merklecounty / rget

download URLs and verify the contents against a publicly recorded cryptographic log
https://merklecounty.com
Apache License 2.0

FAQ about malicious SHA256SUM edits needs clarification #20

Open mricon opened 5 years ago

mricon commented 5 years ago

The FAQ says that if an attacker edits the checksums file and re-issues a new certificate, it would show up in the CT logs, but it doesn't clarify if rget would alert the user about this situation. Does rget fail in this case, or is there a need for external monitoring to alert maintainers about such situations?

philips commented 5 years ago

There is a need for external auditors and monitoring. For example an interested party might want to subscribe to an RSS feed of all issued certs for their subdomain.

For example, crt.sh offers this service:

This sort of external auditing/monitoring by external parties is how the CA infrastructure is kept secure by Certificate Transparency as well.
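One shape such external monitoring can take, as an added example that is not part of rget or of this thread: a small Go program that decodes a crt.sh JSON query for a subdomain, diffs the certificate ids it returns against the ids the maintainer has recorded as legitimately issued, and reports anything else. The crt.sh query parameters and JSON field names used here are assumptions drawn from its public output and should be checked against a live query; the response body embedded below is constructed sample data, not a real crt.sh result.

```go
// Added example (not rget's code): a minimal Certificate Transparency monitor
// that diffs crt.sh JSON results for a subdomain against the certificates a
// maintainer already knows about and reports anything new. The crt.sh query
// format and JSON field names are assumptions based on its public output;
// verify them against a live query before relying on this.
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// CTEntry mirrors the fields this example expects in crt.sh's JSON output.
type CTEntry struct {
	ID           int64  `json:"id"`          // crt.sh certificate id
	IssuerName   string `json:"issuer_name"` // issuer distinguished name
	CommonName   string `json:"common_name"`
	NameValue    string `json:"name_value"` // newline-separated SANs
	NotBefore    string `json:"not_before"`
	NotAfter     string `json:"not_after"`
	SerialNumber string `json:"serial_number"`
}

// QueryURL builds the crt.sh JSON query for every certificate whose name is
// the domain or any subdomain of it ("%." is crt.sh's wildcard prefix).
func QueryURL(domain string) string {
	return "https://crt.sh/?q=" + url.QueryEscape("%."+domain) + "&output=json"
}

// ParseCrtSh decodes a crt.sh JSON response body into entries.
func ParseCrtSh(body []byte) ([]CTEntry, error) {
	var entries []CTEntry
	if err := json.Unmarshal(body, &entries); err != nil {
		return nil, fmt.Errorf("decode crt.sh response: %w", err)
	}
	return entries, nil
}

// Names returns all DNS names on the certificate (CN plus SANs), lowercased
// and deduplicated, so an alert shows exactly which names were covered.
func (e CTEntry) Names() []string {
	seen := map[string]bool{}
	var names []string
	for _, n := range append([]string{e.CommonName}, strings.Split(e.NameValue, "\n")...) {
		n = strings.ToLower(strings.TrimSpace(n))
		if n != "" && !seen[n] {
			seen[n] = true
			names = append(names, n)
		}
	}
	return names
}

// Unexpected returns the entries whose crt.sh id is not in the maintainer's
// record of legitimately issued certificates. Every returned entry deserves
// a look: it is either a cert the maintainer forgot to record or one issued
// after an attacker edited the checksums file, which is what CT makes visible.
func Unexpected(entries []CTEntry, known map[int64]bool) []CTEntry {
	var out []CTEntry
	for _, e := range entries {
		if !known[e.ID] {
			out = append(out, e)
		}
	}
	return out
}

// sampleResponse is a constructed crt.sh-style response (not real data): two
// certificates for names under releases.example.com, ids 1001 and 1002.
const sampleResponse = `[
  {"id": 1001, "issuer_name": "CN=Example CA", "common_name": "releases.example.com",
   "name_value": "releases.example.com", "not_before": "2019-06-01T00:00:00",
   "not_after": "2019-08-30T00:00:00", "serial_number": "01"},
  {"id": 1002, "issuer_name": "CN=Example CA", "common_name": "releases.example.com",
   "name_value": "releases.example.com\nv1.2.3.releases.example.com",
   "not_before": "2019-06-15T00:00:00", "not_after": "2019-09-13T00:00:00", "serial_number": "02"}
]`

// Check runs the diff on the sample: only id 1001 is recorded as known, so
// id 1002 is reported as unexpected.
func Check() ([]CTEntry, error) {
	entries, err := ParseCrtSh([]byte(sampleResponse))
	if err != nil {
		return nil, err
	}
	known := map[int64]bool{1001: true}
	return Unexpected(entries, known), nil
}

func main() {
	fmt.Println("poll:", QueryURL("releases.example.com"))
	alerts, err := Check()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("ALERT: unrecorded certificate crt.sh id %d issued by %q for %v (valid %s to %s)\n",
			a.ID, a.IssuerName, a.Names(), a.NotBefore, a.NotAfter)
	}
}
```

In use, the body passed to ParseCrtSh would come from an HTTP GET of QueryURL on a schedule, and the known-id set would be persisted after each legitimate release; the diff itself is the part worth automating, since a cert that nobody on the project recorded is exactly the signal the FAQ says CT exposes.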

philips commented 5 years ago

I think we should add an FAQ on this and also link to some providers of auditing services in the Documentation/integrations.md file.