On Friday, 21 July 2017 01:13:15 UTC+1, Matthew Hardeman wrote:
> As easily as that, one could definitely get a certificate issued without
> breaking most of the internet, without leaving much of a trace, and without
> failing domain validation.
One trace this would leave, if done using Let's Encrypt or several other popular CAs, is a CT log record. Google has pushed back its implementation date, but it seems inevitable at this point that certificates for ordinary web sites (as opposed to HTTPS APIs, SMTP, IRC, and so on) will need to be submitted for CT if you expect them to work much beyond this year. The most obvious way to achieve this is for the CA to submit automatically during or immediately after issuance.

Now, most likely the EFF (in your example) does not routinely check CT logs, and doesn't subscribe to any service which monitors the logs and reports new issuances. But a high value target certainly _should_ be doing this, and it significantly closes the window.

DNSSEC is probably the wiser precaution if you're technically capable of deploying it, but paying somebody to watch CT and tell you about all new issuances for domains you control doesn't require any technical steps, which makes it the attractive option if you're protective of your name but not capable of bold technical changes.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
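The "watch CT and tell you about all new issuances for domains you control" check that the reply describes, as an added example that is not part of the thread or of any CA's or log operator's code. It is standard-library Python and assumes the monitor has already decoded each log entry's leaf certificate into a plain record (issuer, SAN list, notBefore, log index); the feed below is a constructed sample, and the issuer names and timestamps in it are made up. The matching handles exact names, subdomains and wildcard SANs, and a record is marked unexpected when its issuer is not one the domain owner actually uses.

```python
"""CT-issuance tripwire: report every logged certificate that names a domain
you control, and flag the ones from a CA you do not normally use.

Added example for the mailing-list discussion, not code from the thread.
Assumes records have already been decoded from a log's get-entries output;
SAMPLE_FEED is constructed data, not real log contents."""

# Constructed sample records (issuer names, indexes and dates are made up).
SAMPLE_FEED = [
    {"log_index": 1001, "issuer": "Example Usual CA",
     "sans": ["www.example.org", "example.org"],
     "not_before": "2017-07-20T10:00:00Z"},
    {"log_index": 1002, "issuer": "Some Other CA",
     "sans": ["mail.example.org"],
     "not_before": "2017-07-21T00:30:00Z"},
    {"log_index": 1003, "issuer": "Some Other CA",
     "sans": ["*.example.net"],
     "not_before": "2017-07-21T00:45:00Z"},
    {"log_index": 1004, "issuer": "Example Usual CA",
     "sans": ["unrelated.example.com"],
     "not_before": "2017-07-21T01:00:00Z"},
    {"log_index": 1005, "issuer": "Some Other CA",
     "sans": ["notexample.org"],
     "not_before": "2017-07-21T01:05:00Z"},
]


def normalize(name):
    """Lower-case a DNS name and drop surrounding whitespace / trailing dot."""
    return name.strip().lower().rstrip(".")


def san_covers_watched(san, watched):
    """True if `san` is the watched domain, a subdomain of it, or a wildcard
    whose base is the watched domain or one of its subdomains.
    'notexample.org' must NOT match 'example.org', hence the dot check."""
    san = normalize(san)
    watched = normalize(watched)
    if san.startswith("*."):
        san = san[2:]  # *.example.org covers hosts under example.org
    return san == watched or san.endswith("." + watched)


def issuances_for_domains(feed, watched_domains, expected_issuers, since_index=-1):
    """Report each record after `since_index` whose SANs touch a watched
    domain. `unexpected` is True when the issuer is outside the allowlist,
    which is the case the thread is worried about."""
    report = []
    for rec in sorted(feed, key=lambda r: r["log_index"]):
        if rec["log_index"] <= since_index:
            continue  # already reported on a previous run
        hits = [s for s in rec["sans"]
                if any(san_covers_watched(s, w) for w in watched_domains)]
        if not hits:
            continue
        report.append({
            "log_index": rec["log_index"],
            "issuer": rec["issuer"],
            "matched_names": hits,
            "not_before": rec["not_before"],
            "unexpected": rec["issuer"] not in expected_issuers,
        })
    return report


if __name__ == "__main__":
    watched = ["example.org", "example.net"]
    usual_cas = {"Example Usual CA"}
    for item in issuances_for_domains(SAMPLE_FEED, watched, usual_cas):
        tag = "UNEXPECTED ISSUER" if item["unexpected"] else "ok"
        print(item["log_index"], item["issuer"], item["matched_names"], tag)
```

A real monitor keeps the last `log_index` it reported per log and passes it as `since_index` on the next poll, so each issuance is raised once; the allowlist is deliberately a plain set of issuer names, since the point is to tell the owner about every certificate for their names and let them decide which ones they ordered.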

