\nHear me out. If you are an organization with some spare storage and bandwidth, or an engineer looking to justify an overprovisioned homelab, you should consider running a Certificate Transparency log. It\u2019s cheaper, easier, and more important than you might think.<\/p>\n
Certificate Transparency (CT) is one of the technologies that underpin the security of the whole web. It keeps Certificate Authorities honest, and allows website owners to be notified of unauthorized certificate issuance. It\u2019s a big part of how the WebPKI went from the punchline of \u201cweakest link\u201d jokes to the robust foundation of the security of most of digital life\u2026 in less than fifteen years!<\/p>\n
CT is an intrinsically distributed system: CAs must submit each certificate to two CT logs operated by third parties and trusted by the browsers. This list is, and has been for a couple years, uncomfortably short. There just aren\u2019t as many independent log operators as we\u2019d like. Operating a log right now would be an immense contribution to the security of virtually every Internet user.<\/p>\n
It also comes with the bragging rights to claim that your public key is on _billions_ of devices.<\/p>\n
Where\u2019s the catch? Well, until recently running a log was a pain, and expensive. I am writing this because as of a few months ago, **this has changed**!<\/p>\n
<\/p>\n
Browsers now accept CT logs that implement the new Static CT API, which I designed and productionized in collaboration with Let\u2019s Encrypt and the rest of the WebPKI community over the past year and a half. The key difference is that it makes it possible to serve the read path of a CT log exclusively through static, S3 and CDN friendly files.<\/p>\n
Moreover, the new Sunlight implementation, sponsored by Let\u2019s Encrypt, implements the write path with minimal dependencies and requirements. It can upload the Static CT assets directly to object storage, or store them on any POSIX filesystem.<\/p>\n
You can learn more if you are curious in Let\u2019s Encrypt\u2019s retrospective, in the original Sunlight design document, or in the summarized public announcement.<\/p>\n
Geomys, my open source maintenance firm, operates a pro-bono Sunlight-backed trusted Static CT log for $10k\/year, including hardware amortization, colocation, and bandwidth. I\u2019m sure it can be done for cheaper.<\/p>\n
## The shopping list<\/p>\n
Ok, so what does it take to run a CT log in 20254?<\/p>\n
* Servers: one. No need to make the log a distributed system, CT itself is a distributed system.
* If you want to offer redundancy you can run multiple logs.
* The uptime target is 99%3 over three months, which allows for nearly 22h of downtime. That\u2019s more than three motherboard failures per month.
* CPU and memory: whatever, **as long as it\u2019s ECC memory**. Four cores and 2 GB will do.
* Bandwidth: 2 \u2013 3 Gbps outbound.
* Storage: you have two options.<\/p>\n
* 3 \u2013 5 TB of usable redundant filesystem space on SSDs1.<\/p>\n
* 3 \u2013 5 TB of S3-compatible object storage, and 200 GB of cache on SSD.<\/p>\n
Static CT logs are just flat static files, which you can serve with any HTTP server2 from disk, or expose as a public object storage bucket.<\/p>\n
* People: at least two. The Google policy requires two contacts, and generally who wants to carry a pager alone.<\/p>\n
That\u2019s pretty much it!<\/p>\n
Durability is the first priority: it\u2019s really important that you never lose data once it\u2019s fsync\u2019ed to disk or PUT to object storage, since your log will have signed and returned SCTs, which are promises to serve the certificates it received. This means for example that backups are useless: they would rollback the log\u2019s state.<\/p>\n
In terms of ongoing effort, a log operator is expected to read the Google and Apple CT Log policies, monitor the ct-policy@chromium.org mailing list, update the log implementation from time to time, and rotate log temporal shards every year. (For example, we just stood up 2027 shards of our log.)<\/p>\n
Given the logs lifecycle, you should plan to stick around for at least three years.<\/p>\n
## Sign me up!<\/p>\n
If you want to become a CT log operator, first of all\u2026 thank you!<\/p>\n
The Sunlight README was rewritten recently to get you up and running easily. Sunlight is highly specialized for Certificate Transparency and the WebPKI, and it\u2019s designed to help you operate a healthy, useful CT log with minimal configuration.<\/p>\n
The community is eager to welcome new log operators. You can post questions, reports, and updates on the transparency.dev Slack, ct-policy mailing list, or Sunlight issue tracker. I encourage you to reach out even just to share your plans, or to ask any questions you might have before committing to running a log.<\/p>\n
You might also want to follow me on Bluesky at @filippo.abyssdomain.expert or on Mastodon at @filippo@abyssdomain.expert.<\/p>\n
## The picture<\/p>\n
I _systematically_ make the mistake of reaching a beautiful spot with my motorcycle, watching the sunset, and _then_ realizing “oh, shoot, now it’s dark!” This time, the motorcycle didn’t start, too, and it was the first ride of the season in January. Got to read A Tour of WebAuthn by Adam Langley, though, so who can say if it was good or bad.<\/p>\n
<\/p>\n
Geomys, my Go open source maintenance organization, is funded by Smallstep, Ava Labs, Teleport, Tailscale, and Sentry. Through our retainer contracts they ensure the sustainability and reliability of our open source maintenance work and get a direct line to my expertise and that of the other Geomys maintainers. (Learn more in the Geomys announcement.)<\/p>\n
Here are a few words from some of them!<\/p>\n
