[Cryptography] The Trouble with Certificate Transparency

Greg greg at kinostudios.com
Sat Sep 27 13:17:01 EDT 2014


On Sep 27, 2014, at 9:20 AM, Tony Arcieri <bascule at gmail.com> wrote:

> 1) Alice wants to register the name "alice" with a NameCoin-like system. Mallory wants to MitM her.
> 2) Alice claims the name. Mallory intercepts her claim and produces a forked, poison block chain that contains the name "alice" with her key. Mallory registers the name "alice" with a poison key, and puts that in the "real" block chain
> 3) Bob tries to communicate with "alice" and looks up the poison data Mallory left in the block chain
> 
> A similar attack that would require a similar level of attacker capabilities.

This attack is not similar for the following reasons:

- Here, the attacker would need to continue to MITM the connection between Alice and Bob indefinitely, and that would incidentally require mining blocks for the *sole purpose* of MITMing Alice.
- This attack is trivially detectable by Alice. The second Alice checks a node/service that is not being MITM'd by the attacker (like blockchain.info), or speaks with Bob over some other channel, Alice would know she was being attacked.

In CT:

- The attack is not trivially detected once it is over.
- It does not require any extra efforts (like mining) other than issuing a fraudulent cert and using it to MITM.

Kind regards,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
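
The detection step described in the message above (Alice comparing her view of the chain with a node that is not behind the MITM), sketched as an added example that is not part of the original message. The toy block format, the first-registration-wins lookup, the node names and the key strings are all constructed assumptions, not Namecoin's actual data structures.

```python
import hashlib

GENESIS_PREV = "0" * 64

def block_hash(prev, records):
    # Toy block hash over the parent hash and the sorted name=key records.
    body = prev + "|" + ";".join(f"{n}={k}" for n, k in sorted(records.items()))
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(record_sets):
    chain, prev = [], GENESIS_PREV
    for records in record_sets:
        block = {"prev": prev, "records": records, "hash": block_hash(prev, records)}
        chain.append(block)
        prev = block["hash"]
    return chain

def verify_links(chain):
    # Every block must commit to its parent and to its own records.
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["records"]):
            return False
        prev = block["hash"]
    return True

def resolve(chain, name):
    # Assumption: the first registration of a name wins.
    for block in chain:
        if name in block["records"]:
            return block["records"][name]
    return None

def fork_height(a, b):
    # Height of the first block on which two views disagree; None if one view
    # is a prefix of the other (a lagging node, not a fork).
    for height, (x, y) in enumerate(zip(a, b)):
        if x["hash"] != y["hash"]:
            return height
    return None

def compare_views(name, local, independent):
    # Report each independent view that forks from ours or binds a different key.
    findings = {}
    for source, chain in independent.items():
        if not verify_links(chain):
            findings[source] = "invalid chain"
            continue
        height, key = fork_height(local, chain), resolve(chain, name)
        if height is not None or key != resolve(local, name):
            findings[source] = {"fork_height": height, "remote_key": key}
    return findings

# Constructed sample data: the "real" chain and the fork shown only to Alice.
shared = {"bob": "BOB_KEY"}
REAL = build_chain([shared, {"alice": "MALLORY_KEY"}, {"carol": "CAROL_KEY"}])
POISON = build_chain([shared, {"alice": "ALICE_KEY"}])
```

Calling `compare_views("alice", POISON, {"node_b": REAL})` reports the fork at height 1 and the differing key, which is the signal Alice gets from a single un-intercepted vantage point.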
