I learned today about this new thing, Certificate Transparency. It's still too early to form an opinion. I've always been a non-supporter of HTTPS strictly due to its dependence on centralized CAs, regardless of its benefits and importance. DANE without DNSSEC (I believe) is the true solution, but I digress.
At first glance my overall problem with RFC 6962 is its strong connection and (current) dependence on Google. The software to run a CTFE is published by Google (even if it's open source); that's a problem. I'm sure with time there will be more implementations, but that won't change the fact that this entire design (just like HTTP2) is of Google's creation. Recent versions of Firefox will (out of the box) not let you connect to a website without first displaying an error message unless your website uses a certificate issued by an approved central authority (that's not new), and that certificate has been 'blessed' by (pretty much) Google's software and protocol (that's the new part).
I think at this point we can make the declaration that Google owns the Internet and is the gatekeeper of information (something we feared Microsoft would become).
The more optimistic side of me sees this as a possible move away from centralized CAs to something slightly less centralized, but still centralized. In CT's current form, the web browser maintains a compiled-in list of CT log servers. At the end of the day an individual still needs to request permission to run a website, otherwise visitors will be greeted with a misleading error message.
Either way, I'm going to attempt to set up some infrastructure and run my own log server and manually build that into my version of Firefox.
HTTPS everywhere was just the start. It was sold as "security" at the expense of just a little bit of liberty. Now look at where we are. This is a full takeover of the web by big tech, and authoritarian censorship.
DANE without DNSSEC. That's the way forward.