[cryptography] The Trouble with Certificate Transparency

Paul Wouters paul at cypherpunks.ca
Fri Sep 26 22:31:00 EDT 2014


On Fri, 26 Sep 2014, Greg wrote:

>       But what about normal people?  I have to check up to 1000 different logs
>       to see if I've been attacked?  And if I find out that's the case, would
>       people care about little old me enough to burn a CA such as Comodo?
>
>       It seems CT could potentially be of benefit to some large organizations
>       while having little to no impact on ordinary people like myself.  If
>       that's wrong I'd like to know how/why.
> 
> That is a remarkably insightful observation that I did not think of myself, and so far as I
> know it's a criticism of CT that no one has brought up before. Thank you for that.

Anyone is free to start audit logs and anyone is free to query audit
logs. I'm sure there will be some healthy things appearing our of the
free market or the non-profit area with a nice browser or OS plugin.

Of course, one has to be careul not to make the same privacy mistakes as
CRL/OCSP did. But we have other decentralised methods that have better
privacy (such as dnssec, onion sites or whatever blockchain variation
you think is stable infrastructure)

>       I have to check up to 1000 different logs to see if I've been attacked?
> 
> I am not sure.

That is uhm, remarkably insightful?

> The RFC sure seems to imply that, but the problem is that Google hasn't
> finished specifying how gossip works

It's not Google that specifying that, but the trans working group. Of
which some participants are employed by google.

> For the sake of argument, let's give Google the benefit of the doubt and assume that gossip
> turns out to be 99% reliable at detecting attacks post-facto.

There is no reason you have to wait post-facto. You have the option to
check the certificate you got from the TLS server with what you got from
the audit log and gossip protocols before you send data to the TLS
server.

> There still remains a problem: what now?

You disconnect and share the received certificate with the public, so we
can all see which CA was responsible for this so we can throw them out
of the root cert store from our computers.

> This the other question you asked:
>
>       And if I find out that's the case, would people care about little old me enough
>       to burn a CA such as Comodo?
> 
> I think it depends on the situation, and the frequency with which "malfunctions" occur.
> 
> If malfunctions occur to "little old me"'s infrequently, I suspect little will be done.

That seems to go against the current market forces that want to keep or
regain the public's trust since the "NSA partner" list came out. If
caught, they will act. Shareholder value and all that.

> When I detected what was most likely a MITM attack on me, and provided evidence of it [1],
> nothing was done.
> 
> [1] https://twitter.com/taoeffect/status/463378963901849600

CertPatrol? That thing with no clue about CDNs and that never linked
publisher with consumer so every single legitimate certificate rollover
was flagged as MITM.... I would love to see a copy of that MITM cert
that "they" presented to you. Do you still have a copy of it?

> CT doesn't prevent MITM attacks. Damage will have been done.

See above. YOU decide how often you will check teh audit logs and the
gossip protocol partners. This can be totally hooked into the browser
to pass a mandatory "CT check" or prompt the user they're under attack.

Paul


More information about the cryptography mailing list