[Cryptography] The Trouble with Certificate Transparency
Greg
greg at kinostudios.com
Fri Sep 26 21:34:49 EDT 2014
Dear Tony,
On Sep 25, 2014, at 2:05 PM, Tony Arcieri <bascule at gmail.com> wrote:
> On Thu, Sep 25, 2014 at 1:52 AM, Ralf Senderek <crypto at senderek.ie> wrote:
> Given the powers of a post-snowden MITM, the claim in Greg's posting seems
> legitimate.
>
> This same class of attack will work on practically any system
We've already acknowledged on twitter [1] the fact that this class of attack does not work on blockchains and DNSChain.
That is for two reasons:
1. With blockchains, only the owner of a domain can update SSL certificates. With CT and X.509, your domain does not belong to you exclusively, and therefore thousands of others can create SSL certs for your domain.
2. With blockchains, censorship or DoS to the P2P network can only prevent nodes from receiving updates, it does not make them forget what they've already learned. Since most SSL certs are long-lived, the threat is far less significant than it is with CT.
Kind regards,
Greg Slepak
[1] https://twitter.com/taoeffect/status/514884562720399360
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140926/8bdd128a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140926/8bdd128a/attachment.sig>
More information about the cryptography
mailing list