So the problem as I'm understanding it is the CAs should have looked at what was being sent back by the 'dodo' log and rejected it, but they did not reject it, they just embedded it in the certificate and continued as normal.
I was curious to see what this looked like and it's a relatively simple openssl command:
The "CT Precertificate SCTs:" section is at the bottom of the output.
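As an added example (not code from the thread), the check the comments above say the CAs skipped, written out in plain Python: parse the SignedCertificateTimestampList structure that lives in the CT Precertificate SCTs extension (RFC 6962, section 3.3) and reject any SCT whose log ID is not on an allow-list of logs you actually trust. The log IDs, timestamps and signature bytes below are constructed placeholders, not real CT log identifiers; a real deployment would load the current browser log list and additionally verify each SCT signature against that log's public key, which this example leaves out.

```python
"""Parse and sanity-check an embedded SCT list (RFC 6962, section 3.3).

Added example, not from the thread. All log IDs, timestamps and signature
bytes are constructed placeholders, not values from any real CT log.
"""
import hashlib
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stand-ins for the SHA-256 log IDs of one trusted and one unknown log.
TRUSTED_LOG_ID = hashlib.sha256(b"constructed: trusted log").digest()
UNKNOWN_LOG_ID = hashlib.sha256(b"constructed: unknown test log").digest()
TRUSTED_LOG_IDS = {TRUSTED_LOG_ID}


@dataclass
class SCT:
    version: int        # 0 == v1, the only version defined by RFC 6962
    log_id: bytes       # SHA-256 of the log's public key (32 bytes)
    timestamp_ms: int   # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int       # TLS SignatureAndHashAlgorithm code points (RFC 5246)
    sig_alg: int
    signature: bytes


def _take(buf: bytes, off: int, n: int):
    """Slice n bytes at off, failing loudly on truncated input."""
    if off + n > len(buf):
        raise ValueError("truncated SCT data")
    return buf[off:off + n], off + n


def parse_sct(data: bytes) -> SCT:
    """Parse one SerializedSCT: version, log_id, timestamp, extensions, digitally-signed."""
    version, off = _take(data, 0, 1)
    log_id, off = _take(data, off, 32)
    ts, off = _take(data, off, 8)
    ext_len, off = _take(data, off, 2)
    ext, off = _take(data, off, struct.unpack(">H", ext_len)[0])
    algs, off = _take(data, off, 2)
    sig_len, off = _take(data, off, 2)
    sig, off = _take(data, off, struct.unpack(">H", sig_len)[0])
    if off != len(data):
        raise ValueError("trailing bytes after SCT")
    return SCT(version[0], log_id, struct.unpack(">Q", ts)[0], ext, algs[0], algs[1], sig)


def parse_sct_list(data: bytes) -> list:
    """SignedCertificateTimestampList: u16 total length, then u16-length-prefixed SCTs."""
    total_b, off = _take(data, 0, 2)
    if struct.unpack(">H", total_b)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts = []
    while off < len(data):
        n_b, off = _take(data, off, 2)
        item, off = _take(data, off, struct.unpack(">H", n_b)[0])
        scts.append(parse_sct(item))
    if not scts:
        raise ValueError("empty SCT list")
    return scts


def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes, extensions: bytes = b"") -> bytes:
    """Build a SerializedSCT (used here only to construct sample input)."""
    return (bytes([0]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([4, 3])  # hash=sha256, signature=ecdsa code points
            + struct.pack(">H", len(signature)) + signature)


def encode_sct_list(scts: list) -> bytes:
    items = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(items)) + items


def check_sct_list(data: bytes, trusted_log_ids: set) -> list:
    """Return (sct, accepted) pairs; accept only v1 SCTs from a log on the allow-list."""
    return [(s, s.version == 0 and s.log_id in trusted_log_ids) for s in parse_sct_list(data)]


def build_sample_sct_list() -> bytes:
    """Constructed input: one SCT from the trusted log, one from an unknown log."""
    ts = 1_600_000_000_000
    return encode_sct_list([
        encode_sct(TRUSTED_LOG_ID, ts, b"\x30\x06\x02\x01\x01\x02\x01\x02"),      # constructed sig bytes
        encode_sct(UNKNOWN_LOG_ID, ts + 1, b"\x30\x06\x02\x01\x03\x02\x01\x04"),  # constructed sig bytes
    ])


if __name__ == "__main__":
    for sct, ok in check_sct_list(build_sample_sct_list(), TRUSTED_LOG_IDS):
        when = datetime.fromtimestamp(sct.timestamp_ms / 1000, tz=timezone.utc)
        verdict = "ok" if ok else "UNKNOWN LOG - reject"
        print(f"log {sct.log_id.hex()[:16]}... at {when:%Y-%m-%dT%H:%M:%SZ}: {verdict}")
```

To get the raw bytes for a real certificate, `openssl x509 -in cert.pem -noout -text` (OpenSSL 1.1.0 or later) prints the decoded "CT Precertificate SCTs" section the comment above refers to; the same extension can be pulled out of the DER with any ASN.1 library by its OID 1.3.6.1.4.1.11129.2.4.2 and fed to `check_sct_list`. An SCT whose log ID is not on the list is exactly the condition a CA should have treated as a failed issuance rather than something to embed and move on from.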
> It's unfortunate that certificate authorities cannot be relied upon to validate the information they place in their certificates. This means that site owners need to be vigilant about the mistakes made by CAs: both mistakes that lead to attackers getting certificates for your domains, and mistakes that cause your certificates to not work in browsers.
What is unfortunate is that the vendors keep coming up with additional patchwork to fix complacency in an industry that's not primarily incentivized towards security but towards building moats. After a few more incidents like this, they will realize that CT logs are a critical infrastructure, prone to human problems, and more patchwork to add to the burden, but accepted as long as they keep their moats. At no point do the end-user's preferences come into the picture, that they might want to be the one to choose which certificates or individual websites to trust.
Anyway, mini-rant aside, perhaps the next round of bandaid will be a "meta-certbot" which continuously looks for notifications regarding similar security events, which then knows to rotate certs that could be affected — after all, in this case not many site operators would know there's a problem until it appears.