Comment by agwa

3 years ago

If the CA doesn't log a certificate, the certificate won't work in CT-enforcing clients (Chrome, Safari, Edge) because it lacks receipts (SCTs) from CT logs.

If a log fails to publish a certificate despite issuing a receipt for it, Chrome's SCT auditing infrastructure can detect that, as it did recently with the Nessie 2023 log: https://groups.google.com/a/chromium.org/g/ct-policy/c/5x1A6... (this was also detected by monitors operated by myself and Cloudflare)

But this is all moot when it comes to XMPP, since XMPP clients don't check for SCTs, and there is no requirement for CAs to log certificates if they don't need to work in non-CT-enforcing clients. Some CAs (e.g. DigiCert) will sell you unlogged certificates - no need to compel them.

tldr: situation is good and improving with browsers, not so much with non-browser clients

XMPP has some adoption of channel binding (it could be better, but it's heading in the right direction) which mitigates these kinds of attacks in a different way. It is able to do that because the client and server already share a secret (the user's credentials), unlike most HTTP clients/servers (at least as far as the protocol is concerned).

But SCT validation would indeed be something we should investigate for the ecosystem, it could be beneficial for certain use cases.

  • It may be better for the XMPP ecosystem to focus on increasing adoption of channel binding rather than CT enforcement. I wrote briefly about the challenges faced by non-browser clients at <https://news.ycombinator.com/item?id=36436303> but the tldr is that all SCT-checking clients have to be able to respond to ecosystem changes very quickly. This is so important that Chrome and Safari both disable SCT checking entirely if the browser hasn't been updated in more than 10 weeks.

    Feel free to contact me (email in profile) or ask here if you want to talk more about this. I use XMPP (thank you for Prosody!) and have been involved in the CT space for many years now.

    • > but the tldr is that all SCT-checking clients have to be able to respond to ecosystem changes very quickly.

      This is fine. If you're using a tool that's connecting to the internet, you probably need to monitor for updates anyway.

      I'd like to see a separate package, similar to Mozilla's `ca-certificates`, but for CT that can be updated independently of the actual useragent.

      1 reply →