[Trans] Gossiping in CT

Linus Nordberg <linus@nordu.net> Sat, 27 September 2014 13:35 UTC

Return-Path: <linus@nordu.net>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id BDAD81A1B24 for <trans@ietfa.amsl.com>; Sat, 27 Sep 2014 06:35:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.829
X-Spam-Level: *
X-Spam-Status: No, score=1.829 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 7cJhHEL2E3Br for <trans@ietfa.amsl.com>; Sat, 27 Sep 2014 06:35:16 -0700 (PDT)
Received: from e-mailfilter02.sunet.se (e-mailfilter02.sunet.se [IPv6:2001:6b0:8:2::202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E07431A1B18 for <trans@ietf.org>; Sat, 27 Sep 2014 06:35:15 -0700 (PDT)
Received: from smtp1.nordu.net (smtp1.nordu.net [IPv6:2001:948:4:6::32]) by e-mailfilter02.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id s8RDZDSb016599 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <trans@ietf.org>; Sat, 27 Sep 2014 15:35:13 +0200
Received: from kerio.nordu.net (kerio.nordu.net []) by smtp1.nordu.net (8.14.7/8.14.7) with ESMTP id s8RDZAuR019810 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <trans@ietf.org>; Sat, 27 Sep 2014 13:35:13 GMT
VBR-Info: md=nordu.net; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nordu.net; s=default; t=1411824913; bh=bPkIC9Im4iY9I8sNJ1sJuruV6HpI3pSx64hqI7dRKhs=; h=From:To:Subject:Date; b=VYwsKrsGiI0mRnMoVN17j0HowrwgGv3G6xHjcoVjfvwkUadzZlH1HdQONb92YS1Js 5lkeHzJNnWmkzD7f3UIbSayVrvLjlizj4V08vJ1Dozshy3SSndN+MTmHFEYcMv2nn2 Lx/NEC1U3BpMIjdaCrj8Ab5hJqi4dsVqjfGP2B8Y=
X-Footer: bm9yZHUubmV0
Received: from flogsta.nordberg.se ([]) (authenticated user linus@nordu.net) by kerio.nordu.net (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) for trans@ietf.org; Sat, 27 Sep 2014 15:35:13 +0200
From: Linus Nordberg <linus@nordu.net>
To: trans@ietf.org
Organization: NORDUnet A/S
Date: Sat, 27 Sep 2014 15:36:17 +0200
Message-ID: <878ul5tcby.fsf@nordberg.se>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Scanned-By: CanIt (www . roaringpenguin . com)
X-Scanned-By: MIMEDefang 2.74 on
X-p0f-Info: os=unknown unknown, link=Ethernet or modem
X-CanIt-Geo: ip=; country=SE; latitude=62.0000; longitude=15.0000; http://maps.google.com/maps?q=62.0000,15.0000&z=6
X-CanItPRO-Stream: outbound-nordu-net:outbound (inherits from outbound-nordu-net:default, nordu-net:default, base:default)
X-Canit-Stats-ID: 0aMUdzdeX - 10b35b82c935 - 20140927
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/gsGgoqEn-lrm0KxGrYbXwUiY6CM
Subject: [Trans] Gossiping in CT
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Sep 2014 13:35:19 -0000


This gossiping that people is talking about, what is it? Here's a
summary of what I think some people mean when they say gossip and what
problem this thing tries to solve. It's based on a few IETF-related
documents and not the full picture. I'd be interested to hear what other
people read into the concept of gossiping in CT

A CT log which is audited and monitored without complaints can still
mount a partitioning attack on its clients. The easiest case, from the
logs perspective, is to divide the clients in two sets and serve them
two different views of the log. So set A sees view A and set B sees view

If a client in one set sees an STH from a view meant for another set, it
could conclude that the log is misbehaving since the log cannot produce
a consistency proof between STH(A) and STH(B). (Unless A and B are forks
from a tree splitting at the older of the two tree heads, but then
they'd technically not be different views.)

The same is true for a client seeing an SCT from one view and an STH
from another because the log cannot produce an inclusion proof of an
entry in A being part of STH(B).

Gossiping then is the spreading of information about a given log, aiming
to cross the potential boundaries between different sets of clients of
that log.

* Whom to gossip with

In order to maximise the chance of crossing a border between to sets of
clients in a partitioning attack, clients should try to talk with as
many different clients as possible.

* What to gossip

The more information shared, the better detection we seem to get. But
sharing information have privacy implications. It seems to me that
sharing STH's is much less problematic than sharing SCT's.

Showing someone an STH will reveal that you've been receiving data,
directly or indirectly, from a given log as late as 'timestamp'. (The
log is not identified more than with a tree hash and a signature but
that's enough for confirming a given log, given access to it and its
public key.) The increase in fingerprintability that CT gossiping of
STH's would add would depend on the deployment of CT support in browsers
and how browser vendors select which logs to use.

Showing someone an SCT will reveal that you've received data about a
given site (through the x509 certificate) from a given log (through the
LogID) no later than a given time (timestamp). This might be a strong
indication that you've visited that site but this depends on how other
clients behave.

It's been suggested that STH's are to be gossiped. The question about
which STH's to gossip about has not been answered.

* How to gossip

It's been suggested that web browsers should use TLS connections to web
servers for gossiping. One argument for that is that this makes the
attack of blocking the gossiping messages hard to get away with without
people noticing because it means blocking TLS to all servers

This can hopefully be useful as a starting point for discussing
gossiping in trans.