sunlight

A Certificate Transparency log implementation and monitoring API designed for scalability, ease of operation, and reduced cost. (by FiloSottile)

Sunlight Alternatives

Similar projects and alternatives to sunlight

  1. SponsorBlock

    924 sunlight VS SponsorBlock

    Skip YouTube video sponsors (browser extension)

  2. Stream

    Stream - Scalable APIs for Chat, Feeds, Moderation, & Video. Stream helps developers build engaging apps that scale to millions with performant and flexible Chat, Feeds, Moderation, and Video APIs and SDKs powered by a global edge network and enterprise-grade infrastructure.

  3. C2SP

    19 sunlight VS C2SP

    Community Cryptography Specification Project

  4. sigsum

    Mirror only. Official repository is at https://git.glasklar.is/sigsum/project/documentation

  5. sb-mirror

    Docker containers to mirror the SponsorBlock database + API

  6. compact_log

    A tri-API Certificate Transparency (CT) log implementation. CompactLog serves the same Merkle tree through the RFC6962 Certificate Transparency API, the pages extension draft (https://datatracker.ietf.org/doc/html/draft-trans-pages) and Static CT API while delivering exceptional performance.

  7. quickspec

    Equational laws for free

  8. echidna

    33 sunlight VS echidna

    Ethereum smart contract fuzzer

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a better sunlight alternative or higher similarity.


sunlight reviews and mentions

Posts with mentions or reviews of sunlight. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2025-07-07.
  • You Should Run a Certificate Transparency Log
    4 projects | news.ycombinator.com | 7 Jul 2025
    Meanwhile this implementation does user agent based rate limiting

    https://github.com/FiloSottile/sunlight/blob/11a172fc8e54d90...

    Doesn’t validate the seed they use for cryptographic operations https://github.com/FiloSottile/sunlight/blob/main/cmd/sunlig...

    And the author forwards private security reports to public mailing lists for dismissal

  • A Certificate Transparency log implementation
    1 project | news.ycombinator.com | 7 Jul 2025
  • Google says "not a security issue", quickly fixes without attribution
    3 projects | news.ycombinator.com | 4 Jul 2025
    First of all, the project in question (Sunlight) is not a Google project and its author (Filippo) is not employed by Google.

    Here's what actually happened:

    2025-07-01 19:01 UTC: I suggest making some changes to Sunlight to improve usability of key generation and mitigate a potential misconfiguration risk with keys: https://github.com/FiloSottile/sunlight/issues/35#issue-3193...

    2025-07-01 20:08 UTC: Filippo agrees with my suggestions: https://github.com/FiloSottile/sunlight/issues/35#issuecomme...

    2025-07-02 12:20 UTC: OP emails Filippo claiming to have found a vulnerability in Sunlight

    2025-07-02 13:03 UTC: Filippo replies to OP explaining why this is not a vulnerability (an assessment which I agree with entirely): https://groups.google.com/a/chromium.org/g/ct-policy/c/qboz9...

    2025-07-02 16:41 UTC: Filippo implements my suggestions

    I don't know if it's a coincidence that OP emailed Filippo in the 20 hours between Filippo agreeing with my suggestions and implementing my suggestions, or if OP saw my suggestions in the Sunlight issue tracker and decided to make a mountain out of a molehill. Either way - the changes were always going to happen regardless of OP. Nobody else thinks this is a security vulnerability.

  • Tell HN: Google says "not vuln" fixes hours later without attribution
    1 project | news.ycombinator.com | 3 Jul 2025
    This compromises every certificate the log ever signed - past, present, and future.

    I reported security vulnerabilities in Certificate Transparency infrastructure that Google Chrome trusts. They dismissed them as "not vulnerabilities," made my private report public without consent, then silently implemented my fixes hours later.

    The discovery:

    While benchmarking, I used echo " " > seed.bin (32 spaces). Sunlight accepted this and generated valid but predictable private keys for a CT log. No warnings, no errors.

    Why this matters:

    1. Operator correctly runs: cat /dev/urandom > seed.bin

    2. Filesystem corruption fills seed with nulls/spaces (happens in production)

    3. Sunlight silently generates predictable keys from corrupted seed

    4. CT log operates "normally" - valid signatures, no errors

    5. Anyone knowing about corruption can recreate the private keys

    Without checksums, even perfect operators get silently compromised. This is PKI infrastructure that protects HTTPS certificates.

    This isn't hypothetical - filesystem corruption is common in production systems. Power failures, kernel panics and storage failures regularly cause partial writes and null bytes.

    Google's response:

    - "Not a vulnerability": https://groups.google.com/a/chromium.org/g/ct-policy/c/qboz9s8b9j8/m/B6JXa2q1BAAJ

    - Published my private security report without consent

    - Implemented my exact fixes hours later

      - https://github.com/FiloSottile/sunlight/commit/f62f9084016c4c377d3855471720d7d0cdea3663
  • Tell HN: Google banned me for reporting CT vulns they fixed hours later
    1 project | news.ycombinator.com | 3 Jul 2025
  • Sunlight, a Certificate Transparency log implementation
    5 projects | news.ycombinator.com | 15 Mar 2024
    This is one of the projects I've been most excited about in the last few years. It let me backport to Certificate Transparency a lot of the modern transparency logging designs that came after it.

    Beyond the Let's Encrypt announcement and the ct-policy thread (which includes a technical and advantages summary), here are a few resources that might be interesting.

    - Design document https://filippo.io/a-different-CT-log

    - Implementation https://github.com/FiloSottile/sunlight

    - API specification https://c2sp.org/sunlight

    - Website, including test logs and feedback channels https://sunlight.dev/

    If you’re thinking “oh we could use something similar” please reach out! Sunlight is retrofitting some of the modern tlog designs on a legacy system. With a greenfield deployment you can do even better! I’m working with the Sigsum project on specs, tooling, and a support ecosystem to make deploying tlogs easier and safer.


Stats

Basic sunlight repo stats
10
242
9.0
4 days ago

FiloSottile/sunlight is an open source project licensed under ISC License which is an OSI approved license.

The primary programming language of sunlight is Go.

