Twitter | Pretraživanje | |
Andrew Ayer 20. stu
ICYMI: last week I rolled out a HUGE upgrade to Cert Spotter. Now that the post-rollout craziness has subsided, let me tell you about my favorite new features... (1/9)
Reply Retweet Označi sa "sviđa mi se"
Andrew Ayer 20. stu
Odgovor korisniku/ci @__agwa
First: expiration monitoring! Cert Spotter now monitors every one of your domains and sub-domains found in CT logs and alerts you about expiring certificates - whether it's a forgotten manual certificate, or a broken automated certificate. (2/9)
Reply Retweet Označi sa "sviđa mi se"
Andrew Ayer 20. stu
Odgovor korisniku/ci @__agwa
If the endpoint is running a public HTTPS server, Cert Spotter checks the expiration date of the live certificate. Otherwise, it looks in CT logs to see if the certificate has been renewed. (Coming soon: monitoring for other installation errors, like missing intermediates.) (3/9)
Reply Retweet Označi sa "sviđa mi se"
Andrew Ayer 20. stu
Odgovor korisniku/ci @__agwa
Second: say goodbye to alert fatigue! I know you're busy, so I only want to bother you when there's really a problem. If you trust some CAs, you can choose not to be alerted about their certificates. Trusting the 1-3 CAs that you use is WAY better than trusting all 100+. (4/9)
Reply Retweet Označi sa "sviđa mi se"
Andrew Ayer 20. stu
Odgovor korisniku/ci @__agwa
Or, if your issuance is automated, there's an API for telling Cert Spotter about your legitimate certificates so you won't be alerted about them. Imagine: plugins for Certbot, Caddy, etc. that automatically authorize all certs that they issue! (5/9)
Reply Retweet Označi sa "sviđa mi se"
Andrew Ayer 20. stu
Odgovor korisniku/ci @__agwa
Third: Cert Spotter now tells you who REALLY issued a certificate, and who you need to contact to get it revoked, which will reduce confusion and save you precious time responding to an unwanted certificate. (6/9)
Reply Retweet Označi sa "sviđa mi se"
Andrew Ayer 20. stu
Odgovor korisniku/ci @__agwa
It doesn't sound hard to figure out who issued a certificate, but because of all the acquisitions and obscure business arrangements in the WebPKI, you often needed to be a WebPKI expert to figure it out. Now you can just use Cert Spotter. (7/9)
Reply Retweet Označi sa "sviđa mi se"
Andrew Ayer 20. stu
Odgovor korisniku/ci @__agwa
This minor feature was hard to implement but will have a big impact on making Certificate Transparency more usable by non-experts. Other monitors will tell you that a certificate was issued by a company that isn't a certificate authority, or hasn't existed for a decade. (8/9)
Reply Retweet Označi sa "sviđa mi se"
Andrew Ayer 20. stu
Odgovor korisniku/ci @__agwa
Do you want monitoring that will prevent downtime, improve your security, while being easy to use? Sign up for Cert Spotter here: (9/9)
Reply Retweet Označi sa "sviđa mi se"
Royce Williams
Sweet! Re trusted CAs - are you analyzing CAA records to inform that?
Reply Retweet Označi sa "sviđa mi se" More
Andrew Ayer 20. stu
Odgovor korisniku/ci @TychoTithonus
When you sign up, the list is automatically populated based on your CAA records. Currently, that's the only time CAA is checked. Since DNS is unauthenticated and non-transparent, I don't want to silently change the authorized CA list based on CAA lookups.
Reply Retweet Označi sa "sviđa mi se"
Royce Williams 20. stu
Odgovor korisniku/ci @__agwa
Totally understood - but maybe something advisory, and visible to the user, could be helpful. If there is a mismatch between CAA and the authorized CA list, that would be very useful to know. Just throwing it out there.
Reply Retweet Označi sa "sviđa mi se"