Teleport \u2014 For the past five years, attacks and compromises have been shifting from traditional malware and security breaches to identifying and compromising valid user accounts and credentials with social engineering, credential theft, or phishing. Teleport Identity is designed to eliminate weak access patterns through access monitoring, minimize attack surface with access requests, and purge unused permissions via mandatory access reviews.<\/p>\n
Ava Labs \u2014 We at Ava Labs, maintainer of AvalancheGo (the most widely used client for interacting with the Avalanche Network), believe the sustainable maintenance and development of open source cryptographic protocols is critical to the broad adoption of blockchain technology. We are proud to support this necessary and impactful work through our ongoing sponsorship of Filippo and his team.<\/p>\n
* * *<\/p>\n
1. It _might_ be possible to run this on HDD. The write path would probably be fine, but the read path serves a lot of files with random accesses. Maybe with a large SSD cache layer. \u21a9<\/p>\n
2. Or with Sunlight\u2019s specialized HTTP read path, called Skylight, which has a bunch of nice metrics and health checks. \u21a9<\/p>\n
3. Yep, two nines. Availability of the write path in particular is not a big deal at all: CAs will just fallback to other logs. Availability of the read path is important to ensure timely monitoring of new entries, but it\u2019s just a simple static HTTP server. Note that Google is planning to split the requirements between read and write endpoints, and to require higher availability on the read path. \u21a9<\/p>\n
4. It\u2019s possible the requirements will grow in the future because of short-lived certificates and\/or post-quantum signatures, but the ecosystem is very aware of the potential burden on CT log operators, and there are a number of proposals to mitigate it, such as Merkle Tree Certificates and Verifiable Indexes. I am optimistic this will be solved, but even if it won\u2019t you can always turn your log read-only without disrupting the ecosystem, should it get too large. \u21a9\n<\/p><\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title You Should Run a Certificate Transparency Log Update ID FILIPPOIO:90B49C627A7C3F3954F12938392E364B Type filippoio Published 2025-07-07T17:47:49 Last Updated 2025-07-07T17:47:49 Security Impact…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,162,13,33,7,11,5],"class_list":["post-7739","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-filippoio","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
You Should Run a Certificate Transparency Log - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=7739\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"You Should Run a Certificate Transparency Log - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title You Should Run a Certificate Transparency Log Update ID FILIPPOIO:90B49C627A7C3F3954F12938392E364B Type filippoio Published 2025-07-07T17:47:49 Last Updated 2025-07-07T17:47:49 Security Impact...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=7739\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-07T13:36:17+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7739#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7739\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"You Should Run a Certificate Transparency Log\",\"datePublished\":\"2025-07-07T13:36:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7739\"},\"wordCount\":1393,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"filippoio\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7739#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7739\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7739\",\"name\":\"You Should Run a Certificate Transparency Log - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-07T13:36:17+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7739#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7739\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7739#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"You Should Run a Certificate Transparency Log\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"You Should Run a Certificate Transparency Log - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=7739","og_locale":"en_US","og_type":"article","og_title":"You Should Run a Certificate Transparency Log - zero redgem","og_description":"Security Update News Update Information Title You Should Run a Certificate Transparency Log Update ID FILIPPOIO:90B49C627A7C3F3954F12938392E364B Type filippoio Published 2025-07-07T17:47:49 Last Updated 2025-07-07T17:47:49 Security Impact...","og_url":"https:\/\/zero.redgem.net\/?p=7739","og_site_name":"zero redgem","article_published_time":"2025-07-07T13:36:17+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=7739#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=7739"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"You Should Run a Certificate Transparency Log","datePublished":"2025-07-07T13:36:17+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=7739"},"wordCount":1393,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","filippoio","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=7739#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=7739","url":"https:\/\/zero.redgem.net\/?p=7739","name":"You Should Run a Certificate Transparency Log - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-07T13:36:17+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=7739#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=7739"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=7739#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"You Should Run a Certificate Transparency Log"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7739","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7739"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7739\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7739"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7739"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}