, certificate transparency logs can grow to contain many certificates. This large quantity of certificates can cause strain on logs. Temporal sharding is a method to reduce the strain on logs by sharding a log into multiple logs, and having each shard only accept precertificates and certificates with an expiration date in a particular time period (usually a calendar year).
Ah, Certificate Transparency (CT). CT solves the problem I just described by making all certificates public and easy to audit. When CAs issue certificates, they must submit certificates to at least two "public logs." This means that collectively, the logs carry important data about all trusted
Monitors act as clients to the log servers. Monitors check logs to make sure they are behaving correctly. An inconsistency is used to prove that a log has not behaved correctly, and the signatures on the log's data structure (the Merkle tree) prevent the log from denying that misbehavior.
(CA), will issue a certificate for the website that the user's browser can validate. The security of encrypted internet traffic depends on the trust that certificates are only given out by the certificate authority and that the certificate authority has not been compromised.
In February 2022, Google published an update to their CT policy, which removes the requirement for certificates to include an SCT from their own CT log service, matching all the requirements for certificates to those previously published by Apple.
An issued certificate not logged using Certificate Transparency may never be spotted at all. Certificate Transparency makes it possible for the domain owner (and anyone interested) to learn of any certificate issued for a domain.
Certificate Transparency logs maintain their own root stores and only accept certificates that chain back to the trusted roots. A number of misbehaving logs have been publishing inconsistent root stores in the past.
When an internet user interacts with a website, a trusted third party is needed for assurance that the website is legitimate and that the website's encryption key is valid. This third party, called a
from June 1, 2016, after they were found to have issued 187 certificates without the domain owners' knowledge. Since April 2018, this requirement has been extended to all certificates.
Auditors also act as clients to the log servers. Certificate Transparency auditors use partial information about a log to verify the log against other partial information they have.
(TLS) certificates to have proof of being logged with certificate transparency, either through SCTs embedded into the certificate, an extension during the TLS handshake, or through
Domain names that are used on internal networks and have certificates issued by certificate authorities become publicly searchable as their certificates are added to CT logs.
(MMD). At some point within the maximum merge delay, the log operator adds the certificate to their log. Each entry in a log references the hash of a previous one, forming a
, demonstrating existing flaws in the certificate authority ecosystem and prompting work on various mechanisms to prevent or monitor unauthorized certificate issuance.
"Certificate Transparency Version 2.0" was published. Version 2.0 includes major changes to the required structure of the log certificate, as well as support for
launched its own CT log called Oak. Since February 2020, it is included in approved log lists and is usable by all publicly-trusted certificate authorities.
Finally, a CA may decide to log the final certificate as well. Let's Encrypt E1 CA, for example, logs both precertificates and final certificates (see CA
Verify that each submitted certificate or precertificate has a valid signature chain leading back to a trusted root certificate authority certificate.
An applicant, "The natural person or Legal Entity that applies for (or seeks renewal of) a Certificate", requests a certificate from a CA.
One of the problems with digital certificate management is that fraudulent certificates take a long time to be spotted, reported and
Certificate Transparency depends on verifiable Certificate Transparency logs. A log appends new certificates to an ever-growing
In Certificate Transparency Version 2.0, a log must use one of the algorithms in the IANA registry "Signature Algorithms".
for detecting mis-issued certificates the same year. In 2012, they submitted the first draft of the standard to
This applies for certificates issued on or after 15 April 2022. For older certificates, other criteria apply.
Although anyone can submit a certificate to a CT log, this task is commonly carried out by a CA as follows:
, giving website owners and auditors the ability to detect and expose inappropriately issued certificates.
, a certificate which carries a poison extension signalling that it shouldn't be accepted by user agents.
became compromised and started issuing malicious certificates. Google Engineers submitted a draft to the
as a signature algorithm of SCTs and support for including certificate inclusion proofs with the SCT.
Store the entire verification chain from the newly accepted certificate back to the root certificate.
(SCTs), which is a promise from a log operator to include the certificate in their log within a
A log may accept certificates that are not yet fully valid and certificates that have expired.
