[squid-users] Certificate transparency: problem for ssl-bumping, no effect, or?

Alex Rousskov rousskov at measurement-factory.com
Tue Nov 1 20:03:21 UTC 2016


On 10/31/2016 04:13 PM, L. A. Walsh wrote:
> Google is pushing this for all websites by October 2017

Just Extended Validation (EV) sites, to be exact AFAICT. All other sites
will be forced into the new scheme sometime later. Naturally, this may
result in requests to downgrade mimicked server certificates to remove
the EV extension (assuming we mimic it today).


>    https://www.certificate-transparency.org/what-is-ct
> 
> Seems to indicate that site-local generated and imported
> certs may also be detected as invalid and be disallowed for
> SSL connection approvals.  That would be a major pain

The question is whether the affected browsers will have knobs to disable
CT checks or perhaps to configure custom Certificate Log addresses. If
everything is hard-coded, then bumping is doomed. Otherwise, expect more
sysadmin pains. You can probably answer that question now by studying
Chrome configuration.

Alex.


