Question about v1, v2 CT log turndown
961 views
Skip to first unread message
Rodrigo Brauwers
Sep 20, 2022, 5:13:35 AM9/20/22
to certificate-transparency
Hello,
The v1 and v2 CT log will turndown on 2022-10-17, as announced here.
My question is:
After the turndown, the v1 and v2 CT log lists will be completely inaccessible, returning a 404 error?
Or those lists will continue to be accessible, but will no longer be updated?
The v1 and v2 CT log will turndown on 2022-10-17, as announced here.
My question is:
After the turndown, the v1 and v2 CT log lists will be completely inaccessible, returning a 404 error?
Or those lists will continue to be accessible, but will no longer be updated?
Thanks
Roger Ng
Sep 20, 2022, 6:46:25 AM9/20/22
to certificate-transparency
Hello,
The CT log list v1 and v2 will return the 404 error after the turndown. We avoid serving stale data.
Cheers,
Roger on behalf of the Google CT Team
Roger on behalf of the Google CT Team
Rodrigo Brauwers
Sep 21, 2022, 4:54:59 AM9/21/22
to certificate-transparency
This known library that implements certificate transparency for Android still use v2 log list:
Appmattus - Certificate transparency
Any chance to postpone the v2 log list turndown, so the maintainers of that library can release a fix switching to v3 log list?
Otherwise I'm afraid many apps that uses that library will suffer an outage.
Thanks
Any chance to postpone the v2 log list turndown, so the maintainers of that library can release a fix switching to v3 log list?
Otherwise I'm afraid many apps that uses that library will suffer an outage.
Thanks
Roger Ng
Sep 28, 2022, 11:34:50 AM9/28/22
to certificate-transparency
Hello Rodrigo,
We want to avoid problems with the v1 and v2 CT log list turndown, and have done our best to do so by:
- waiting over a year after the v3 log list release, and providing a 2-month notice of the turndown.
- providing a simple workaround to update the base URL to v3 that apps can use immediately.
There is a PR to get this issue fixed in appmattus/certificatetransparency. We hope it will get merged quickly.
Waiting indefinitely for all tools and dependencies to migrate to v3 log list is not feasible, but we'll delay the v2 log list turndown by another month to 2022-11-17, to allow for the library and dependent apps to be updated. Note that we're still planning to turn down the v1 log list on 2022-10-17.
Cheers,
Roger on behalf of Google CT Team
Roger on behalf of Google CT Team
Rodrigo Brauwers
Sep 28, 2022, 12:09:00 PM9/28/22
to certificate-transparency
Hello Roger,
Thank you for your attention. Delaying v2 log list to 2022-11-17 will be of great help.
Thank you for your attention. Delaying v2 log list to 2022-11-17 will be of great help.
Mathieu Heetch
Nov 4, 2022, 10:31:00 AM11/4/22
to certificate-transparency
Hello Roger,
Our company was still using the v2 log list, and we didn't notice the announcement of the turndown.
We're right now updating our app to switch to v3 log list, but this won't solve the issue for the whole user base with old app versions. And when you'll stop publishing v2 CT logs on Nov 17th, our old app versions won't work anymore (and won't be able to redirect to the latest app on the Play Store);
--> Would it be possible to delay by 1 more month the v2 log list turndown, or do you have some alternative solutions to mitigate the issue for old app versions?
Thanks in advance for your support,
Mathieu
Roger Ng
Nov 4, 2022, 11:47:21 AM11/4/22
to certificate-transparency
Hello Mathieu,
Cheers,
Roger on behalf of Google CT Team
We have been closely monitoring the situation in the third party library (https://github.com/appmattus/certificatetransparency).
We are pleased to announce that the v2 log list endpoints will serve the v3 log list, which is backward compatible with v2, for another 90 days starting on 2022-11-17. The v2 log list endpoints will start returning 404 on 2023-02-15.
The following v2 log list endpoints will serve v3 log list data between 2022-11-17 and 2023-02-15:
If there are any questions or concerns about this, please reply to this email for further discussion.
We are pleased to announce that the v2 log list endpoints will serve the v3 log list, which is backward compatible with v2, for another 90 days starting on 2022-11-17. The v2 log list endpoints will start returning 404 on 2023-02-15.
The following v2 log list endpoints will serve v3 log list data between 2022-11-17 and 2023-02-15:
- all_logs_list.json (v2 endpoint, v3 data)
- log_list.json (v2 endpoint, v3 data)
- log_list.sig (v2 endpoint, v3 data)
- log_list.zip (v2 endpoint, v3 data)
- log_list_pubkey.pem (v2 endpoint, v3 data)
- log_list_schema.json (v2 endpoint, v3 data)
If there are any questions or concerns about this, please reply to this email for further discussion.
Cheers,
Roger on behalf of Google CT Team
hussnain javed
Jan 16, 2023, 6:56:44 AM1/16/23
to certificate-transparency
Dear All,
I need some guidance. I got a message on the Google play console regarding one of my Live apps.
Your app has been identified as having a dependency on com.appmattus.certificatetransparency. Due to the v2 log list turndown on November 17, 2022, you need to upgrade to use v3 log list to avoid potential app crashes.
A workaround is available before the fix is merged and released. You are advised to apply the workaround in your app and publish a new version to Google Play as soon as possible.
The v2 log list endpoints will serve the v3 log list, which is backward compatible with v2, for 90 days starting on November 17, 2022. The v2 log list endpoints will start returning 404 on February 15, 2023.
-------------------------------------------------------------------------------------------------------------------------------
I am unable to find the Dependency which is using this "com.appmattus.certificatetransparency" as I have searched my whole project/ modules. Please guide me regarding the following question:
1) How can I find which dependency is using "com.appmattus.certificatetransparency"?
2) What will be the impact if we don't upgrade to V3 from V2? will it cause crashes in the front-end app?
I am Waiting for your kind response.
Best Regard's
Hussnain Javed
Roger Ng
Jan 17, 2023, 12:51:21 PM1/17/23
to certificate-transparency
Hello Hussnain,
I believe your app has a dependency which depends on com.appmattus.certificatetransparency. Have you tried the gradlew command to list out the dependency tree? Please send me the package name of your app privately if you do not want to post it in this thread.
The exception VerificationResult.Failure.LogServersFailed will be thrown from com.appmattus.certificatetransparency if the v2 log list endpoint returns 404. The impact depends on how your dependency package handles the exception.
Note that the default Android disk cache policy is 1 month. Most likely the app users will not be impacted at the same time.
Cheers,
Roger on behalf of Google CT Team
Roger on behalf of Google CT Team
hussnain javed
Feb 3, 2023, 5:51:37 AM2/3/23
to certificate-transparency
Dear Roger,
Thanks for your kind response. Yes, I have tried ./gradlew app:dependencies command in my Android Studio project and got many dependencies but still unable to find that which dependency is using this com.appmattus.certificatetransparency, as no package name is found in a result that is got from above-executed command.
1) is there any other way or command to find that which library/SDK is using
com.appmattus.certificatetransparency in my project as 15 February is near?
2) Please share your full email address so that I can share my app package name/ID with you.
3) is there any chance of the date being extended for the migration from V2 to V3?
Waiting for your kind response.
Hussnain Javed
Android Developer
Roger Ng
Feb 3, 2023, 12:12:54 PM2/3/23
to certificate-transparency
Hi Hussnain,
I have sent you a private message to follow up. Please share the package name in that email. Note that you will still receive the Play Console message if one of your apps is impacted.
Cheers,
Roger on behalf of Google CT Team
Roger on behalf of Google CT Team
hussnain javed
Feb 6, 2023, 1:31:32 AM2/6/23
to certificate-...@googlegroups.com
Dear Roger,
Thanks for your response. I have shared the package name with you in a private email with some other details.
Waiting for your swift response to rectify this issue
Hussnain Javed
Android Developer
--
You received this message because you are subscribed to a topic in the Google Groups "certificate-transparency" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/certificate-transparency/otRk_9FZTEA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to certificate-transp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/certificate-transparency/f45145d2-81a5-4728-80b2-925458ecb791n%40googlegroups.com.
Sahil Mahajan
Feb 15, 2023, 7:36:04 AM2/15/23
to certificate-transparency
Dear Roger,
We connect on LinkedIn. We are using appmatus lib for certificate transparency. And our network traffic is not able to connect to our servers due to the v2 log issue which expired on 15 Feb 23. Requesting if can we extend this 90 days valid time to one more day or if is there any other way to start the flow of traffic using the v2 log list. We are India’s largest gaming company WinZO. Can you please help us on the same matter? Highly appreciated.The impact on our business is huge. We have off-the-deck/playstore distribution through our website www.winzogames.com. We have 100 million registered users and this transition would require us to float a new APK/ force update. As you would know there is a significant funnel drop. Our app-only business is down for the last 2 hours and we are losing significant traffic every second.Kindly help us.Requesting for a quick response.
Thanking much in anticipation.
Reply all
Reply to author
Forward
0 new messages