Comment by Gigachad
3 hours ago
This is stopped by certificate transparency logs. Your software should refuse to accept a certificate which hasn’t been logged in the transparency logs, and if a rogue CA issues a fraudulent certificate, it will be detected.
Certificate transparency doesn't prevent misissuance, it only makes detection easier after the fact. Someone still needs to be monitoring CT and revoke the cert. I actually believe most HTTP stacks on Android don't even check cert revocations by default.