[Cryptography] The Trouble with Certificate Transparency

Bear bear at sonic.net
Sun Sep 28 01:21:27 EDT 2014


On Sat, 2014-09-27 at 14:53 -0700, Tony Arcieri wrote:
> On Sat, Sep 27, 2014 at 2:51 PM, Greg <greg at kinostudios.com> wrote:
>         Forks are protected against by PoW. It is automatic. If the
>         connection is completely censored, and they are shown only a
>         false fork that the MITM is making, that has already been
>         brought up and addressed by myself and Bear in previous
>         emails.
> 
> 
> What if a MitM prevents you from ever seeing the longer fork? 

That is really hard to do.  

A blockchain is public; it should be the same for everybody you
communicate with, and everybody *ELSE* communicating using the 
same structure.  Its caching structure and request structure reflect
this; the people who have it will cache, forward, and share it 
promiscuously. And to prevent your MITM target from seeing it, 
you have to shut all of them up.

He doesn't even need to identify himself in order to get the current
top node of the blockchain, from any peer, at any time.  He can close
his connection, walk down to the coffeeshop, and reopen the connection.
You either abandon the MITM on him and then he knows instantly that 
he was on a bad fork, or somehow expand it in midstream to include 
all the customers at the coffee shop who are on the same wi-fi 
server, because the server will be serving all their requests for the 
same data out of the same cache. 

If he knows *anyone* using the protocol, and can't sync up with 
them on the same version of the blockchain, he knows there's 
something wrong.  So the attacker can't MITM one target; he has 
to block everyone that target knows as well.  And this isn't even 
a stable set; the guy you're attacking walks into a Wal-Mart, his 
cell phone connects with their free wifi, and if anybody else in 
the store is using the same blockchain, you lose, because he's 
going to see the version cached on the server you haven't been 
MITMing up to that point.  Or, if he doesn't because you can 
pwn Wal-mart's server so fast, on demand, that he never sees the 
legit blockchain, then a bunch of Wal-Mart customers you haven't 
been MITMing up to that point have to be transitioned from the
non-attack version of the blockchain to the attack version, 
which they're all going to notice. 

Because there's no need for anyone to identify themselves to get the
correct current version of the blockchain, I think it would be really
hard for an MITM to single out a target or small subset to show a
different version of the blockchain to -- or, especially, to prevent 
a particular target or small subset from seeing any other version of 
the blockchain anywhere.  

So, yes, in some artificial universe, for an hour or two at a time, 
someone might be able to MITM a blockchain protocol.  But on an ongoing
basis?  You wind up making a continuing effort, that continues to be 
exponentially more costly and difficult as time goes on, requiring you
to MITM (and maintain the attack on ALL OF) an exponentially increasing
number of additional targets your real person of interest comes into 
contact with (and which THEY come into contact with) that you're not
even interested in, culminating in a requirement that you escalate 
it to a full 51% attack or else it will rapidly collapse.  In the
meantime, you are operating in the certain knowledge that *UNLESS* 
you achieve that 51% attack, one minute after you stop -- or fail --
your MITM target/s will know that they've been on a bad fork the 
whole time.  

You might manage it for a while if your target sits at a desk 
and never moves, and nobody else using that blockchain drifts 
into or out of his network with a mobile or a laptop on wifi.  
But it's hard to imagine carrying it on for any length of time.

			Bear
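The fork-detection argument in the message above, as an added worked example that is not part of the thread: a node only needs to obtain one valid, heavier chain from any peer (the coffee shop, the store wi-fi cache) to discover that the chain it was fed is a fork the real chain does not contain. The code below is a toy simulation written for this page; the block format, the tiny proof-of-work target, the chain names and the fixed-difficulty work measure are all constructed assumptions, not any real blockchain's rules.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Toy proof-of-work: a block hash must begin with this many zero hex digits.
# Deliberately tiny so the example mines in milliseconds (assumption, not a real target).
DIFFICULTY = 2
GENESIS_PREV = "0" * 64


@dataclass(frozen=True)
class Block:
    height: int
    prev_hash: str
    payload: str
    nonce: int

    def hash(self) -> str:
        data = f"{self.height}|{self.prev_hash}|{self.payload}|{self.nonce}".encode()
        return hashlib.sha256(data).hexdigest()


def meets_target(h: str) -> bool:
    return h.startswith("0" * DIFFICULTY)


def mine(prev: Optional[Block], payload: str) -> Block:
    """Grind nonces until the block hash meets the PoW target."""
    height = 0 if prev is None else prev.height + 1
    prev_hash = GENESIS_PREV if prev is None else prev.hash()
    nonce = 0
    while True:
        candidate = Block(height, prev_hash, payload, nonce)
        if meets_target(candidate.hash()):
            return candidate
        nonce += 1


def extend(chain: List[Block], payloads: List[str]) -> List[Block]:
    """Return a new chain that appends one mined block per payload."""
    out = list(chain)
    for p in payloads:
        out.append(mine(out[-1] if out else None, p))
    return out


def valid_chain(chain: List[Block]) -> bool:
    """Each block must link to its predecessor and carry valid proof of work."""
    for i, b in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].hash()
        if b.height != i or b.prev_hash != expected_prev or not meets_target(b.hash()):
            return False
    return True


def work(chain: List[Block]) -> int:
    # With a fixed difficulty, cumulative work is simply the chain length.
    return len(chain)


def is_bad_fork(local: List[Block], best: List[Block]) -> bool:
    """True if the local head is absent from the heavier chain.
    Merely being behind (local is a prefix of best) is not a bad fork."""
    h = local[-1].height
    return h >= len(best) or best[h].hash() != local[-1].hash()


def sync_with_peers(local: List[Block], peers: List[List[Block]]) -> Tuple[List[Block], bool]:
    """One gossip step: adopt the heaviest *valid* chain any peer offers, and report
    whether the chain we held turned out to be a fork that the adopted chain excludes."""
    best = local
    for peer_chain in peers:
        if valid_chain(peer_chain) and work(peer_chain) > work(best):
            best = peer_chain
    return best, (best is not local and is_bad_fork(local, best))


# --- Constructed sample data (not from the thread) ---
HONEST_CHAIN = extend([], ["genesis", "h1", "h2", "h3", "h4", "h5"])  # 6 blocks, the public chain
ATTACK_FORK = extend(HONEST_CHAIN[:3], ["mitm-a", "mitm-b"])          # 5 blocks, forks at height 3
STALE_CHAIN = HONEST_CHAIN[:4]                                         # honest but behind
BOGUS_PEER = HONEST_CHAIN + [Block(6, "ff" * 32, "unlinked", 0)]       # longer but fails validation

if __name__ == "__main__":
    _, bad = sync_with_peers(ATTACK_FORK, [HONEST_CHAIN])
    print("victim on attacker fork hears one honest peer -> bad fork detected:", bad)
    _, bad = sync_with_peers(STALE_CHAIN, [HONEST_CHAIN])
    print("stale honest node catches up -> bad fork:", bad)
```

The two checks in `sync_with_peers` are the whole point: a peer's chain is only adopted if it validates (so a longer but unlinked or un-mined chain cannot displace the local one), and a node that was merely behind is distinguished from one whose head is not an ancestor of the heavier chain. The second case is exactly what the target notices the moment the attacker's isolation lapses.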
