
> At some point browsers will stop allowing certificates that are not logged through CT

Makes sense. So to be sure nobody issued a cert for one of my properties I would have to check regularly on CT logs to be sure that only certs requested by me are issued. But in that case, if someone requests a cert for one of my properties, and that cert was not requested by me, what do I do?

Do I tell Mozilla and Google that "someone issued cert id 4d8effdd25 for my nextcloud installation (or my forum where some rebellious users meet up sometimes) to mitm me, but it was not me". Will they believe me? And it will probably be too late anyway, because propagation to a CT log can take up to one day, so they got data on all the traffic for a whole day.
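The check the comment above describes, watching CT for certificates naming your domains that you did not request, as an added example (not code from anyone in this thread). It models the core of such a monitor offline: the log entries, the monitored names and the allow-list of fingerprints are all constructed sample data, and the fingerprint is simply SHA-256 over the certificate bytes as a CT front end would expose it. It does not fetch from a real log; a real monitor would feed entries from a log or a service like crt.sh into the same decision function.

```python
"""Offline model of a CT-log watcher.

Alerts on any logged certificate that covers one of the owner's monitored
names but whose fingerprint is not on the owner's own allow-list.
All input below is constructed sample data, not real CT log content.
"""
import hashlib

# Names the domain owner wants watched (assumed for this example).
MONITORED = {"example.org", "cloud.example.org"}


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex, as CT tooling reports it."""
    return hashlib.sha256(der).hexdigest()


def name_matches(san: str, name: str) -> bool:
    """RFC 6125-style hostname match: exact, or a single-label wildcard
    in the leftmost label ('*.example.org' covers 'cloud.example.org'
    but neither 'example.org' nor 'a.b.example.org')."""
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if san == name:
        return True
    if san.startswith("*."):
        return name.count(".") == san.count(".") and name.endswith(san[1:])
    return False


def find_unexpected(entries, monitored, known_good):
    """Return alert records for entries that cover a monitored name and
    are not on the owner's allow-list of fingerprints."""
    alerts = []
    for entry in entries:
        fp = fingerprint(bytes.fromhex(entry["der_hex"]))
        affected = sorted(
            n for n in monitored if any(name_matches(s, n) for s in entry["names"])
        )
        if affected and fp not in known_good:
            alerts.append({
                "log_index": entry["log_index"],
                "issuer": entry["issuer"],
                "fingerprint": fp,
                "affects": affected,
            })
    return alerts


# Constructed stand-ins for DER bytes; a real monitor hashes real certificates.
_OWNER_CERT_1 = b"constructed-der-owner-cert-1"
_OWNER_CERT_2 = b"constructed-der-owner-cert-2"

# Fingerprints of certificates the owner actually requested (assumed).
KNOWN_GOOD = {fingerprint(_OWNER_CERT_1), fingerprint(_OWNER_CERT_2)}

# Constructed sample of entries as a monitor would pull them from a log.
SAMPLE_ENTRIES = [
    {"log_index": 1001, "issuer": "Example CA 1",
     "names": ["example.org", "www.example.org"], "der_hex": _OWNER_CERT_1.hex()},
    {"log_index": 1002, "issuer": "Some Other CA",
     "names": ["*.example.org"], "der_hex": b"constructed-der-unknown-wildcard".hex()},
    {"log_index": 1003, "issuer": "Example CA 1",
     "names": ["unrelated.test"], "der_hex": b"constructed-der-unrelated".hex()},
    {"log_index": 1004, "issuer": "Example CA 1",
     "names": ["cloud.example.org"], "der_hex": _OWNER_CERT_2.hex()},
]


def run_sample():
    """Run the watcher over the constructed entries; one alert is expected
    (entry 1002, a wildcard nobody on the owner's side requested)."""
    return find_unexpected(SAMPLE_ENTRIES, MONITORED, KNOWN_GOOD)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"ALERT log_index={alert['log_index']} issuer={alert['issuer']!r} "
              f"affects={alert['affects']} sha256={alert['fingerprint']}")
```

The alert record is exactly what the rest of the thread says to send: the fingerprint and issuer go in the misissuance report to the CA, and to the browser programs' public list if the CA's answer is unsatisfactory. As the comment notes, this is detection after the fact; the block shows why an owner still has to keep an explicit allow-list, since "a cert for my name exists" is not by itself a misissuance.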




> Do I tell Mozilla and Google that "someone issued cert id 4d8effdd25 for my nextcloud installation (or my forum where some rebellious users meet up sometimes) to mitm me, but it was not me".

Yes, this is exactly what you should do. There's a very active list by Mozilla ("dev-security-policy") where CA missteps are discussed on a regular basis; that's a good place to bring up all issues with CAs (however most of them are much more minor than a mitm attack with a fake cert - the day-to-day business is more "this cert violates RFC something").

> Will they believe me?

Well, the malicious issuance of a certificate is high profile enough that they will at least investigate and the CA will have to show some evidence how the cert has been issued.

> And it will probably be too late anyway, because propagation to a CT log can take up to one day, so they got data on all the traffic for a whole day.

That is in principle true. CT does not directly prevent attacks. But the general idea is this: CT makes it very likely that attacks get detected. A malicious attack by a CA is almost certainly the end of their cert business. So while an attack is still possible, it becomes very expensive, you basically have to sacrifice a working business.


Yes, it would be too late for you, but it would also be too late for the CA in this story, since the purpose of these technologies is to create and preserve a "smoking gun" and now everybody can see they aren't trustworthy.

In most countries, law enforcement are disinclined to use tools that will only work once - because what if they need that tool tomorrow for something more important? So this provides you with a bit of herd immunity, there is probably someone doing something naughtier than you who would be a better target.

It is also legally easier to get away with demanding that somebody do something they already _can_ do than to demand they come up with a way to do something they can't already do. British courts for example asked Internet Service Providers "Do you have a way to block web sites, e.g. for having child pornography on them?" and all the big ISPs said "Oh yes, we have that" and then the courts said "Aha. OK, then you must use that to also block copyright infringements, Hollywood will tell you what to block". But for the tiny ISPs like mine that said "No, we just move bits - nazis, child porn, bomb making, if it's illegal then you should convict the people doing it, not our problem" the courts said "Then it would be outrageous for us to demand you do as Hollywood asks, carry on as you were".

Because CT logging is mandated by Google, most CAs are building systems that automatically log everything. So then "Issue this but don't log it" becomes a huge ask, the front line guy the secret police get to says "I don't have a way to do that, it always logs everything" and that increases the chance the spooks get forwarded to an executive who says "Woah, this suicides my whole company, you better get yourselves a warrant, and I am calling my lawyer right now".


> I would have to check regularly on CT logs

You would indeed, which is part of the reason I released this service + libraries, so some enterprising developer can build a nice alerting service with it for folks just like you!

> Do I tell Mozilla that "someone issued cert id 4d8effdd25 for my nextcloud installation

Not exactly, I believe you'd probably contact the certificate issuer who issued the original certificate to have them issue a revocation, but my sincere hope is that folks running CAs will eventually come up with some better method for flagging certificates as bad/malicious than "just email Symantec support", since I wouldn't wish that on anyone.


>so some enterprising developer can build a nice alerting service

I launched https://ctadvisor.lolware.net/ some time ago.


Oh very cool! I hadn't seen this. Good stuff! http://cdn.ebaumsworld.com/mediaFiles/picture/718392/8489089...


Thank you! And yes, I definitely don't have a designer :p


One could also use crt.sh and the RSS feed.


> Do I tell Mozilla that "someone issued cert id 4d8effdd25 for my nextcloud installation

Basically. You'd send a report to the CA telling them there was a misissuance, and if their answer isn't to your satisfaction, you can report it to Mozilla and the other browsers on the public mailing list, claiming a misissuance by the CA. The browsers would then force the CA to follow up.


The CA in question is the German government itself (which happens to be trusted in all browsers).

They're almost exclusively used for digital ID services (and, according to some sources, MitM), and are in browsers anyway. CT won't help with that.


The BSI is not the/a German police as you know. I don't think any of their certificates is trusted by browsers. The Bundesdruckerei certificate is though but neither are they a police force.

Do you have any source for that certificate being used for MitM?


The BSI is part of the executive, just as the police or the intelligence agencies, and its certs have been abused for that before.

There are a few stories about this in the 2013 Snowden data actually, the SPIEGEL published stories about that back then, too.


I have never heard of any of their certs being abused before and I have followed the Snowden revelations closely. The only thing I know of are some vague "cooperations with the NSA" that never have been described more closely. I don't think they even have a root certificate trusted by browsers. A publicly owned company (the Bundesdruckerei) does, however.


I have to be honest, I don't care that much about the details on this.

I'm far more enraged by the decision of the Bundesdruckerei to not offer on-card signing features for the ePerso anymore.

Instead, you have to use their web service to sign, and it costs you even more money. And is obviously ridiculously insecure.


Then please don't go around claiming "the German police has a trusted root CA and has used it for MitM in the past" if you don't actually know that.


It's not part of CT, nor does it fully solve the issue, but you might also like Certificate Authority Authorization. CAA allows you to publish what CAs are acceptable for your domain via DNS. CAs shouldn't issue certificates against that. Of course that doesn't protect against a rogue, compromised or coerced CA, but it does protect against phony requests to the CA.


As you said, that only protects against CAs that follow the CA/B Forum Baseline Requirements that require they check CAA at issuance time.

If a government was coercing a CA, they'd just tell them to disable this check. If this can be proven it's grounds to start the distrust process. At the very least, they should fail their next WebTrust audit.


It also doesn’t protect against compromised DNS, does it?


We're building this into the Cloudflare dashboard: the ability to monitor CT logs for issuance of certificates containing your domain name.


> "So to be sure nobody issued a cert for one of my properties I would have to check regularly on CT logs to be sure that only certs requested by me are issued."

CertSpotter does this for you automatically: https://sslmate.com/certspotter/


That's what the CAA DNS records are meant to prevent. It tells Certificate Authorities which of them are allowed to issue for your domain.

Couple that with most providers requiring you to prove your domain via DNS or organizational status and you narrow the attack window.

Also I'd assume that as the owner of a domain, you'd be able to revoke any certificate for your domain that you didn't create.
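The CAA lookup that both this comment and the earlier "Certificate Authority Authorization" comment describe, as an added example (not code from anyone in this thread). It implements the CA-side decision of RFC 8659: climb from the requested name to its parents until a CAA record set is found, apply `issue` (or `issuewild` for a wildcard name), treat an empty `;` value as "nobody", and refuse on an unrecognised critical tag. The zone contents are a constructed sample; a real CA resolves them over DNS, which is exactly the step a coerced CA can skip, so this complements CT rather than replacing it.

```python
"""CAA evaluation as a CA is required to perform it (RFC 8659).

The zone below is a constructed stand-in for DNS lookups; a real CA
resolves CAA RRsets and also has to consider DNSSEC and CNAME handling,
which this offline model does not.
"""
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone: FQDN (no trailing dot) -> CAA records. Assumed data.
ZONE = {
    "example.org": [
        CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        CAA(0, "issuewild", ";"),  # no wildcard certs for anyone
        CAA(0, "iodef", "mailto:security@example.org"),
    ],
    "legacy.example.org": [CAA(0, "issue", "legacy-ca.example")],
    "odd.example.org": [CAA(CRITICAL, "futuretag", "x")],  # unknown critical tag
}


def parent(name: str) -> str:
    """Strip the leftmost label; '' once the top level is passed."""
    return name.partition(".")[2]


def relevant_caa(zone, fqdn: str):
    """Relevant RRset per RFC 8659: nearest ancestor-or-self with CAA records.
    A wildcard name is evaluated from its parent."""
    node = fqdn[2:] if fqdn.startswith("*.") else fqdn
    node = node.lower().rstrip(".")
    while node:
        rrs = zone.get(node, [])
        if rrs:
            return rrs
        node = parent(node)
    return []


def ca_may_issue(zone, fqdn: str, ca_domain: str) -> bool:
    """Decide whether the CA identified by ca_domain may issue for fqdn."""
    rrs = relevant_caa(zone, fqdn)
    # A critical record the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrs):
        return False
    wildcard = fqdn.startswith("*.")
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrs):
        tag = "issuewild"  # issuewild overrides issue for wildcard requests
    applicable = [r for r in rrs if r.tag == tag]
    if not applicable:
        return True  # no CAA constraint on this name at all
    # Value is "<issuer-domain>[; param=value ...]"; an empty domain means nobody.
    permitted = {r.value.split(";")[0].strip().lower() for r in applicable}
    return ca_domain.lower() in permitted


if __name__ == "__main__":
    for name, ca in [("www.example.org", "letsencrypt.org"),
                     ("www.example.org", "digicert.com"),
                     ("*.example.org", "letsencrypt.org"),
                     ("*.legacy.example.org", "legacy-ca.example"),
                     ("odd.example.org", "letsencrypt.org")]:
        print(f"{ca:>18} -> {name:<24} {'allowed' if ca_may_issue(ZONE, name, ca) else 'refused'}")
```

Note the asymmetry the thread points out: the record only binds a CA that actually runs this check. It blocks a stranger's request through an honest CA, but a CA told to disable the check (or one reading spoofed DNS, as the "compromised DNS" reply raises) issues anyway, and only CT makes that visible afterwards.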


That is mostly true, unless it's a malicious Certificate Authority which may, on behalf of a government's request, ignore the CAA record on purpose to generate a certificate.

This is where a TLSA record would help to prevent malicious certificates. At least, if the client (browser) validates TLSA records.
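How a TLSA record pins a certificate or key so that a CA-issued substitute fails validation, as an added example (not code from anyone in this thread). It implements the RFC 6698 association data for selector 0 (full certificate) and 1 (SubjectPublicKeyInfo) with matching types 0, 1 and 2, builds the record, and checks a presented end-entity certificate against it for usages 1 and 3 (PKIX-EE and DANE-EE); the trust-anchor usages 0 and 2 need the whole chain and are deliberately left out. The certificate and SPKI bytes are constructed stand-ins, since there is no certificate parser here; with a real certificate you would pass the DER of the certificate and of its SPKI (the `cryptography` library's `public_bytes` methods produce both).

```python
"""TLSA (DANE) record construction and end-entity matching, RFC 6698.

Certificate and SPKI bytes below are constructed stand-ins for DER data.
Only usages 1 (PKIX-EE) and 3 (DANE-EE) are modelled: they compare against
the presented leaf certificate and need no chain.
"""
import hashlib

# Constructed sample "DER" inputs (assumed).
CERT_A = b"constructed-der-of-cert-A"              # owner's leaf certificate
SPKI_A = b"constructed-spki-of-key-A"              # its public key (SPKI)
CERT_A_RENEWED = b"constructed-der-of-cert-A-renewed"  # reissued, same key
CERT_ROGUE = b"constructed-der-of-rogue-cert"      # cert a misbehaving CA issued
SPKI_ROGUE = b"constructed-spki-of-rogue-key"


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    """Certificate Association Data: pick full cert (0) or SPKI (1), then
    store it raw (0), as SHA-256 (1) or as SHA-512 (2)."""
    data = {0: cert_der, 1: spki_der}[selector]
    if matching == 0:
        return data
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_tlsa(cert_der, spki_der, usage: int, selector: int, matching: int):
    """Return the record as (usage, selector, matching, hex association data)."""
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"unknown usage {usage}")
    return (usage, selector, matching, association_data(cert_der, spki_der, selector, matching).hex())


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name under which the record is published, e.g. _443._tcp.example.org."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def present(host: str, port: int, record) -> str:
    """Zone-file presentation format of a TLSA record."""
    usage, selector, matching, data = record
    return f"{tlsa_owner_name(host, port)} IN TLSA {usage} {selector} {matching} {data}"


def matching_record(records, cert_der: bytes, spki_der: bytes):
    """Return the first end-entity record the presented certificate satisfies,
    or None. A mismatch is what stops a substitute certificate: no CA decision
    can change which key the zone owner pinned."""
    for rec in records:
        usage, selector, matching, data_hex = rec
        if usage not in (1, 3):
            continue  # trust-anchor usages need the chain; not modelled
        if association_data(cert_der, spki_der, selector, matching) == bytes.fromhex(data_hex):
            return rec
    return None


if __name__ == "__main__":
    pin_key = make_tlsa(CERT_A, SPKI_A, 3, 1, 1)   # "3 1 1": pin the key
    pin_cert = make_tlsa(CERT_A, SPKI_A, 3, 0, 1)  # "3 0 1": pin this exact cert
    print(present("example.org", 443, pin_key))
    print("renewed cert, same key, against 3 1 1:", matching_record([pin_key], CERT_A_RENEWED, SPKI_A) is not None)
    print("renewed cert, same key, against 3 0 1:", matching_record([pin_cert], CERT_A_RENEWED, SPKI_A) is not None)
    print("rogue cert against both:", matching_record([pin_key, pin_cert], CERT_ROGUE, SPKI_ROGUE) is not None)
```

The "3 1 1" form is the usual operational choice: pinning the SPKI survives routine reissuance with the same key, while "3 0 1" has to be republished with every new certificate. Either way the comment's caveat stands: the check only protects users whose client actually validates TLSA, which mainstream browsers do not.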


Maybe that's the piece of the puzzle that's missing here? Being able to revoke a cert automatically by proof of domain ownership?



