ca-bundle
certificate-transparency
ca-bundle | certificate-transparency | |
---|---|---|
13 | 11 | |
231 | 855 | |
- | - | |
4.1 | 0.0 | |
about 2 months ago | 9 months ago | |
C++ | ||
- | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
ca-bundle
-
Verified Curl
Again, strange attitude, given that he personally had legal issues with US in the past, the reasons for which were never disclosed[1].
Typical good developers are not Rambo. When law enforcers come to them and force them at gunpoint to make them commit/add a new maintainer, they should not expect active resistance. Minor reminder: curl is not just some http library, they maintain their own CA list[2]. They don't need any intricate hidden lines for backdoor, CA list is a backdoor on its own.
[1] https://daniel.haxx.se/us-visa.html
[2] https://curl.se/docs/caextract.html
-
I make the same mistake too, sometimes.
Here are some examples from the ones on most Linux distros (Apple and Microsoft's lists are very similar):
-
Kreait php realtime database cannot get reference!! (cURL 60 error).
Go to the cURL official site and download the latest cacert.pem file. It's linked near the top of this page: https://curl.se/docs/caextract.html
- How come cURL Is Not Outputting?
-
Add trusted root certificate for POST requests (LetsEncrypt)
Haven't tried it myself but curl offers the certificate store used by Mozilla Firefox as a download.
-
ND/NGD : Let's Encrypt root certificate expiration thread!
I used the cacert.pem from https://curl.se/docs/caextract.html, as suggested by the NZBGet documentation. Is there a difference between these two cacert.pem files? Is one better than the other?
-
Did the Let's Encrypt DST CA X3 Root Certificate expiration break anything for you? On Debian 8 (which you should have deprecated by now), you'll have to disable it as well as install the new ISRG certificate or else it will show all Let's Encrypt Certificates as expired.
https://curl.se/docs/caextract.html and running update-ca-certificates
- I feel like this should be simple??
- Xampp works on my desktop but not on my laptop. More in comments
-
Interacting with Postmarkapp.com's DMARC API
For anyone who's interested, here's the code for a Windows batch file to interact with all of the API functions for Postmarkapp's DMARC monitoring API (apologies, this will make the post a bit long). Prerequisites: cURL with a CA bundle:
certificate-transparency
-
Google Pixel Binary Transparency: verifiable security for Pixel devices
Recently I developed a presentation about immutability as a design concept in computer security. As part of it, I have slides which cover Certificate Transparency implementation[0], which uses Trillian[1] as a distributed ledger. Part of Trillian's documentation includes a Firmware Transparency[2] example. For the year or so I've been aware of it, I've thought that it's a great idea, and wondered if it would ever grow as a project/practice. Digging through the links in this announcement, it appears Trillian is the basis for the distributed ledger here. Glad to see the idea has been taken further by Google.
[0] https://certificate.transparency.dev/
[1] https://transparency.dev/
[2] https://github.com/google/trillian-examples/tree/master/bina...
-
Google and HTTP
> They could say that your certificate passes validation while, in fact, said security has been already tampered with on your side, giving your website's visitors a sense of false security.
This isn't how the Web PKI works. In order to tamper with your site's traffic, Let's Encrypt (or another CA) would need to issue another certificate for your site with a key that they (rather than you) control. This would be detected via CT[1], which your browser (unless it's Firefox) is already using
And note: by design, any CA in the trusted set can already do this, regardless of whether you use them or not. The things that are stopping them are that it's (1) not in their interest to do so, (2) it's detectable due to CT, and (3) would result in their root being hell-banned by the browsers.
[1]: https://certificate.transparency.dev/
-
Let's Encrypt Acme API Outage
You are correct: https://github.com/google/certificate-transparency/blob/mast...
You can embed CT attestations (SCTs) in the certificate itself, so yes, provided the CA is in cooperation with CT log operators, and deliberately does the pre-certificate -> SCTs -> real certificate dance, it is possible for a browser to validate embedded SCTs without an online check.
However, that assumes that the CA actively does that, they don't have to. Neither does the server. What's compelling them to is _policy_, set by Google and Apple, that their respective browsers won't accept certificates _without_ CT attestations. Google's policy specifically requires that one of the SCTs on a certificate must be a CT log run by Google. Google also controls the list of CT logs that Chrome will consider as valid CT logs, as part of deciding if an SCT is valid. Antitrust, anyone?
I was trying to make a similar point about Firefox - policy vs code. And rather than saying that it's specifically the CA/Browser Forum setting policy (which it does, but only baseline policy, which does not include CT), each org in the CA/Browser Forum has their own root cert inclusion program with their own policies, that all draw from baseline policy then add to it. You are right, _baseline_ policy does not require CT....
... and neither does _Mozilla's_ policy, now I've scanned through it. It actively acknowledges that CT exists (in that it mandates that if you issue a precertificate for CT, you _must_ issue the completed certificate), but it does _not_ require CAs to use CT. In stark contrast to Google and Apple.
Perhaps this is why they also don't implement CT checking in Firefox?
- 2024. január 1-től minden magyarnak jár a 'magyarországi' IP-cím
- Security for your Homeserver
- We updated our RSA SSH host key
-
Can authenticated internet-facing web app be discovered if not indexed by search engines?
My main source is Certificate Transparency, which is kind of a database of TLS certs created so far. But use external tools like Subfinder or Amass.
-
Evidence regarding Ristonia/Windias "FBI seizures"
Certificates signed by reputable Certificate Authorities (CA's) are publicly logged by projects like googles certificate transparency, the EFF's SSL observatory and a few CA's directly, which can be viewed on websites like https://crt.sh/ and https://ui.ctsearch.entrust.com/. We will use screenshots of the latter service for readability, but you can verify the same information on the first service as well.
-
I make the same mistake too, sometimes.
The one saving grace is that Certificate Transparency makes it so that false issuances are logged. CT is now required by the big 3 browser vendors. CAs caught wrongly issuing certs without good explanation have their CA cert(s) removed or revoked. (Though sometimes more slowly than I'd like.)
-
Does signal have web based interface?
I'm not sure what you're talking about. I imagine you mean certificate transparency. Certificate transparency is not available on all browsers (FF doesn't support it), and only enables detectong issuance of malicious certificates/misbehaving CAs, but does not prevent the certificate being from being actually used. This means that a compromised CA could still issue malicious certificates and use them to attack many people before anyone notices it and the malicious certificates are revoked.
What are some alternatives?
Arduino - ESP8266 core for Arduino
mod_md - Let's Encrypt (ACME) in Apache httpd
Floorp - The most of source code of version 10 or later of Floorp Browser, the most Advanced and Fastest Firefox derivative 🦊
subfinder - Fast passive subdomain enumeration tool.
zlint - X.509 Certificate Linter focused on Web PKI standards and requirements.
libsqlfs - a library that implements a POSIX style filesystem on top of an SQLite database
Caddy - Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
github-keygen - Easy creation of secure SSH configuration for your GitHub account(s)
ssh
did-core - W3C Decentralized Identifier Specification v1.0
idb - IndexedDB, but with promises
trillian-examples - A place to store some examples which use Trillian APIs to build things.