[Cryptography] The Trouble with Certificate Transparency

Greg greg at kinostudios.com
Sat Sep 27 01:34:46 EDT 2014


On Sep 26, 2014, at 8:07 PM, Tony Arcieri <bascule at gmail.com> wrote:

> In the James Mickens security scale of "Not Mossad" to "Mossad", your attack falls into the class of "Mossad".

1. It does not.
2. Even if it did, that would still be a problem, as it's not "Mossad", it's NSA, GCHQ, and yes, they are probably MITMing your connection right now as we speak :P.

All that's necessary to pull off this attack (currently) is just one rogue Clog (CA/log combo).

Say the RFC changes and requires two SCTs.

You only need one rogue Clog for the attack to work and be undetected.

1. Rogue Clog creates fraudulent cert and SCT
2. It sends the cert to another log (a good one), thus obtaining two SCTs
3. It MITMs connections to the website
4. Gossip proceeds as normal. Nothing is blocked. All clients see the correct STHs for the Clog.
5. Clog finishes its dirty business and re-instates the original certificate.

Before, during, and after the attack, all clients see the correct STHs, get their Merkle consistency and audit proofs from the Clog, and proceed like normal.

The only thing that could detect this are the Monitors, but they aren't going to save you because they would need to monitor *all* logs for *all* domains and alert *everyone* about those changes (difficult enough, you'd need a... b-b-b-blockchain!) and get those alerts safely (without censorship or tampering) to everyone on Earth.

More info:

http://www.ietf.org/mail-archive/web/trans/current/msg00588.html

> Here's the problem with that: you lose. The end.

Yes, Game Over for Certificate Transparency.

Maybe the blockchain can save it, but if it does, people will realize that they don't need Certificate Transparency, so it's Game Over either way.

Cheers,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
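
The point in the message above about audit proofs and Monitors, as an added example that is not part of the original post: a log entry for a mis-issued certificate yields a valid RFC 6962 inclusion proof like any other entry, so only a check of who issued it exposes it. The `name|issuer` entry format, the CA names and `unexpected_issuers` are constructed for illustration.

```python
import hashlib

def _h(data):
    return hashlib.sha256(data).digest()

def _split(n):
    # Largest power of two strictly less than n (RFC 6962, section 2.1)
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_hash(leaves):
    # Merkle Tree Hash: 0x00 prefix for leaves, 0x01 for interior nodes
    if len(leaves) == 1:
        return _h(b"\x00" + leaves[0])
    k = _split(len(leaves))
    return _h(b"\x01" + tree_hash(leaves[:k]) + tree_hash(leaves[k:]))

def audit_path(m, leaves):
    # Sibling hashes from leaf m up to the root (what the log serves)
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return audit_path(m, leaves[:k]) + [tree_hash(leaves[k:])]
    return audit_path(m - k, leaves[k:]) + [tree_hash(leaves[:k])]

def root_from_path(leaf, m, n, path):
    # Client side: recompute the root from one leaf and its audit path
    if n == 1:
        return _h(b"\x00" + leaf)
    k = _split(n)
    if m < k:
        return _h(b"\x01" + root_from_path(leaf, m, k, path[:-1]) + path[-1])
    return _h(b"\x01" + path[-1] + root_from_path(leaf, m - k, n - k, path[:-1]))

def unexpected_issuers(entries, domain, allowed):
    # Monitor side: entries for `domain` whose issuer the owner did not authorise
    hits = []
    for i, e in enumerate(entries):
        name, issuer = e.decode().split("|")
        if name == domain and issuer not in allowed:
            hits.append(i)
    return hits

# Constructed log contents in a made-up "name|issuer" format, not real CT entries
LOG = [b"a.test|CA-One", b"example.test|CA-One", b"b.test|CA-Two",
       b"example.test|Clog-CA", b"c.test|CA-One"]
ROOT = tree_hash(LOG)  # stands in for the root hash in a signed tree head
```

The inclusion proof for entry 3 checks out against `ROOT`; the entry stands out only when a monitor for `example.test` compares issuers against the set the domain owner actually uses.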
