On Friday, 21 July 2017 01:13:15 UTC+1, Matthew Hardeman  wrote:
> As easily as that, one could definitely get a certificate issued without 
> breaking most of the internet, without leaving much of a trace, and without 
> failing domain validation.

One trace this would leave, if done using Let's Encrypt or several other 
popular CAs, is a CT log record. Google has pushed back its implementation 
date, but it seems inevitable at this point that certificates for ordinary web 
sites (as opposed to HTTPS APIs, SMTP, IRC, and so on) will need to be 
submitted for CT if you expect them to work much beyond this year. The most 
obvious way to achieve this is for the CA to submit automatically during or 
immediately after issuance.

Now, most likely the EFF (if your example) does not routinely check CT logs, 
and doesn't subscribe to any service which monitors the logs and reports new 
issuances. But a high value target certainly _should_ be doing this, and it 
significantly closes the window.

DNSSEC is probably the wiser precaution if you're technically capable of 
deploying it, but paying somebody to watch CT and tell you about all new 
issuances for domains you control doesn't require any technical steps, which 
makes it the attractive option if you're protective of your name but not 
capable of bold technical changes.
dev-security-policy mailing list

Reply via email to