication to validate certificates.
I doubt the validity of this unsourced statement:
If a CA was silently compromised and a fraudulent SSL certificate created and used by a hacker in the middle of the communication, that fact can only become known to the client browser if it checks the CRL (which would yield no revocation yet because the CA compromise is still unnoticed) and the CT log (which would miss the expected hash and cause the client browser to reject the fraudulent certificate). This means the client browser must contact the CRL server and the CT log server, which makes two side channel communications.
Am I in error with this argument or is the cited statement really wrong ? -- Juergen 94.134.41.237 (talk) 16:03, 8 October 2020 (UTC)Reply

You are right. Shoeper (talk) 00:49, 24 February 2022 (UTC)Reply

Statement in lead

Latest comment: 2 years ago5 comments2 people in discussion

Hello @WikiLinuz:, you recently reverted one of my edits without any explanation. In my original edit I replaced the following text:

As of 2021, Certificate Transparency is mandatory for all publicly trusted TLS certificates, but not other types of certificates.^[1][2]

and instead wrote

Google Chrome requires Certificate Transparency for all publicly trusted TLS certificates issued after April 2018.^[2]

1. Call, Ashley (2015-06-03). "Certificate Transparency: FAQs | DigiCert Blog". DigiCert. Retrieved 2021-04-13.
2. O'Brien, Devon (7 February 2018). "Certificate Transparency Enforcement in Google Chrome". Google Groups. Retrieved 18 December 2019.

My reasoning was:

1. I removed DigiCert source because it actually directly contradicts the sentence (in either variation). This is because the source is from 2015 and stuff changed since then. Removal of old sources is consistent with Wikipedia:OLDSOURCES.

2. I directly referred to Google Chrome because it is the actual browser described in the only provided reliable source. Other browsers behave slightly differently, as described here.

3. I added "issued after Abril 2018" because that is how Google Chrome does it, it does not require CT for certificates issued before the new rules took effect. In fact, there are still some TLS certificates used in the wild which are not CT compliant. These certificates were issued prior to 30 April 2018 with 5-year validity period and will be valid until 2023.

4. I removed "but not other types of certificates" because this implies no other types of certificates use CT. This is false because CT can accommodate any kind of certificates, including code signing, document signing, email signing, client identity, etc. Some companies run internal CT logs; yes, these logs might be less known by general public because they are not listed in CCADB, but they still exist.

Could you please clarify why you reverted the edit? Was it a mistake? Can I change it back? Anton.bersh (talk) 20:42, 14 February 2022 (UTC)Reply

Actually that sentence is currently wrong. It is not required for all public certificates. Only Edge, Apple and Google Chrome check it. Neither CA Browser Forum requires it, nor Firefox is checking or requiring it. (Regarding Apple see https://support.apple.com/en-us/HT205280) --Shoeper (talk) 14:20, 22 February 2022 (UTC)Reply

Yes, Shoeper, of course the lead is currently wrong because it is too general. I tried to fix it by making it specifically about Google Chrome, using sources about Google Chrome. Anton.bersh (talk) 14:38, 22 February 2022 (UTC)Reply

I'm just trying to support your argument. I came to the discussion page because of the false statement in the page. Browser CT checking can be tested at: https://no-sct.badssl.com/ (browsers checking CT reject connecting, others connect). — Preceding unsigned comment added by Shoeper (talk • contribs) 15:40, 22 February 2022 (UTC)Reply

Thanks for clarification, I was confused about which sentence you were referring to when you said "Actually that sentence is currently wrong." Also, I can update article to include information about Edge, Firefox, and Safari. Anton.bersh (talk) 17:36, 22 February 2022 (UTC)Reply