Apple and Google have separate log programs with distinct policies and lists of trusted logs.
, allowing efficient identification of mistakenly or maliciously issued certificates.
Work on Certificate Transparency first began in 2011 after the certificate authority
It began requiring Certificate Transparency for all certificates newly issued by
Certificate Transparency makes public all issued certificates in the form of a
under 'issued certificates' section), whereas Google GTS CA 2A1 does not (see
Certificates that support certificate transparency must include one or more
In March 2013, Google launched its first certificate transparency log.
"Certificate Transparency" was published, based on the 2012 draft.
extension to the final certificate and provide it to the applicant.
Refuse to publish certificates without this valid signature chain.
's Nimbus series of logs was the first to use temporal sharding.
Due to the large quantities of certificates issued with the Web
Certificate Transparency Version 2.0 (which obsoleted previous
certificate logs. Logs are operated by many parties, including
The certificate transparency system consists of a system of
began requiring Certificate Transparency for newly issued
An example of Certificate Transparency entry on Firefox 89
Duration > 180 days: 3 SCTs from once-approved logs
Duration > 180 days: 3 SCTs from once-approved logs
to record all certificates issued by publicly trusted
Duration ≤ 180 days: 2 SCTs from once-approved logs
Duration ≤ 180 days: 2 SCTs from once-approved logs
, Adam Langley and Emilia Kasper began work on an
In 2011, a reseller of the certificate authority
To be seen as behaving correctly, a log must:
, a Certificate Transparency Log search engine
Present this chain for auditing upon request.
(IETF) in 2012. This effort resulted in IETF
System of public logs of digital certificates
Root stores of Certificate Transparency logs
for monitoring and auditing the issuance of
Certificate Transparency Monitoring by Meta
was attacked and the certificate authority
CA attaches SCTs collected from logs as an
(STH) references the current root of the
, a standard defining a system of public
Current OCSP/TLS extension requirements
Logs return corresponding SCTs to the CA
Certificate Transparency Monitoring by
to implement Certificate Transparency.
Google Certificate Transparency Report
Certificate Transparency Root Explorer
Two SCTs from currently approved logs
Certificate Transparency log programs
One SCT from a currently approved log
One SCT from a currently approved log
1 SCT from a current non-Google log
CA sends the precertificate to logs
Mandatory certificate transparency
under the code-name "Sunlight".
Certificate Transparency auditors
Certificate Transparency monitors
Extended Validation Certificates
announced its own CT log named
1 SCT from a current Google log
Internet Engineering Task Force
certificates on the Internet.
Certificate Transparency logs
signed certificate timestamps
Tools for inspecting CT logs
Current SCT requirements
Transport Layer Security
Certificate Transparency
Cert Spotter by sslmate
certificate authorities
certificate authorities
Some browsers require
CT test on badssl.com
certstream.calidog.io
certificate authority
certificate authority
certificate authority
Signature Algorithms
CA issues a special
digital certificates
On March 23, 2018,
In September 2013,
crt.sh profile page
crt.sh profile page
maximum merge delay
In December 2021,
Technical overview
distributed ledger
- Merkle Town by
ct.cloudflare.com
became the first
Logging procedure
Internet security
Official website
Key Transparency
Merkle hash tree
signed tree head
External links
In June 2013,
precertificate
Censys Search
Let's Encrypt
In May 2019,
Google Chrome
Side Effects
Log sharding
vendors and
open source
compromised
Merkle tree
Merkle tree
append-only
Cloudflare
Cloudflare
Ben Laurie
employees
Advantages
Background
Cloudflare
EZMonitor
Merklemap
In 2015,
framework
DigiNotar
DigiNotar
See also
Symantec
DigiCert
Chromium
Browser
standard
) is an
Sectigo
Ed25519
History
revoked
Firefox
browser
crt.sh
Keytos
crt.sh
Nimbus
Google
Comodo
Safari
Chrome
The
None
None
X.509
6962
9162
Meta
Meta
9162
6962
IETF
was
OCSP
logs
9162
RFC
RFC
by
by
RFC
RFC
PKI
RFC
CT
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.