karl's forays into certificate transparency

today i found an api server had a different fingerprint than i expected and i didn't know what to do :throwing hands up in air: i dunno what happened. it's hard to consider. i remember when i learned about certificate transparency and it seemed so cool! i guess i'd better learn what it is. [again]

websearch : "how to check a certificate using transparency" (i was going to learn thoroughly but impatience influence)
Browse to your website, then click on its URL under "Main origin" (on the left, in the security tab). This will display security information about your website. Towards the bottom, there will be a section titled "Certificate Transparency", which will list the SCTs provided by your website. https://github.com/google/certificate-transparency-community-site/blob/maste...
websearched sct transparency, got to https://certificate.transparency.dev/howctworks/ i had to turn on javascript for the content to not cover itself up

SCT -> signed certificate timestamp

1422

:S :S :S :S :S

1425

ok um my browser i don't see SCTs for node2.bundlr.network . it says it is a letsencrypt certificate that was issued mid-march and expires mid-june? both of this year. short-term certificate. i'd expect letsencrypt to participate in certificate transparency BUT my browser is pretty old and may not show the fields. maybe i can find a log and look for certificates for this domain name!

1428

ummmmmmmmmmmmm ok ummmmmmmmmmmmmmmmmmm both of the cert fingerprints are on crt.sh . i dunno if crt.sh is legit it was just some hit from a websearch for ct logs. it seems likely to be legit! the older cert is from cloudflare. it hasn't been revoked. the newer cert is from letsencrypt i guess. it's on fewer logs than the older one. :S both of them expire in june of 2024

1437

so i'm looking at https://crt.sh/?q=bundlr.network and it's confusing, it looks like 4 different certificates for bundlr.network were registered on the same day this march, all for 3 months. meanwhile, one was registered in february that has not yet expired. all via letsencrypt . i dunno whether this means they are handling cert generation issues or if something funny is happening! shouldn't letsencrypt give an explanation in situations like this? (i suppose there is no channel for them to? or i haven't learned about it ;p)

1443

i've sent the link to the site owners. (on discord :S)

1443

1447

we think it has reasonable chance of being nonmalicious. (it looks like ummm multiple entries in the log are sometimes made for a single registration, multiple certificates for the same domain) (and the difference we found was ummm cloudflare vs letsencrypt, which, both have been registered side-by-side for some time, i think) but it has gotten really tense! we are really unsure!
karl's being preventedish from engaging much further, from learning about it further (probably so xboss can take charge) karl is worried he left tension in the discord of the maintainers, which is sadly being maintained

1449