On its face the idea of making a note of what certificates are created is a simple idea, but in reality CT is far from simple, and it does not actually "fix" these sorts of problems.
CT is an attempt at transparency, that's it. It cannot prevent MITM attacks because it allows unaffiliated third-parties to issue certificates on your website's behalf (same as X.509), something that they have no business doing (and is completely unnecessary).
Nor does it guarantee that mis-issued certificates will be found. The reason is partly because, as you note, it is mostly a voluntary effort on behalf of the CAs out there, but also because its design is ineffective. Even if every CA participated in CT, it would still not accomplish much:
1. It does not prevent these types of attacks from being used on users.
2. It does not guarantee that mis-issued certificates would be found because it requires website owners to query all the logs out there in order to find out whether or not someone mis-issued a certificate (a sort of needle in a haystack problem that almost no one [except maybe large companies like Google] is going to engage in, and in the end doesn't prevent attacks from happening).
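The "query all the logs" point in the comment above, as an added example that is not code from this thread, from okturtles, or from any real CT log. It models, offline, the two things a CT monitor has to do: scan every entry of every log it knows about for names it cares about, and check that a log actually committed to an entry via an RFC 6962 Merkle inclusion proof (leaf hashes prefixed 0x00, interior nodes 0x01, verification as written out in RFC 9162 section 2.1.3.2). The `LOGS` table, the `(issuer, names)` tuple standing in for a parsed X.509 certificate, the CA names and the `encode_entry` byte format are all constructed assumptions; real logs return DER-encoded `MerkleTreeLeaf` structures you would parse first.

```python
import hashlib
from typing import Dict, List, Tuple

# Assumed stand-in for a parsed certificate: (issuer name, subject/SAN names).
Entry = Tuple[str, List[str]]

# Constructed sample data: two CT-style logs. "Rogue CA" issuing for
# www.example.com is the mis-issuance a monitor is supposed to surface,
# and it sits only in log-b, so a monitor that reads log-a alone misses it.
LOGS: Dict[str, List[Entry]] = {
    "log-a": [
        ("Example CA", ["www.example.com"]),
        ("Other CA", ["shop.example.net"]),
    ],
    "log-b": [
        ("Other CA", ["mail.example.net"]),
        ("Rogue CA", ["www.example.com", "login.example.com"]),
        ("Example CA", ["api.example.com"]),
    ],
}


def encode_entry(entry: Entry) -> bytes:
    """Assumed serialization of a log entry (real logs hash a DER MerkleTreeLeaf)."""
    issuer, names = entry
    return f"{issuer}|{','.join(names)}".encode()


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 2.1: leaves are domain-separated with a 0x00 prefix
    return _h(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # interior nodes use 0x01 so a leaf can never be passed off as a node
    return _h(b"\x01" + left + right)


def _split(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 tree split point)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: List[bytes]) -> bytes:
    """MTH(D[n]) from RFC 6962 2.1."""
    n = len(leaves)
    if n == 0:
        return _h(b"")
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: List[bytes], m: int) -> List[bytes]:
    """PATH(m, D[n]) from RFC 6962 2.1.1: sibling hashes from leaf m up to the root."""
    n = len(leaves)
    if n <= 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(leaves[:k], m) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf_h: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Inclusion-proof check as specified in RFC 9162 2.1.3.2."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_h
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            # skip levels where our subtree has no right sibling
            while not (fn & 1) and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def verify_log_entry(entries: List[Entry], index: int) -> bool:
    """Build the log's tree head and confirm entry `index` is committed to it."""
    leaves = [encode_entry(e) for e in entries]
    proof = inclusion_proof(leaves, index)
    return verify_inclusion(leaf_hash(leaves[index]), index, len(leaves),
                            proof, merkle_root(leaves))


def find_unexpected(logs: Dict[str, List[Entry]], domain: str,
                    trusted_issuers: set) -> List[Tuple[str, int, str]]:
    """The monitor: every entry of every log, flag names under `domain`
    whose issuer is not one the site owner expects. Nothing here stops the
    rogue certificate from being used; it only tells you it exists."""
    findings = []
    for log_name, entries in logs.items():
        for index, (issuer, names) in enumerate(entries):
            covers = any(n == domain or n.endswith("." + domain) for n in names)
            if covers and issuer not in trusted_issuers:
                findings.append((log_name, index, issuer))
    return findings


if __name__ == "__main__":
    print(find_unexpected(LOGS, "example.com", {"Example CA"}))
```

Running the monitor over both logs reports the Rogue CA entry in log-b; running it over log-a alone reports nothing, which is the coverage problem the comment describes. The proof check is what a client or monitor gains from CT: a log cannot later deny having included an entry, and a forged entry cannot reuse someone else's proof.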
Whoever downvoted the parent, how about replying to the comment instead?
We spent a good amount of effort analyzing CT, and if you believe we missed something, your reply is worth a lot more than a downvote & run.
It's odd how much effort is being put behind this effort, especially given that in this particular attack Google would have nothing to gain from CT (since all it can hope to do is tell them who issued the fraudulent cert, which they already know).
I love that they came back to downvote your appeal to good netiquette.
HN needs a learning option for downvote external validity -- consistent upvotes on something a user downvoted should degrade the weight of their downvote for all articles.
Our detailed analysis of CT is here:
https://blog.okturtles.com/2014/09/the-trouble-with-certific...