Re: [Trans] [Cryptography] Certificate transparency on blockchains

Tao Effect <contact@taoeffect.com> Fri, 27 March 2015 07:12 UTC

Return-Path: <contact@taoeffect.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6B231A8F3E for <trans@ietfa.amsl.com>; Fri, 27 Mar 2015 00:12:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.334
X-Spam-Level:
X-Spam-Status: No, score=-1.334 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w4ou368BRWaF for <trans@ietfa.amsl.com>; Fri, 27 Mar 2015 00:12:04 -0700 (PDT)
Received: from homiemail-a2.g.dreamhost.com (homie.mail.dreamhost.com [208.97.132.208]) by ietfa.amsl.com (Postfix) with ESMTP id 2A01E1A8BB3 for <trans@ietf.org>; Fri, 27 Mar 2015 00:12:04 -0700 (PDT)
Received: from homiemail-a2.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a2.g.dreamhost.com (Postfix) with ESMTP id BD3BD280070; Fri, 27 Mar 2015 00:12:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=taoeffect.com; h= content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; s=taoeffect.com; bh=0rqo7djf0e92cfPq3 doeZ+cDvmU=; b=QaIWosVSSbPDI8Yk5QnsDcppTMh06lCtIAOCDarDNf5GSDcoS 2pkO8mz/Hcg8GZ+p8jUrdhMPKhefOACB9nN2FeqliR2ZCGAh+VCLTdY6e3TfqgYH 4Uc2qM5NWBtRfoMs0dbDZ5nPlIhEA9Zt2BuomjyOu3MNoHdY5lSIvRKWzg=
Received: from [192.168.1.8] (50-0-163-72.dsl.dynamic.fusionbroadband.com [50.0.163.72]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: contact@taoeffect.com) by homiemail-a2.g.dreamhost.com (Postfix) with ESMTPSA id BD52528006D; Fri, 27 Mar 2015 00:12:02 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_3386114A-CD54-475C-937E-02489787AC6E"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Pgp-Agent: GPGMail 2.5b6
From: Tao Effect <contact@taoeffect.com>
In-Reply-To: <CA+cU71=7G5ZJMx3Vy+gXN00JpB61_6C+DLQRyCS=Hcq3vLR-Sg@mail.gmail.com>
Date: Fri, 27 Mar 2015 00:12:01 -0700
X-Mao-Original-Outgoing-Id: 449133120.886007-2003c5fbcf919afd5c41a9ccdccbfaf3
Message-Id: <CE157D3A-079C-4B09-B138-C21FD9D1FB03@taoeffect.com>
References: <007F2B41-C78E-4332-8206-7E4CB27A638B@kinostudios.com> <alpine.LFD.2.10.1503252231110.16175@bofh.nohats.ca> <2A773227-61C8-4196-8AFF-EC288A8AF150@kinostudios.com> <CA+cU71=7G5ZJMx3Vy+gXN00JpB61_6C+DLQRyCS=Hcq3vLR-Sg@mail.gmail.com>
To: Tom Ritter <tom@ritter.vg>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/B555nGswFp0tpQ111N649tzilgU>
Cc: Paul Wouters <paul@cypherpunks.ca>, "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] [Cryptography] Certificate transparency on blockchains
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2015 07:12:06 -0000

(re-sending from the email I use with [trans].)

Thanks Tom for the very helpful reply.

Thinking this through a bit more, I remember again something that was previously discussed about this technique.

The document does say that clients MUST send the certificate chain back to servers, and that's good, because if that's the case, shouldn't that be enough on its own for servers to detect that a MITM attack occurred (after the MITM leaves)?

If that is so, it seems like a point worth highlighting in the document. It would completely address our concerns about CT's ability to detect MITM attacks post-facto.

Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Mar 26, 2015, at 6:18 PM, Tom Ritter <tom@ritter.vg> wrote:

> On 26 March 2015 at 15:45, Greg <greg@kinostudios.com> wrote:
>> Reading over it, I still have several concerns, which I will voice here but
>> let me know if it would be better to also voice them on [trans].
> 
> It would be better to voice them on trans, which I am copying.  I
> suggest we move it there for follow-ups.
> 
> 
>> In Section 3.1.1, it says:
>> 
>> <begin>
>> 
>> HTTPS servers MUST perform a number of sanity checks on SCTs from
>>   clients before storing them:
>> 
>>   1.  if a bit-wise compare of the SCT matches one already in the
>>       store, discard
>> 
>>   2.  if the SCT can't be verified to be a valid SCT for the
>>       accompanying leaf cert, issued by a known log, discard
>> 
>>   3.  if the leaf cert is not for a domain that the server is
>>       authoritative for, discard
>> 
>>   Check number 1 is a pure optimisation.  Check number 2 is to prevent
>>   spamming and attacks where an adversary can fill up the store prior
>>   to attacking a client.  Check number 3 is to help misbehaving clients
>>   from leaking what sites they visit.
>> 
>> </end>
>> 
>> Concern #1: Discarding invalid SCTs
>> ============================
>> 
>> It is not clear to me what's going on in (2) above.
>> 
>> Specifically:
>> 
>> - How is the server verifying the SCT for validity?
> 
> 
> It checks if the signature over the data is valid.
> 
> 
>> - Why is the server discarding the SCT if it is invalid?
>> 
>> Wouldn't discarding an invalid SCT totally undermine the point of clients
>> sharing them?
> 
> 
> Keeping data for an invalid signature (or a signature for a log which
> I do not recognize and thus don't have the public key) would allow
> clients to store arbitrary data on your server. Complex rate-limiting
> and DoS concerns now apply.
> 
> 
> 
>> Concern #2: The use of the word SHOULD
>> =================================
>> 
>> The doc states:
>> 
>> (with ref to server => auditor comms):
>> <begin>
>> 
>> HTTPS servers SHOULD share all SCTs and certificate data they see
>>   that pass the checks above
>> 
>> </end>
>> 
>> <begin>
>> 
>> Auditors SHOULD provide the following URL accepting HTTPS POSTing of
>>   SCT feedback data:
>> 
>> </end>
>> 
>> <begin>
>> 
>> Auditors SHOULD regularly poll HTTPS servers at the well-known sct-
>>   feedback URL.  How to determine which domains to poll is outside the
>>   scope of this document
>> 
>> 
>> </end>
>> 
>> 
>> As per RFC2119, "SHOULD" means the advice is free to be ignored after the
>> implications are "carefully weighed".
>> 
>> This means that so far the document provides no guarantees that a
>> misbehaving log will be caught.
> 
> 
> Yup. We can't force anyone to participate unfortunately.  A client
> _can_ opt-in to using a trusted auditor and send SCTs to them, which
> then mitigates the concerns over a server not participating.  But I
> will note that if a server does not participate they are essentially
> opening themselves to attacks by logs. So they have an incentive to
> participate.
> 
> 
>> It is also disconcerting that instead of taking direct action themselves,
> 
> 
> There is nothing stopping a server from being an auditor and detecting
> log misbehavior.  I suppose we could add a note in the draft to that
> effect, but it's a pretty weighty option I imagine most people will
> not pursue.
> 
> 
>> servers are supposed to initiate yet another HTTPS connection to an auditor.
> 
> 
> (nit: Server can instead just make the SCTs available for auditors to
> query and retrieve from them. Server doesn't have to initiate outbound
> requests.)
> 
> 
>> This is cumbersome and will probably leave open holes for a global MITM to
>> prevent SCTs from reaching auditors, yet again undermining the entire point
>> of sharing SCTs.
> 
> 
> Yes, an attacker who can persistently isolate a client or server from
> the rest of the internet is powerful, and is difficult to defeat. We
> do not defend against such an attacker. I'm open to suggestions here,
> but none really came to me.
> 
> 
>> While it's definitely a positive sign that the sharing of SCTs and
>> certificate chains is now an official recommendation, I am concerned that
>> the particular implementation is without any teeth to deliver concrete
>> results, and so until these concerns are addressed I am not convinced that
>> the problem has been fully addressed.
> 
> 
> That's fair.  There are limitations to the draft, to be sure - but
> balancing the very difficult privacy concerns of literally
> broadcasting the websites you've visited is also important.
> 
> 
> -tom
> _______________________________________________
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography