[Cryptography] The Trouble with Certificate Transparency

Bear bear at sonic.net
Sat Sep 27 15:13:57 EDT 2014


On Fri, 2014-09-26 at 20:29 -0700, Watson Ladd wrote:

> > 1. With blockchains, only the owner of a domain can update SSL certificates.
> > With CT and X.509, your domain does not belong to you exclusively, and
> > therefore thousands of others can create SSL certs for your domain.
> 
> That's actually a feature, not a bug. We want to be able to steal
> wallmart.com or goldmansachs.com from a domain squatter and transfer
> it. It also solves lost names: if someone loses the keys for xkcd.com,
> fpqc.com is not as valuable as a replacement. This is not the case for
> Bitcoin.

I am no longer convinced that this use case is worth the security 
costs.  

DNS records and CA certificates which can be altered by people who 
do not own the current ones cause the DNS cache poisoning attacks 
we've known about for a long time, but more recently we've been
discovering that these pieces of infrastructure are opening EVERYONE 
up for massive bulk MITM monitoring by anybody who can obtain 
compliance from ISPs, hardware manufacturers, or backbone sites. 
The NSA was only an example case; the real-world attacks are bound
to be as widespread as the vulnerabilities. 

Which, by the time you go down the list of actors, includes not just
lawful authorities who settle legitimate business claims in free 
nations, but also the large ISPs, hardware manufacturers, and 
operators of backbone sites themselves, many of whom have commercial
interests in monitoring traffic.  And it also includes every criminal
organization that is able to infiltrate them or, with normal levels of
corruption that vary worldwide, pay them an adequate bribe.  And
finally, it also includes pretty much every police and spy agency 
of every government of nations where hardware is manufactured and 
every petty dictatorship that traffic passes through.  

Seriously, think about that "made in [[COUNTRY]]" sticker on most 
of the hardware in your home, and ask yourself what's the general 
level of corruption in those countries for purposes of bribing or 
infiltrating the manufacturers, what the government powers are for 
coercing those manufacturers, and how much we really trust all the
people whose fingers could be inside that box.

All told it's just not worth it.  It would be cheaper for businesses 
to just make the one-time payments to domain squatters to buy the
names.  Legitimizing domain-squatting for revenue is far less costly 
to business in the long run than the follow-on effects of the
infrastructure required to de-legitimize it.

>  The "right approach" is to use a blockchain to monitor what certs are out there.

Blockchains help to achieve consensus; but they do not distinguish 
defense from attack.  

There may be a blockchain-based protocol that meets the requirements 
here, if, for example, as with Bitcoin, somebody is willing to pay
65 thousand dollars per hour (at current prices) for security.  But 
be very careful about saying a blockchain solves the problem if 
you don't have a very clear idea about what motivates people to 
secure the chain and why that's more valuable than what motivates
other people to attack it.  Otherwise you have to develop an 
asymmetric advantage for the defenders over the attackers, which 
leads you into the problem of distinguishing defense from attack, 
which leads right back into the problem we have now of who can 
be bribed, coerced, infiltrated, or subverted.


			Bear