diff --git a/assets/scss/colors.scss b/assets/scss/colors.scss
index 4f7ce6a..5fed2c7 100644
--- a/assets/scss/colors.scss
+++ b/assets/scss/colors.scss
@@ -46,7 +46,13 @@ $palettes: (
 "mid": #D6FFF8,
 "dark": #00B3B2,
 "full": #178270
- )
+ ),
+ markdown: (
+ "tint": #fafaff,
+ "mid": #e5e5ff,
+ "dark": #7575f0,
+ "full": #3333cc
+ ),
 );
 
 @each $page, $colors in $palettes {
diff --git a/assets/scss/ct.scss b/assets/scss/ct.scss
index 6a6e27d..9f722b2 100644
--- a/assets/scss/ct.scss
+++ b/assets/scss/ct.scss
@@ -17,3 +17,4 @@
 @import 'logtable.scss';
 @import 'community.scss';
 @import 'actors.scss';
+@import 'markdown.scss';
diff --git a/assets/scss/markdown.scss b/assets/scss/markdown.scss
new file mode 100644
index 0000000..f11e1f2
--- /dev/null
+++ b/assets/scss/markdown.scss
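Review bot: The new `markdown` palette writes its hex values in lowercase (`#fafaff`, `#e5e5ff`, `#7575f0`, `#3333cc`) while the neighbouring entries in the same hunk use uppercase (`#D6FFF8`, `#00B3B2`, `#178270`); both compile identically, so this is a style point, but mixed case inside one map reads as two authors. I would match the existing convention, `"tint": #FAFAFF,` and so on. The map key `markdown` is unquoted whereas markdown.scss looks it up with `map-get($palettes, "markdown")`; Sass treats quoted and unquoted strings as equal map keys, so the lookup works, but quoting the key the same way as the lookup makes the link between the two files easier to grep. The `$palettes` map begins before this hunk, so I cannot see how the sibling page keys are written.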
@@ -0,0 +1,116 @@
+.markdown {
+ margin-bottom: 10rem;
+
+ @include md {
+ width: 75%;
+ margin-left: 12.5%;
+ }
+
+ nav {
+ ul {
+ list-style: decimal;
+ font-family: $font-mono, monospace;
+ line-height: 1.75rem;
+ margin-left: 0;
+ margin-top: 0;
+ li {
+ margin-bottom:0;
+ margin-left: 0;
+ a {
+ color: map-get(map-get($palettes, "markdown"), "full");
+ }
+ }
+ }
+ }
+
+ .markdown-heading {
+ margin: 4rem 0 4rem 0;
+
+ h4 {
+ font-family: $font-mono, monospace;
+ font-weight: bold;
+ font-size: 1rem;
+ margin: 0;
+ line-height: 1.75rem;
+ padding-bottom: 0;
+ }
+ }
+
+ h1 {
+ margin: 0 0 2rem;
+ font-size: 3rem;
+ letter-spacing: -0.04em;
+ font-weight: 800;
+ line-height: 1.1;
+
+ @include sm {
+ font-size: 2.6rem;
+ br {
+ display: none;
+ }
+ }
+
+ @include md {
+ margin: 0 0 1rem;
+ }
+ }
+
+ h2 {
+ font-weight: 600;
+ line-height: 1;
+ color: $col-greyish;
+ line-height: 115%;
+ letter-spacing: -0.035em;
+ font-size: 1.6rem;
+ font-weight: 700;
+
+ @include sm {
+ margin: 9.5vw 0 4.75vw 0;
+ // padding: 0 1rem;
+ padding: 0;
+ }
+ @include md {
+ margin: 3.5rem 0 1rem 0;
+ }
+ }
+
+ h3 {
+ font-weight: 700;
+ margin: 2rem 0 1rem;
+ font-size: 1.3rem;
+ letter-spacing: -0.035em;
+ line-height: 105%;
+ color: $col-greyish;
+ }
+
+ p, li {
+ margin: 0 0 1rem;
+ font-family: $font-mono, monospace;
+ font-size: 0.8rem;
+ line-height: 1.75;
+ }
+}
+
+.log-callout {
+ padding: 10px 12px;
+ border: 1px solid $col-black;
+ border-radius: 2px;
+ margin-bottom: 24px;
+ background: map-get(map-get($palettes, "markdown"), "tint");
+ h4 {
+ font-weight: 700;
+ letter-spacing: -0.035em;
+ margin: 0.5rem 0;
+ font-size: 1rem;
+ color: $col-black;
+ }
+ p {
+ font-family: $font-mono, monospace;
+ font-size: 0.8rem;
+ margin: 0 0 0;
+ &:last-child {
+ margin: 0;
+ }
+ }
+}
+
diff --git a/content/markdown/getting-started.md b/content/markdown/getting-started.md
new file mode 100644
index 0000000..720a32f
--- /dev/null
+++ b/content/markdown/getting-started.md
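Review bot: The `h2` rule inside `.markdown` declares `font-weight` twice (`600`, then `700`) and `line-height` twice (`1`, then `115%`); the later declaration wins in CSS, so `font-weight: 600;` and `line-height: 1;` are dead and only invite the next editor to change the wrong one. I would delete those two lines and keep `line-height: 115%;` and `font-weight: 700;`. The same rule's `@include sm` block commits a commented-out `// padding: 0 1rem;` beside the live `padding: 0;`, which should be removed rather than kept as history. In `.log-callout p`, `margin: 0 0 0;` already zeroes every side, so the following `&:last-child { margin: 0; }` is a no-op as written; either the base margin was meant to be non-zero or the last-child rule can go.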
@@ -0,0 +1,91 @@ +--- +title: Getting Started +url: /getting-started +layout: markdown +show_table_of_contents: true +--- + +So you want to get on board with Certificate Transparency? The steps you should +take depend on your role. Are you doing so on behalf of a website, certificate +authority (CA) or user agent (e.g. a browser)? + +## Website + +**Most website operators shouldn't need to do anything** - your CA should have +submitted your HTTPS certificate to a suitable number of CT logs and embedded +SCTs in the certificate before giving it to you. However, if you'd like to check +this for yourself, you can do so using Google Chrome. Open Chrome's developer +tools (under "More tools" in the Chrome menu) and switch to the security tab. +Browse to your website, then click on its URL under "Main origin" (on the left, +in the security tab). This will display security information about your website. +Towards the bottom, there will be a section titled "Certificate Transparency", +which will list the SCTs provided by your website. If this section is not +displayed, then your website did not provide any SCTs and is not compliant with +Certificate Transparency. Otherwise, you can compare the listed SCTs with +Chrome's policy to check whether the provided SCTs are sufficient. + +![Show Chrome SCTs](/img/markdown/chrome_scts.png "Chrome SCTs") + +## CA + +A certificate authority can generate pre-certificates and submit them to CT logs +in order to embed [SCTs](https://certificate.transparency.dev/howctworks) in +the certificates they provide to their customers. So long as these SCTs are +compliant with the CT policies of browsers (e.g. +[Chrome's policy](https://github.com/chromium/ct-policy/blob/master/ct_policy.md#qualifying-certificate), +their customers should not need to do anything in order to benefit from +Certificate Transparency. 
The process for generating a pre-certificate is +described in [RFC6962](https://tools.ietf.org/html/rfc6962#section-3.1) and +implemented in most certificate issuance software. There is some value in also +logging the final issued certificate, as it allows CT monitors to see which SCTs +were embedded in it and thereby determine the impact of a CT log being +distrusted by a user agent. + +The Chrome team usually insist that any CT log trusted by Chrome is operated in +a fair, open manner. This means they should accept certificates issued by any +root certificate in the major root stores (managed by Microsoft, Apple and +Mozilla) and have reasonable rate limits. Therefore, it should be possible to +immediately begin submitting to most, if not all, of the logs in +[Chrome's log list](https://source.chromium.org/chromium/chromium/src/+/master:components/certificate_transparency/data/log_list.json), +so long as your root certificate is in one of these stores. You can find out +which root certificates are trusted by a CT log by downloading its +[/ct/v1/get-roots](https://tools.ietf.org/html/rfc6962#section-4.7) response. +However, note that it takes around 6 months for updates to Chrome's log list to +reach most of its users, so relying on SCTs from recently-added CT logs may +cause a certificate to only satisfy Chrome's policy in the latest version of +their browser. + +### Testing + +Many CT log operators run test logs for CAs to perform integration testing +against, e.g. - +[Google's testtube log](certificate.transparency.dev/known-logs) - +[Comodo's Dodo log](https://github.com/Comodo-CA/CTLogs-AcceptedRoots) - +[Let's Encrypt's Testflume log](https://letsencrypt.org/docs/ct-logs/) + +These are typically free to use but require that you send them your root +certificate first. They may have additional requirements as well, e.g. that the +root certificate's subject contains the word "test". 
+ +## User Agent + +There are a few things that a user agent can do to improve security for their +users using Certificate Transparency. + +### Verifying SCTs + +The simplest thing that a user agent can do is verify that a certificate is +accompanied by a reasonable number of +[SCTs](https://certificate.transparency.dev/howctworks) with valid signatures. +This requires [a list of trusted CT logs] containing their public keys. + +### Checking a certificate for inclusion in CT logs + +A user agent can confirm that an SCT has been honoured (an SCT is a promise to +include a certificate in a log) by requesting an inclusion proof from the CT log +that issued it. This requires having an STH (signed tree head) from that CT log +that is newer than the SCT by at least that log's MMD (maximum merge delay). +Requesting an inclusion proof may compromise the user's privacy (by revealing to +that CT log that the user visited the website with the corresponding +certificate) so a privacy-preserving method of requesting the proof should be +used. This is an area of active research at Google, as well as in academia. diff --git a/content/markdown/known-logs.md b/content/markdown/known-logs.md new file mode 100644 index 0000000..9cd877f --- /dev/null +++ b/content/markdown/known-logs.md 
@@ -0,0 +1,102 @@ +--- +title: Google / Known Logs +url: /google +layout: markdown +aliases: + - /known-logs +--- + +# Known Logs + +The list of CT Logs that are currently compliant with Chrome's CT policy (or +have been and were disqualified), and are **included in Chrome**: +https://www.gstatic.com/ct/log_list/v2/log_list.json + +`log_list.json` is signed by Google, the signature being hosted at: +https://www.gstatic.com/ct/log_list/v2/log_list.sig + +`log_list.json` and the corresponding log_list.sig can also be obtained by +downloading the zip file containing both of them, found at: +https://www.gstatic.com/ct/log_list/v2/log_list.zip + +The public key to verify `log_list.sig` can be found at: +https://www.gstatic.com/ct/log_list/v2/log_list_pubkey.pem + +The list of all known and announced CT Logs: +https://www.gstatic.com/ct/log_list/v2/all_logs_list.json + +Both `log_list.json` and `all_logs_list.json` conform with the following schema: +https://www.gstatic.com/ct/log_list/v2/log_list_schema.json + +To check whether Logs are currently **pending inclusion in Chrome**, check the +Chromium inclusion bugs: +[https://crbug.com/?q=component%3AInternals>Network>CertTrans](https://crbug.com/?q=component%3AInternals>Network>CertTrans) + +## Special Purpose Logs + +{{< log-callout url="https://ct.googleapis.com/daedalus/" base64LogID="HQJLjrFJizRN/YfqPvwJlvdQbyNdHUlwYaR3PEOcJfs=" operator="Google" contact="google-ct-logs@googlegroups.com" >}} + +Daedalus is not trusted by Chrome. It only logs certificates that have expired. +See the announcement post [announcement post](https://groups.google.com/forum/#!topic/certificate-transparency/GUgWzCSN30I). + +{{< log-callout url="https://ct.googleapis.com/submariner/" base64LogID="qJnYeAySkKr0YvMYgMz71SRR6XDQ+/WR73Ww2ZtkVoE=" operator="Google" contact="google-ct-logs@googlegroups.com" >}} + +Submariner is not trusted by Chrome. 
It only logs certificates that chain to +roots that are on track for inclusion in browser roots or were trusted at some +previous point +[announcement blog post](https://security.googleblog.com/2016/03/certificate-transparency-for-untrusted.html). + +## Test Logs + +These logs are intended for **testing purposes only** and will only log +certificates that chain to a test root explicitly added to it. + +To add a test root to the Google test Logs, please email +`google-ct-logs@googlegroups.com` + +A test root should: + +1. have a certificate `Subject` field that: + + a) includes the word `test`, `dev`, `demo` or `staging` (to reduce the + chance of real certificates being mixed up with test certificates). + + b) identifies the organization that the test root is for (to allow easy + classification of test traffic). + +2. not allow real certificates to chain to it, either because: + + a) it is a self-signed root CA certificate identified as a test certificate + (as above). + + b) it is an intermediate CA certificate that chains to a root certificate + that is also identified as a test certificate. + +3. be a CA certificate, by: + + a) having CA:TRUE in the Basic Constraints extension. + + b) include the 'Certificate Sign' bit in the Key Usage extension. + +4. be in PEM format (with a .cer or .pem extension). + +For historical reasons, Google's test logs include some test roots that do not +comply with all of the above requirements. 
+ +Google's test Logs are: + +{{< log-callout url="https://ct.googleapis.com/logs/crucible/" base64LogID="w78Dp+HKiEHGB7rj/0Jw/KXsRbGG675OLPP8d4Yw9fY=" operator="Google" contact="google-ct-logs@googlegroups.com" >}} + +{{< log-callout url="https://ct.googleapis.com/logs/solera2018/" base64LogID="UutLIl7IlpdIUGdfI+Q7wdAh4yFM5S7NX6h8IDzfygM=" operator="Google" contact="google-ct-logs@googlegroups.com" expiryRange="Jan 01 2018 00:00:00Z inclusive to Jan 01 2019 00:00:00Z exclusive" >}} + +{{< log-callout url="https://ct.googleapis.com/logs/solera2019/" base64LogID="C3YOmouaaC+ImFsV6UdQGlZEa7qIMHhcOEKZQ4ZFDAA=" operator="Google" contact="google-ct-logs@googlegroups.com" expiryRange="Jan 01 2019 00:00:00Z inclusive to Jan 01 2020 00:00:00Z exclusive" >}} + +{{< log-callout url="https://ct.googleapis.com/logs/solera2020/" base64LogID="H8cs5aG3mfQAw1m/+WyjkTVI6GRCIGEJUum6F3T3usc=" operator="Google" contact="google-ct-logs@googlegroups.com" expiryRange="Jan 01 2020 00:00:00Z inclusive to Jan 01 2021 00:00:00Z exclusive" >}} + +{{< log-callout url="https://ct.googleapis.com/logs/solera2021/" base64LogID="o8mYRegKt84AFXs3Qt8CB90nKytgLs+Y7iwS25xa5+c=" operator="Google" contact="google-ct-logs@googlegroups.com" expiryRange="Jan 01 2021 00:00:00Z inclusive to Jan 01 2022 00:00:00Z exclusive" >}} + +{{< log-callout url="https://ct.googleapis.com/logs/solera2022/" base64LogID="aXqvyhprU2+uISBQRt661+Dq6hPSQy5unY+zefK5qvM=" operator="Google" contact="google-ct-logs@googlegroups.com" expiryRange="Jan 01 2022 00:00:00Z inclusive to Jan 01 2023 00:00:00Z exclusive" >}} + +{{< log-callout url="https://ct.googleapis.com/logs/solera2023/" base64LogID="+X6XuNM+96FZAqU6GeF5kOXcQGoDGCW6rZPpj5ucacs=" operator="Google" contact="google-ct-logs@googlegroups.com" expiryRange="Jan 01 2023 00:00:00Z inclusive to Jan 01 2024 00:00:00Z exclusive" >}} + +{{< log-callout url="https://ct.googleapis.com/testtube/" base64LogID="sMyD5aX5fWuvfAnMKEkEhyrH6IsTLGNQt8b9JuFsbHc=" operator="Google" 
contact="google-ct-logs@googlegroups.com" >}} diff --git a/layouts/markdown/single.html b/layouts/markdown/single.html new file mode 100644 index 0000000..24df353 --- /dev/null +++ b/layouts/markdown/single.html @@ -0,0 +1,21 @@ +{{ define "main"}} + +
+
+
+
+
+

{{ .Title }}

+ {{ if .Params.show_table_of_contents }} +

Contents:

+ {{ .TableOfContents }} + {{ end }} +
+
+ {{ .Content }} +
+
+
+
+ +{{end}} diff --git a/layouts/shortcodes/log-callout.html b/layouts/shortcodes/log-callout.html new file mode 100644 index 0000000..055d864 --- /dev/null +++ b/layouts/shortcodes/log-callout.html @@ -0,0 +1,25 @@ +{{/* + Copyright 2020 Google LLC + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} + +
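Review bot: layouts/markdown/single.html has no file header comment, while the other new template in this commit, layouts/shortcodes/log-callout.html, opens with the Apache 2.0 licence block; the two should be consistent, so I would add the same `{{/* Copyright 2020 Google LLC ... */}}` header at the top of this file. The table of contents is gated on `.Params.show_table_of_contents`, which only content/markdown/getting-started.md sets in this commit, so a one-line comment above the `{{ if }}` such as `{{/* TOC is opt-in per page via show_table_of_contents in front matter */}}` would save the next author a search. Also `{{ define "main"}}` lacks the space before `}}` that the other actions in the file use. The surrounding markup appears to have been stripped in this rendering, so I have reviewed only the template actions.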
+

{{ .Get "url" }}

+

Base64 Log ID: {{ .Get "base64LogID" }}

+ {{ if .Get "expiryRange" }} +

{{ .Get "expiryRange" }}

+ {{ end }} +

Operator: {{ .Get "operator" }}

+

Contact: {{ .Get "contact" }}

+
diff --git a/static/img/markdown/chrome_scts.png b/static/img/markdown/chrome_scts.png new file mode 100644 index 0000000..fb27bc8 Binary files /dev/null and b/static/img/markdown/chrome_scts.png differ
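Review bot: The shortcode reads `url`, `base64LogID`, `operator` and `contact` unconditionally and only guards `expiryRange`, so a call that omits one of the required parameters renders an empty field instead of failing the build; for values readers are expected to copy verbatim, a log ID in particular, a silently blank field is worse than an error. I would fail fast, e.g. `{{ if not (.Get "base64LogID") }}{{ errorf "log-callout: base64LogID is required" }}{{ end }}`, and likewise for `url`, `operator` and `contact`. The file carries a licence header but no description of its interface; a short comment below the header naming the four required parameters and the optional `expiryRange`, as used by the callers in content/markdown/known-logs.md, would document the contract. The values come from shortcode parameters written in the repository's own content files, so this is a completeness point rather than an injection one; the surrounding markup appears stripped in this rendering.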