Good news, the Tuscolo CT logs are now "Qualified" (meaning that some of your certs are/will soon be using our CT log!!) The bad news is that by including our new logs in the well known list of CT logs, some stuff now instantly crashes (seemingly because the array of non "Sunlight" (aka next gen) logs is empty). Impacted things seem to include:
1. 80% of the food delivery app market in Brazil
2. Lots of banks in India
3. Lowes????
4. Basically any app that uses appmattus/certificatetransparency
Suboptimal. More info:
1. https://github.com/appmattus/certificatetransparency/issues/143
2. https://github.com/google/certificate-transparency-go/issues/1712
hnapel@mastodon.soci..
replied 21 Jun 2025 22:47 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/41C7FVBw1sxFptx23b
benjojo
replied 21 Jun 2025 22:52 +0000
in reply to: https://mastodon.social/users/hnapel/statuses/114723785638873418
waldi@chaos.social
replied 23 Jun 2025 16:14 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/41C7FVBw1sxFptx23b
@benjojo Why do people create app-only stuff and still rely on WebPKI? If you control both sides, you can do whatever you want.
benjojo
replied 23 Jun 2025 18:57 +0000
in reply to: https://chaos.social/users/waldi/statuses/114733563752009004
@waldi I think the intention here is that you are a banking app and you want to ensure that the TLS certificates that the client is getting are valid as well according to CT (this is not a problem on modern android API versions, but old phones exist etc). The other obvious (and maybe this is the real reason) upside to using a lib like this is that a TLS MITM proxy for reverse engineering etc no longer works, because no matter if the TLS cert root is trusted, it will not have a valid SCT inside of it.
waldi@chaos.social
replied 23 Jun 2025 19:07 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/4ZXv9XM2381lJD4bQT
@benjojo No. If you control both sides of the application, you have zero need to tap into WebPKI. This is governed by the CA/Browser Forum, and the name provides information about who the stakeholders are; and this does not include you as random app provider. So in all the cases, where the provider even refuses to provide a non-app web interface, you are better with a private CA. And no, SCT checks only work on pre-defined CA, not MITM CA added by hand.
benjojo
replied 23 Jun 2025 19:16 +0000
in reply to: https://chaos.social/users/waldi/statuses/114734243920660626
@waldi From having been on the banking side of this equation, there is often some regulatory pressure to ensure that the CA/PKI you are using is secure to some standard, the most easy thing to comply with this is to just use the WebPKI CAs
benjojo
replied 21 Jun 2025 18:33 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/41C7FVBw1sxFptx23b
tl;dr the applications are seeing in the list of logs json blob this:
{
  "name": "Geomys",
  "email": [
    "ct@geomys.org"
  ],
  "logs": [],
  "tiled_logs": [
    {
      "description": "Geomys 'Tuscolo2025h2'",
      [etc etc]
and ignores the tiled_logs array (because it doesn't support that) and explodes at the empty logs array
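As an added example (not code from the thread or from either library discussed in it), a Go reader for the log list shape quoted above that treats an operator with an empty logs array and a populated tiled_logs as valid; the sample JSON, the second operator and the log_id values are constructed placeholders, and the struct tags cover only the fields this example reads.

```go
package main
import "encoding/json"

// Constructed sample in the shape of the list quoted above; log_id values are placeholders.
const sampleLogList = `{"operators": [
  {"name": "Geomys", "email": ["ct@geomys.org"], "logs": [],
   "tiled_logs": [{"description": "Geomys 'Tuscolo2025h2'", "log_id": "PLACEHOLDER_A"}]},
  {"name": "Example Operator", "logs": [{"description": "classic", "log_id": "PLACEHOLDER_B"}]}]}`
type logEntry struct {
	Description string `json:"description"`
	LogID       string `json:"log_id"`
}
type operator struct {
	Name      string     `json:"name"`
	Logs      []logEntry `json:"logs"`       // classic RFC 6962 logs
	TiledLogs []logEntry `json:"tiled_logs"` // Sunlight / tiled logs
}

// knownLogs maps every log ID in both arrays to its operator name. An
// operator with "logs": [] and only tiled_logs is valid, not an error.
func knownLogs(data []byte) (map[string]string, error) {
	var ll struct {
		Operators []operator `json:"operators"`
	}
	if err := json.Unmarshal(data, &ll); err != nil {
		return nil, err
	}
	out := make(map[string]string)
	for _, op := range ll.Operators {
		for _, l := range op.Logs {
			out[l.LogID] = op.Name
		}
		for _, l := range op.TiledLogs {
			out[l.LogID] = op.Name
		}
	}
	return out, nil
}
// firstLogDescription is the guarded form of a bare op.Logs[0] access, which
// panics with index out of range on an operator like Geomys above.
func firstLogDescription(op operator) (string, bool) {
	if len(op.Logs) > 0 {
		return op.Logs[0].Description, true
	}
	if len(op.TiledLogs) > 0 {
		return op.TiledLogs[0].Description, true
	}
	return "", false
}
```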
benjojo
replied 21 Jun 2025 22:10 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/vD83XN8mxGVMxw5Dsl
All right, well, all of the shareholder value I've ever provided in my career has now been offset by the amount of shareholder value that has been removed via this incident I suppose
inviridi@metalhead.c..
replied 21 Jun 2025 22:14 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/ksf4g2GZQ8d13C3Tf6
benjojo
replied 21 Jun 2025 22:15 +0000
in reply to: https://metalhead.club/users/inviridi/statuses/114723654751367991
@inviridi oh! I'm not necessarily sad about that fact! At the end of the day this incident was entirely beyond my control so I'm not really going to lose too much sleep over it, I am merely linked to it by association of being the 1 half of the log operator team
kouett@soc.kouett.ne..
replied 21 Jun 2025 22:17 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/3bXd89WCv2tN2g3BS6
womble@infosec.excha..
replied 21 Jun 2025 22:23 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/ksf4g2GZQ8d13C3Tf6
@benjojo remember to account for all the innocent joy I've had watching people get hoisted by a petard very much of their own making.
jeroen@secluded.ch
replied 22 Jun 2025 14:19 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/ksf4g2GZQ8d13C3Tf6
marius@kiessling.soc..
replied 22 Jun 2025 14:57 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/vD83XN8mxGVMxw5Dsl
grawity@social.treeh..
replied 21 Jun 2025 22:08 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/41C7FVBw1sxFptx23b
sedje@fosstodon.org
replied 21 Jun 2025 22:23 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/41C7FVBw1sxFptx23b
growse@hachyderm.io
replied 22 Jun 2025 06:54 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/41C7FVBw1sxFptx23b
@benjojo Oh! It's YOU! I was reading about the android CT kerfuffle and thought "huh, wonder who's doing something new in the CT space" :)
nicoduck@chaos.socia..
replied 22 Jun 2025 11:49 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/41C7FVBw1sxFptx23b