ctlog
Definition
Certificate Transparency Log (ctlog) is a publicly accessible, append-only log of digital certificates issued by Certificate Authorities (CAs). It is designed to detect and prevent the issuance of fraudulent or misused certificates by providing a mechanism for monitoring and auditing certificates. This system enhances the security of the Public Key Infrastructure (PKI) by allowing domain owners and other stakeholders to verify that certificates have been properly issued.
Secure Settings Example
{
  "ctlog": {
    "enabled": true,
    "log_servers": [
      "https://ct.googleapis.com/logs/argon2023",
      "https://ct.cloudflare.com/logs/nimbus2023"
    ],
    "min_inclusion": 2
  }
}
This configuration ensures that Certificate Transparency is enabled, specifies trusted log servers, and requires a minimum of two log entries for redundancy and verification.
Insecure Settings Example
{
  "ctlog": {
    "enabled": false,
    "log_servers": [],
    "min_inclusion": 0
  }
}
Disabling Certificate Transparency and not specifying any log servers or minimum inclusion undermines the security benefits of monitoring and auditing certificates, increasing the risk of undetected fraudulent certificates.
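A policy check that distinguishes the two configurations above, as an added example that is not part of this page or of any particular product. It assumes the JSON layout shown above and reads min_inclusion as the number of distinct configured logs a certificate must be included in; both sample configurations are constructed inline.

```python
import json
from urllib.parse import urlparse

# Constructed samples mirroring the page's secure and insecure examples.
SECURE_CONFIG = json.dumps({"ctlog": {
    "enabled": True,
    "log_servers": ["https://ct.googleapis.com/logs/argon2023",
                    "https://ct.cloudflare.com/logs/nimbus2023"],
    "min_inclusion": 2}})
INSECURE_CONFIG = json.dumps({"ctlog": {
    "enabled": False, "log_servers": [], "min_inclusion": 0}})


def check_ctlog_config(raw: str) -> list[str]:
    """Return policy findings for a ctlog config; an empty list means it passes."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc}"]
    ct = cfg.get("ctlog") if isinstance(cfg, dict) else None
    if not isinstance(ct, dict):
        return ["missing 'ctlog' section"]
    findings = []
    if ct.get("enabled") is not True:
        findings.append("ctlog.enabled must be true")
    servers = ct.get("log_servers")
    if not isinstance(servers, list) or not servers:
        findings.append("ctlog.log_servers must list at least one log")
        servers = []
    for url in servers:
        # Log submissions and inclusion proofs must travel over TLS.
        parsed = urlparse(str(url))
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(f"log server {url!r} must be an https:// URL")
    if len(set(servers)) != len(servers):
        findings.append("ctlog.log_servers contains duplicate entries")
    min_incl = ct.get("min_inclusion")
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(min_incl, bool) or not isinstance(min_incl, int) or min_incl < 2:
        findings.append("ctlog.min_inclusion must be an integer >= 2")
    elif min_incl > len(set(servers)):
        findings.append("ctlog.min_inclusion exceeds the number of distinct log servers")
    return findings


if __name__ == "__main__":
    for name, raw in (("secure", SECURE_CONFIG), ("insecure", INSECURE_CONFIG)):
        print(name, check_ctlog_config(raw) or "OK")
```

The final check matters in practice: a min_inclusion larger than the number of distinct logs can never be satisfied and would silently reject every certificate.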