[Cryptography] The Trouble with Certificate Transparency

Paul Wouters paul at cypherpunks.ca
Sat Sep 27 18:31:51 EDT 2014


On Sat, 27 Sep 2014, Greg wrote:

> The two certs (legit and false) will happily live side-by-side in the tree undetected by the gossip protocol.

That's why clients reporting a cert change to the TLS server is a very
useful tool. Once you are no longer MITM'ed and see a different cert,
you inform the legitimate owner that something bad happened. So it
becomes obvious to everyone without needing to monitor "1000s of logs",
because the owners will automatically collect rogue certs for
investigation.

For important domains (defined by the user, for example by "having been
there once before") it can simply insist on rejecting every cert change
that has not been validated by a handful of independent logs. That is,
without a proper prepublishing period, you will not accept the new
certificate regardless of signatures of log entries. That prevents MITM
attacks completely for sites visited before. An OS or browser could also
prefetch the top 1000 domains daily, which would prevent fingerprinting
and will preload your OS.

CT is an infrastructure for security. Like all security, you need to
use it with the right tools.

Paul
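
The client-side policy sketched in the post (pin a cert for sites seen before, refuse a changed cert unless a handful of independent logs recorded it well before the visit, and report the certs that were refused once a trusted cert is seen again), as an added worked example that is not code from the thread, from any browser, or from any CT library. It assumes the SCT signatures have already been verified, that each SCT carries the operator of the log that issued it (independence is counted per operator, not per log ID), that certificates are identified by a hex fingerprint, and that the sample visits at the bottom are constructed, not captured, data:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class SCT:
    """A signed certificate timestamp as the client sees it (signature already checked)."""
    log_id: str
    operator: str          # who runs the log; "independent" is counted per operator
    timestamp: datetime    # when the log accepted the (pre)certificate


@dataclass(frozen=True)
class PresentedCert:
    host: str
    fingerprint: str       # assumed: hex digest of the leaf certificate
    scts: tuple            # tuple of SCT


@dataclass
class Policy:
    min_independent_logs: int = 3
    prepublish_period: timedelta = timedelta(hours=24)


@dataclass
class HostState:
    pinned: Optional[str] = None                 # fingerprint last accepted for this host
    rejected: set = field(default_factory=set)   # fingerprints refused since the pin was set


class PinningClient:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.hosts = {}      # host -> HostState
        self.reports = []    # what would be sent to the site owner for investigation

    def _prepublished(self, cert: PresentedCert, now: datetime) -> bool:
        """True if enough independent log operators recorded the cert before the window."""
        cutoff = now - self.policy.prepublish_period
        operators = {s.operator for s in cert.scts if s.timestamp <= cutoff}
        return len(operators) >= self.policy.min_independent_logs

    def evaluate(self, cert: PresentedCert, now: datetime) -> str:
        state = self.hosts.setdefault(cert.host, HostState())
        if state.pinned is None:
            # Trust on first use: the site is not yet "important" to this client.
            state.pinned = cert.fingerprint
            return "accept-first-use"
        if cert.fingerprint == state.pinned:
            verdict = "accept-pinned"
        elif self._prepublished(cert, now):
            verdict = "accept-prepublished"
        else:
            # Cert changed but was not visible in enough logs beforehand: refuse it
            # even though its SCTs are signed, and remember it for later reporting.
            state.rejected.add(cert.fingerprint)
            return "reject-not-prepublished"
        if state.rejected:
            # We now hold a cert we trust for this host, so we are presumably no longer
            # intercepted; hand the owner the fingerprints we were shown meanwhile.
            self.reports.append({"host": cert.host, "trusted": cert.fingerprint,
                                 "suspect": sorted(state.rejected)})
            state.rejected.clear()
        if verdict == "accept-prepublished":
            state.pinned = cert.fingerprint
        return verdict


def demo():
    """Constructed sequence of visits: legit cert, two MITM attempts, rotation, revisit."""
    now = datetime(2014, 9, 27, 22, 0, tzinfo=timezone.utc)

    def sct(log_id, operator, hours_ago):
        return SCT(log_id, operator, now - timedelta(hours=hours_ago))

    client = PinningClient(Policy(min_independent_logs=2, prepublish_period=timedelta(hours=24)))
    legit1 = PresentedCert("example.com", "1111", scts=(sct("log-a1", "A", 400), sct("log-b1", "B", 400)))
    # Three logs but one operator, all issued an hour ago: neither independent nor prepublished.
    rogue1 = PresentedCert("example.com", "dead", scts=(sct("log-a1", "A", 1), sct("log-a2", "A", 1), sct("log-a3", "A", 1)))
    # Two operators, but logged only an hour ago: signatures fine, prepublishing period not met.
    rogue2 = PresentedCert("example.com", "beef", scts=(sct("log-a1", "A", 1), sct("log-b1", "B", 1)))
    # Genuine rotation, published to two operators three days earlier.
    legit2 = PresentedCert("example.com", "2222", scts=(sct("log-a1", "A", 72), sct("log-b1", "B", 72)))

    verdicts = [client.evaluate(c, now) for c in (legit1, rogue1, rogue2, legit2, legit2)]
    return verdicts, client


if __name__ == "__main__":
    verdicts, client = demo()
    print(verdicts)
    print(client.reports)
```

The rejection branch is what makes the freshly mis-issued certificate useless to the attacker: its SCTs verify, but the client will not honour a change for a pinned host until independent logs have carried the certificate for the full prepublishing period, and the refused fingerprints end up in a report for the owner rather than being silently forgotten.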


More information about the cryptography mailing list