[Cryptography] The Trouble with Certificate Transparency
Ralf Senderek
crypto at senderek.ie
Thu Sep 25 17:22:50 EDT 2014
On Thu, 25 Sep 2014 Ralph Holz <ralph-cryptometzger at ralphholz.de> wrote:
> On 09/25/2014 10:52 AM, Ralf Senderek wrote:
> >
> > Given the powers of a post-Snowden MITM, the claim in Greg's posting
> > seems legitimate. At the moment when the browser makes the connection it is
> > undetectable that the browser is being fooled, _unless_ the browser
> > keeps track of the certificates it's visiting over time.
> That is not what CT is for. CT is meant to detect (and prove) CAs
> misissuing certificates.
> Ralph
And that is the problem. In the above scenario it does not help to be
able to detect the misuse after successfully being MITMed. Protection
against a MITM by use of certs must work when the act of misuse
happens or the damage is done already.
--ralf
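The two detection models the thread contrasts, as an added illustration that is not part of the original posts: a client-side pin store that remembers the key it saw for a host and refuses a later connection whose key differs (the "browser keeps track of certificates over time" case, which catches the MITM during the handshake but not on first contact), beside a simplified append-only log that only reveals a misissued certificate when the domain owner audits it afterwards (the CT case). The certificates are constructed stand-ins (host name, fake SPKI bytes, issuer string), the `CTLog` class is a deliberately minimal model of a log with no Merkle tree or SCT signatures, and all names here are hypothetical.

```python
"""Two detection models for a mis-issued certificate (added illustration).

- PinStore: the browser remembers the first public key it saw for a host
  (trust-on-first-use) and refuses a later connection whose key differs.
  Detection happens *during* the handshake, but only for hosts seen before.
- CTLog: an append-only record of issued certificates that the domain owner
  audits later. Detection happens *after* the certificate was used.

The certificates below are constructed stand-ins (a host name, a fake
SPKI byte string and an issuer name), not real X.509 data.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    host: str
    spki: bytes      # stand-in for the SubjectPublicKeyInfo DER bytes
    issuer: str

    def spki_hash(self) -> str:
        # Pinning hashes the SPKI, not the whole certificate, so a legitimate
        # renewal with the same key keeps working.
        return hashlib.sha256(self.spki).hexdigest()


@dataclass
class PinStore:
    """Client-side memory of the key last seen per host."""
    pins: dict = field(default_factory=dict)

    def check(self, cert: Cert) -> str:
        seen = self.pins.get(cert.host)
        if seen is None:
            # First contact: nothing to compare against, so a MITM here
            # is undetectable by this mechanism (the limitation Ralf raises).
            self.pins[cert.host] = cert.spki_hash()
            return "accept-first-use"
        if seen == cert.spki_hash():
            return "accept"
        return "reject"   # key changed under the same name: refuse to connect


@dataclass
class CTLog:
    """Append-only log of issued certificates, audited later by the domain owner.
    Simplified model: no Merkle tree, no signed timestamps."""
    entries: list = field(default_factory=list)

    def submit(self, cert: Cert) -> int:
        self.entries.append(cert)
        return len(self.entries) - 1   # index stands in for an SCT here

    def audit(self, host: str, authorised_hashes: set) -> list:
        # The owner compares every logged cert for its name against keys
        # it actually requested; anything else is evidence of misissuance.
        return [c for c in self.entries
                if c.host == host and c.spki_hash() not in authorised_hashes]


def run_scenario():
    legit = Cert("example.com", b"legit-public-key", "Honest CA")
    mitm = Cert("example.com", b"attacker-public-key", "Compromised CA")

    store = PinStore()
    log = CTLog()

    first = store.check(legit)      # day 1: genuine site, key remembered
    log.submit(legit)

    # Later, the attacker presents a CA-signed cert for the same name.
    log.submit(mitm)                # a misissued cert can be logged like any other
    second = store.check(mitm)      # pin mismatch is caught *during* the handshake

    # CT only tells the owner afterwards, when the log is audited.
    misissued = log.audit("example.com", {legit.spki_hash()})

    # The same attack against a browser with no prior record is not
    # detected by pinning either: trust-on-first-use has nothing to compare.
    fresh = PinStore().check(mitm)

    return {"first": first, "second": second,
            "misissued_issuers": [c.issuer for c in misissued],
            "fresh": fresh}


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows the point of the exchange: the pin store returns "reject" for the attacker's certificate at connection time, the log only yields the "Compromised CA" entry once `audit` is run after the fact, and a fresh client with no history accepts the attacker's key on first use.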