From [1]:

> In one case, a prominent Dutch CA (DigiNotar) was compromised and the hackers were able to use the CA’s system to issue fake SSL certificates. The certificates were used to impersonate numerous sites in Iran, such as Gmail and Facebook, which enabled the operators of the fake sites to spy on unsuspecting site users.

When this happens as the result of malicious actions (unlike the case FB shows here), what actions can the legitimate site operator take to protect their users from this eavesdropping? Presumably you could contact the CA and get the revocation. But even if the CRL's updated, what is the latency to get the browser's trust store sync'd up? And can't state actors just block CRL updates? Do browsers warn users when the CRL can't be updated (after so many attempts or so much time)?

[1] http://www.certificate-transparency.org/what-is-ct
Is there an API for certificate transparency logs? I'd love to have a monitoring system that checks if unauthorized certificates are detected for my domains.
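Added example, not code from this thread, from Facebook or from any CT log operator: a small Python monitor that consumes entries in the JSON shape an RFC 6962 log returns from `/ct/v1/get-entries` (`leaf_input` is a base64 `MerkleTreeLeaf`), decodes the leaf header, pulls the dNSName entries out of the subjectAltName extension with a minimal DER walker, and reports any entry that names a watched domain. The certificates below are constructed skeletons built inline so the example runs offline (no issuer, validity or key; a real precert entry carries a TBSCertificate), and `example.com` / `example.net` are sample watched domains; in real use you would page through `get-entries` with the tree size from `/ct/v1/get-sth`.

```python
import base64
import struct

SAN_OID_BODY = b"\x55\x1d\x11"  # DER body of OID 2.5.29.17 (subjectAltName)


# --- DER helpers, used only to construct the sample entries ---------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def fake_cert(dns_names, tbs_only=False):
    """Constructed certificate skeleton: version, serial and a SAN extension only."""
    general_names = b"".join(der(0x82, n.encode("ascii")) for n in dns_names)  # [2] dNSName
    san_ext = der(0x30, der(0x06, SAN_OID_BODY) + der(0x04, der(0x30, general_names)))
    extensions = der(0xA3, der(0x30, san_ext))  # [3] EXPLICIT Extensions
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + extensions)
    if tbs_only:
        return tbs  # what a precert_entry carries (TBSCertificate)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))  # + empty sigalg/sig


def leaf_input(timestamp_ms, entry_type, payload):
    """Build a base64 MerkleTreeLeaf (RFC 6962 s3.4): v1, timestamped_entry."""
    out = b"\x00\x00" + struct.pack(">QH", timestamp_ms, entry_type)
    if entry_type == 1:
        out += b"\x00" * 32  # issuer_key_hash placeholder (constructed sample)
    out += len(payload).to_bytes(3, "big") + payload + b"\x00\x00"  # 24-bit len, no extensions
    return base64.b64encode(out).decode()


# --- Monitor side ---------------------------------------------------------
def parse_leaf(b64):
    """Return (timestamp_ms, entry_type, der_bytes) from a get-entries leaf_input."""
    raw = base64.b64decode(b64)
    if raw[0] != 0 or raw[1] != 0:
        raise ValueError("unsupported leaf version/type")
    ts, entry_type = struct.unpack(">QH", raw[2:12])
    pos = 12
    if entry_type == 1:
        pos += 32  # skip issuer_key_hash of a precert_entry
    elif entry_type != 0:
        raise ValueError("unknown entry_type %d" % entry_type)
    n = int.from_bytes(raw[pos:pos + 3], "big")
    return ts, entry_type, raw[pos + 3:pos + 3 + n]


def der_iter(data):
    """Yield (tag, body) for consecutive DER TLVs; refuses lengths past the buffer."""
    pos = 0
    while pos < len(data):
        tag, first = data[pos], data[pos + 1]
        pos += 2
        if first & 0x80:
            nb = first & 0x7F
            length = int.from_bytes(data[pos:pos + nb], "big")
            pos += nb
        else:
            length = first
        if pos + length > len(data):
            raise ValueError("truncated DER element")
        yield tag, data[pos:pos + length]
        pos += length


def find_san_names(der_bytes):
    """Depth-first search for the SAN extension; return its dNSName values, lower-cased."""
    names = []

    def walk(data):
        for tag, body in der_iter(data):
            if tag == 0x30:
                items = list(der_iter(body))
                if len(items) >= 2 and items[0][0] == 0x06 and items[0][1] == SAN_OID_BODY:
                    for _, seq_body in der_iter(items[-1][1]):  # OCTET STRING -> SEQUENCE OF GeneralName
                        for gtag, gbody in der_iter(seq_body):
                            if gtag == 0x82:
                                names.append(gbody.decode("ascii").lower())
                    continue
            if tag & 0x20:  # constructed element: descend
                walk(body)

    walk(der_bytes)
    return names


def name_matches(name, watched):
    """True if a certificate name covers a watched domain (exact, subdomain or wildcard)."""
    base = name[2:] if name.startswith("*.") else name
    return any(base == w or base.endswith("." + w) for w in watched)


def scan_entries(entries, watched_domains):
    """Run over get-entries style JSON and return the entries naming a watched domain."""
    hits = []
    for idx, entry in enumerate(entries):
        ts, entry_type, cert_der = parse_leaf(entry["leaf_input"])
        matched = sorted({n for n in find_san_names(cert_der) if name_matches(n, watched_domains)})
        if matched:
            hits.append({"index": idx, "timestamp_ms": ts, "precert": entry_type == 1, "names": matched})
    return hits


# Constructed sample response and watch list
SAMPLE_ENTRIES = [
    {"leaf_input": leaf_input(1455000000000, 0, fake_cert(["www.example.com", "example.com"]))},
    {"leaf_input": leaf_input(1455000001000, 1, fake_cert(["shop.example.net"], tbs_only=True))},
    {"leaf_input": leaf_input(1455000002000, 1, fake_cert(["*.example.com"], tbs_only=True))},
]
WATCHED = {"example.com"}

if __name__ == "__main__":
    for hit in scan_entries(SAMPLE_ENTRIES, WATCHED):
        print(hit)
```

Precert entries matter as much as certificate entries: a CA logs the precertificate before issuing, so a hit on one is the earliest signal you can get. A real monitor should also compare the issuer against the CAs you actually use, since a correctly logged certificate from an unexpected CA is exactly the case this thread is about.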
> [A thank you to Let's Encrypt] Let's Encrypt's issuance in this event was technically correct, and thanks to their commitment to best practices like CT, we were able to discover our internal policy violation and take action to prevent these types of issues in the future. The security team at Let's Encrypt responded quickly and helpfully to our inquiries. Facebook continues to support the Let's Encrypt project and we appreciate their assistance with this investigation.

I continue to be impressed with the Let's Encrypt team's professionalism in their interactions with everyone in the security community. It makes me happy to see post-mortems like this one where everything went as it should have and the issue was resolved without any breach in security. Really reflects well on Let's Encrypt and Facebook's product security team.