- From: Ilari Liusvaara <ilariliusvaara@welho.com>
- Date: Fri, 10 May 2019 16:10:22 +0300
- To: HTTP Working Group <ietf-http-wg@w3.org>
On Fri, May 10, 2019 at 12:46:53PM +0200, Stefan Eissing wrote:
> Christophe Brocas (@cbrocas), organizer of Pass-the-Salt security conference, tweeted
> about checking HTTP server certificates against CT logs to detect very early if someone
> successfully hijacked one of your domains.
>
> A renewed certificate is often not immediately used on a server but activated on the
> next restart, which can be several hours away. To check if a certificate is mentioned in a
> CT log, one would need to obtain information about upcoming certificates as well.

If the certificate management is automated, the time window between obtaining the
certificate from the CA and deploying it to production is typically much faster than a few
hours, typically a few seconds to a few tens of seconds, although some setups deploy in
sub-second timescales and some may take hundreds of seconds. This is because the clients
typically reload the webserver after any run which changed the certificates (the craziest
setups hot-reload from inotify, or something similar).

Regarding using CT for hijack detection, there are proposed mechanisms for CT "gossip"
where clients send recently seen certificates or pointers thereof to the webserver, which
can then alert admins on reports of unknown publicly trusted certificates. I do not think
there are any concrete specifications about that however (only some drafts).

-Ilari
Received on Friday, 10 May 2019 13:10:51 UTC
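The reconciliation the thread describes, as an added example that is not from either post or any project: match certificates observed in CT against both the certificate currently served and a renewed one that has been obtained but not yet activated, so that only a certificate nobody on your side requested raises an alert. All fingerprints, hostnames, log names and CT entries below are constructed placeholders, not real data.

```python
from dataclasses import dataclass

@dataclass
class CTEntry:
    fingerprint: str  # SHA-256 of the leaf certificate as logged (constructed value)
    names: tuple      # subjectAltName dNSNames in the certificate
    log: str          # CT log that reported the entry

def name_matches(pattern: str, host: str) -> bool:
    """Does a SAN (possibly a wildcard) cover a monitored hostname?"""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".example.org"
        rest = host[: -len(suffix)] if host.endswith(suffix) else None
        return bool(rest) and "." not in rest     # wildcard covers one label only
    return pattern == host

def classify(observed, deployed, staged, monitored):
    """Map each CT entry naming a monitored host to 'deployed', 'staged'
    (obtained from the CA but not yet activated) or 'unknown' (alert)."""
    result = {}
    for e in observed:
        if not any(name_matches(n, h) for n in e.names for h in monitored):
            continue                              # not one of our hosts; ignore
        if e.fingerprint in deployed:
            result[e.fingerprint] = "deployed"
        elif e.fingerprint in staged:
            result[e.fingerprint] = "staged"
        else:
            result[e.fingerprint] = "unknown"
    return result

# Constructed sample data: four log entries, two of which our own renewal pipeline knows.
MONITORED = {"www.example.org", "api.example.org"}
DEPLOYED = {"aa11"}      # certificate currently served
STAGED = {"bb22"}        # renewed certificate, waiting for the next reload
OBSERVED = [
    CTEntry("aa11", ("www.example.org",), "log-a"),
    CTEntry("bb22", ("www.example.org", "api.example.org"), "log-a"),
    CTEntry("cc33", ("*.example.org",), "log-b"),    # nobody on our side requested this
    CTEntry("dd44", ("www.example.net",), "log-b"),  # someone else's domain
]

def unknown_certificates():
    """Fingerprints that name our hosts but match neither deployed nor staged certs."""
    status = classify(OBSERVED, DEPLOYED, STAGED, MONITORED)
    return sorted(fp for fp, s in status.items() if s == "unknown")
```

Feeding the staged set from the renewal client's output directory is what closes the gap the quoted message points out: without it, every renewal would look like an unknown certificate until the next restart.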