> certificate transparency logs appear to be completely ineffective in catching CA-related name hijack events in real time.

In what sense is this true? They're effective because browsers only accept certs which can first prove that they were submitted to a CT log, and it's easy to search the CT logs for e.g. gmail.com to find potential misissuance events.

This is the first time I've heard CT described as ineffective. What gives?

It's unclear what Huston means by "real time", but in the comments section he cites the fact that it took 6 months for the misissued Symantec certificates for example.com to be noticed.

That's because the owner of example.com wasn't monitoring CT. Had they been monitoring, they would have been alerted quite quickly. As a case in point, when Certinomis misissued a certificate for test.com, my monitor notified me 16 minutes after issuance, I filed a report with Mozilla two hours after issuance, and a representative of Mozilla responded less than 3.5 hours after issuance.[1] That's pretty fast.

And now Mozilla is kicking Certinomis out, providing yet another example of how CT is improving the Web PKI. CT works.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1496088

That was really interesting to read. As a relative layman in this area, do you have any recommendations on reading material in this area? How is your monitoring setup?

https://blog.cloudflare.com/introducing-certificate-transpar... is a very good overview of Certificate Transparency.

I've written my own Certificate Transparency monitor called Cert Spotter. I use both the standalone open source version (https://github.com/SSLMate/certspotter) and the hosted service (https://sslmate.com/certspotter) to monitor my own domains as well as several test/example domains (example.com, test.com, etc.).
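
An added example, not part of the comments above and not Cert Spotter's code: the name-matching step a CT monitor needs once log entries have been decoded to an issuer and a list of DNS names. The `LogEntry` shape, the CA names and the log indexes are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LogEntry:
    """One certificate as a monitor might see it after decoding a CT log entry."""
    issuer: str
    dns_names: tuple
    log_index: int

def normalize(name):
    """Lower-case, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def covers(watched, name):
    """True if name is the watched domain or any subdomain of it."""
    watched, name = normalize(watched), normalize(name)
    # The leading dot keeps "notexample.com" from matching "example.com".
    return name == watched or name.endswith("." + watched)

def unexpected_issuance(entries, watchlist):
    """Return (log_index, name, issuer) for each watched name issued by a CA
    that the domain owner did not list as expected."""
    alerts = []
    for entry in entries:
        for name in entry.dns_names:
            for watched, expected_issuers in watchlist.items():
                if covers(watched, name) and entry.issuer not in expected_issuers:
                    alerts.append((entry.log_index, name, entry.issuer))
    return alerts

# Constructed sample data: CA names and log indexes are placeholders.
# An empty issuer set means no issuance is expected for that domain at all.
WATCHLIST = {"example.com": {"Expected CA"}, "test.com": set()}
ENTRIES = [
    LogEntry("Expected CA", ("example.com", "www.example.com"), 1001),
    LogEntry("Other CA", ("*.Example.COM.",), 1002),
    LogEntry("Other CA", ("notexample.com",), 1003),
    LogEntry("Other CA", ("test.com",), 1004),
]

if __name__ == "__main__":
    for alert in unexpected_issuance(ENTRIES, WATCHLIST):
        print("unexpected certificate:", alert)
```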