Cloudflare's recommendation on a CT log alert: Improvise (cloudflare.com)
2 points by xg15 on March 23, 2024 | 1 comment


Some notes why I posted this: I was surprised to read in some HN discussions recently that TLS certificate pinning is discouraged and CT log monitoring is promoted as an alternative.

Key pinning has a lot of risks and problems, but I didn't see how CT log monitoring could be a viable alternative: Log monitoring may give you reliable alerts (within 24h granularity and with lots of false positives though) that someone may try to impersonate your domain, but it always seemed pretty nebulous to me what you're then supposed to do with that information - if you happen to not be Google and can't just push a global update to Chrome to put the certificate and CA on the ban list. (In contrast to key pinning, where you have the means to prevent impersonation, even if those means come with a lot of footguns to be aware of.)

I just found out that deprecating key pinning in favour of CT monitoring is indeed Cloudflare's official policy. So I was curious what their recommended course of action is when a domain owner is notified of a malicious certificate. Turns out, it's "improvise".

So I'd like to know what your best practices would be to deal with such a situation.
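As an added illustration (not from the post, Cloudflare, or any monitoring product) of the reconciliation step that turns raw CT hits into something actionable: the monitor's output is compared against the owner's own issuance records, so renewals and lookalike-name matches (the false positives mentioned above) are separated from certificates nobody on the owner's side requested. All fingerprints, CA names and entries below are constructed sample data.

```python
"""Triage CT-log hits for a domain against the owner's own certificate
inventory. Added example with constructed data, not Cloudflare's code."""
from dataclasses import dataclass

# Constructed inventory: SHA-256 fingerprints of leaf certs we issued
# ourselves and the CAs we actually use. In practice both come from your
# ACME client or issuance records; without them every hit looks alike.
APEX = "example.com"
KNOWN_FINGERPRINTS = {"a1" * 32, "b2" * 32}
EXPECTED_ISSUERS = {"Example CA R3"}

@dataclass
class CTEntry:
    fingerprint_sha256: str   # hex, lowercase
    issuer: str               # issuer CN as reported by the log monitor
    names: list               # subjectAltName dNSNames

def covers_domain(name: str, apex: str) -> bool:
    """True if a SAN is the apex, a subdomain of it, or a wildcard under it.
    A plain substring search would also flag lookalikes such as 'notexample.com'."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == apex or name.endswith("." + apex)

def classify(entry: CTEntry, apex=APEX, known=KNOWN_FINGERPRINTS,
             issuers=EXPECTED_ISSUERS) -> str:
    if not any(covers_domain(n, apex) for n in entry.names):
        return "irrelevant"                   # monitor matched a lookalike only
    if entry.fingerprint_sha256.lower() in known:
        return "known"                        # we issued this one ourselves
    if entry.issuer in issuers:
        return "unrecorded-expected-issuer"   # probably a renewal; reconcile
    return "unexpected-issuer"                # nobody on our side asked this CA

def triage(entries, **kw) -> dict:
    """Bucket entries by verdict so only the last bucket wakes anyone up."""
    out = {}
    for e in entries:
        out.setdefault(classify(e, **kw), []).append(e.fingerprint_sha256)
    return out

# Constructed CT hits as a monitor might report them for "example.com".
SAMPLE = [
    CTEntry("a1" * 32, "Example CA R3", ["example.com", "www.example.com"]),
    CTEntry("c3" * 32, "Example CA R3", ["*.example.com"]),
    CTEntry("d4" * 32, "Other CA", ["login.example.com"]),
    CTEntry("e5" * 32, "Other CA", ["notexample.com"]),
]
```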



