[Cryptography] The Trouble with Certificate Transparency

Tony Arcieri bascule at gmail.com
Sat Sep 27 12:20:50 EDT 2014


On Fri, Sep 26, 2014 at 10:34 PM, Greg <greg at kinostudios.com> wrote:

> All that's necessary to pull off this attack (currently) is just one rogue
> Clog (CA/log combo).
>

All that's necessary for any of these organizations to defeat any of these
systems is to do a QUANTUMINSERT style attack to drop a malicious payload
onto the target system.

The best designed protocols can be easily defeated by 0days / RCE.

> Maybe the blockchain can save it, but if it does, people will realize that
> they don't need Certificate Transparency, so it's Game Over either way.
>

You can MitM the block chain just as easily:

1) Alice wants to register the name "alice" with a NameCoin like system.
Mallory wants to MitM her
2) Alice claims the name. Mallory intercepts her claim and produces a
forked, poison block chain that contains the name "alice" with her key.
Mallory registers the name "alice" with a poison key, and puts that in the
"real" block chain
3) Bob tries to communicate with "alice" and looks up the poison data
Mallory left in the block chain

A similar attack that would require a similar level of attacker
capabilities.

Much like with the poison CT Merkle tree, comparing the poisoned block
chain against the real one would expose it. But the attack would've already
happened... so we find ourselves in much the same boat.

But I think that's all silly when we already know how TAO works... endpoint
security is still weak.

-- 
Tony Arcieri
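
Added example (not part of the original message): a toy hash-linked name registry illustrating the point above that the view shown to Alice and the chain Bob reads each validate on their own, and only comparing the two exposes the fork. The block format, names, keys and function names are all constructed assumptions and are not Namecoin's actual format.

```python
import hashlib
import json

GENESIS = "0" * 64

def block_hash(prev, name, key):
    body = json.dumps([prev, name, key]).encode()
    return hashlib.sha256(body).hexdigest()

def build_chain(entries):
    """Build a hash-linked list of (name, key) registrations."""
    chain, prev = [], GENESIS
    for name, key in entries:
        h = block_hash(prev, name, key)
        chain.append({"prev": prev, "name": name, "key": key, "hash": h})
        prev = h
    return chain

def links_valid(chain):
    """Check every hash and back-pointer. Says nothing about which fork is real."""
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or b["hash"] != block_hash(prev, b["name"], b["key"]):
            return False
        prev = b["hash"]
    return True

def resolve(chain, name):
    """First registration of a name wins."""
    for b in chain:
        if b["name"] == name:
            return b["key"]
    return None

def first_divergence(view_a, view_b):
    """Height of the first block where two views disagree, else None."""
    for height, (a, b) in enumerate(zip(view_a, view_b)):
        if a["hash"] != b["hash"]:
            return height
    return None

# Constructed sample data: two earlier registrations shared by both views.
common = [("carol", "carol-key"), ("dave", "dave-key")]
alice_view = build_chain(common + [("alice", "alice-key")])     # fork shown only to Alice
public_view = build_chain(common + [("alice", "mallory-key")])  # chain Bob reads

if __name__ == "__main__":
    print("both views internally valid:", links_valid(alice_view), links_valid(public_view))
    print("Bob resolves alice to:", resolve(public_view, "alice"))
    print("views diverge at height:", first_divergence(alice_view, public_view))
```

The comparison only works once someone holds both views, which is the after-the-fact detection described in the message.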