Re: [Trans] Call for adoption, draft-linus-trans-gossip-ct
Tom Ritter <tom@ritter.vg> Thu, 06 August 2015 15:46 UTC
Return-Path: <tom@ritter.vg>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 098C91B3060 for <trans@ietfa.amsl.com>; Thu, 6 Aug 2015 08:46:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.321
X-Spam-Level: *
X-Spam-Status: No, score=1.321 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B5a-gFxtCTcK for <trans@ietfa.amsl.com>; Thu, 6 Aug 2015 08:46:25 -0700 (PDT)
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FDD31B305D for <trans@ietf.org>; Thu, 6 Aug 2015 08:46:25 -0700 (PDT)
Received: by igbij6 with SMTP id ij6so13752916igb.1 for <trans@ietf.org>; Thu, 06 Aug 2015 08:46:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=L0f57EOC3DBpSulkQVcSoDDlsyzgmYfzVn2mqc+qymM=; b=4KHPOlqWfKmrhcrDIV2k02V+e+p8466/+LUYtiete1KvVWf9pZH9+QnCBSEnp58ou4 SryQsFC1R47fl6i0x67+2cbMSukRqLFhMSzKfNluWAZd5gfU5cxhuzjbFtbTv+epJ4UL cSeP82pqV4xJWHwYedMXC+kOdahLykNp3qEDc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=L0f57EOC3DBpSulkQVcSoDDlsyzgmYfzVn2mqc+qymM=; b=Se79edQPcQ37qC0tS5z/krveX+pdQBV0w8Z2y8XgLVBlUEXuEvhNZrO09BdVt6pU1z 9DxFxCJFAaMqb2m70HRbTIi3CR+lhk/+by3p61EI3fLT1QSrtRuvtJcBTR6sHR0LW6Iw Lqizco6YVJ7Feq42h/ZPQhpOtNgu55BRzIKxC3oj12jzwxbT7golqAVmHLl+8CX6XbMH 2H1HBYhbOu1nXq9erXXabK09MSOdYblDJwZg63W9d4suKW0LXwkoX/Ep4aBK3kw7ea4Y UQSflFs1opfPJgNugoeRAfNzuTa6keUBLbgAmhW/E7XscMF7mQlapnAmuayleABJIxb8 aVbg==
X-Gm-Message-State: ALoCoQm+BWM25UzAPDvZ7Wnga5YkoWYpjYdWeXCVW9e3VaQflxlyqcCt/kPiYKEtAmDcxsWOV1iw
X-Received: by 10.50.102.68 with SMTP id fm4mr4666531igb.25.1438875984478; Thu, 06 Aug 2015 08:46:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.71.1 with HTTP; Thu, 6 Aug 2015 08:46:04 -0700 (PDT)
In-Reply-To: <7BE2DAF1-6D52-4E6C-A00D-0F91B74B5028@gmail.com>
References: <mailman.3884.1437667800.3631.trans@ietf.org> <6E6EF479-66BE-4EBE-956C-22009BCED863@gmail.com> <CABrd9SRG-SQtADhS=hee_Zf4vzMETyZOYtqg5Xp82Dq70C0puQ@mail.gmail.com> <7BE2DAF1-6D52-4E6C-A00D-0F91B74B5028@gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Thu, 06 Aug 2015 08:46:04 -0700
Message-ID: <CA+cU71mQK79=dVOOq14fOtG_QdeEUujRNbLN0y+0RchCOvOW6w@mail.gmail.com>
To: Bryan Ford <brynosaurus@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/wTRCn8_txsR66lKdNmZySL1ScD0>
Cc: "trans@ietf.org" <trans@ietf.org>, Ben Laurie <benl@google.com>
Subject: Re: [Trans] Call for adoption, draft-linus-trans-gossip-ct
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Aug 2015 15:46:27 -0000
Thanks for this Bryan. I'm going to echo Ben a bit: On 6 August 2015 at 02:17, Bryan Ford <brynosaurus@gmail.com> wrote: > It creates new privacy problems by requiring the client (browser user) to > “opt out” of web browsing privacy in order to gain any security benefit. > Either the user hands over all his browsing history to a remote “trusted > auditor”, thereby opting out of privacy; or else the user remains fully > vulnerable to the same kind of (potentially extended) MITM attacks that > motivated CT in the first place. If the Trusted Auditor mode is a default that requires Opting Out instead of Opting In I think I speak for every author when I say we will have considered this a huge failure and will rally against it as much as we can. > Could you explain how “the system as a whole” detects such misbehavior in > the case of the state/ISP-level MITM attacker scenario? > > As I see it, if the client/browser doesn’t opt-out of privacy by gossiping > his browsing history with a trusted auditor, then the client’s *only* > connection to the rest of the world, i.e., “the system as a whole”, is > through the “web server”, which may well be the same kind of MITM attackers > that have been known to subvert the CA system. The client never gets to > communicate to the rest of the system - i.e., the legitimate CT log servers, > auditors, or monitors - and so the client never gets the opportunity to > “compare notes” with the rest of the system. And the rest of the system > (the legitimate log servers, auditors, and monitors) never have the > opportunity to learn from the client that the client saw a MITM-attacked, > forged set of CA certs, STHs, and SCTs. In SCT Feedback the only connection to disclose data about Website A is indeed website A. In STH Feedback, assuming the client can resolve a Cert to a STH via an inclusion proof (which we currently suggest via DNS, but other mechanisms can exist, such as Tor) - that STH will be pollinated to _any_ website. And the split-view log will be caught. So that's how the 'system as a whole' detects the issue. The difference is of course because the SCT is private data that reveals browsing history, the STH is not (not counting old-STH attacks which we mitigate). If an attacker can both persistently MITM someone to a website (or the whole internet) and DoS the STH lookup mechanism (and compromise a log and a CA) - yes, the attacker wins. Attackers who can persistently MITM users forever are extremely powerful and we have no way to defend against them except to make all your client software just stop working. This applies to the CA system absent CT, it requires to the CA system with CT, and it applies to software updates. If you can write exploits, but not find bugs - just wait for a patch to come out, block the update, take your leisurely time reverse engineering, writing the exploit, and using it. I don't mean to dismiss this concern, but a) I don't believe SCT Feedback and STH Pollination cause privacy problems b) This problem is so hard that no one is attempting to defend against it c) History suggests such attackers are not all-powerful. Or at least, we've caught a lot of folks who could have gotten away with it that supposedly had that capability and could have known better. > Or are you saying (contrary to my prior understanding) that Chrome requires > *all* CT certs to have multiple SCTs signed by different log servers? As Ben said, the end goal is to use it for everything. I don't know when we'll get there, but in the interim there will probably be a period of opt-in: https://ritter.vg/blog-require_certificate_transparency.html > But isn’t that precisely what happened in the prior COMODO and DigiNotar > cases, where the MITM attacks were detected only when a few more > security-conscious users compared the certificates they were seeing against > what the rest of the world was seeing through nonstandard “side-channels”? http://wiki.cacert.org/Risk/History and my recollection indicates DigiNotar - Chrome Pinning google.com TurkTrust - Chrome Pinning google.com ANSSI - Chrome Pinning google.com India CCA - Chrome Pinning google.com CNNIC - that website indicates it was CT that caught it, but I think that's a misunderstanding it was again Chrome Pinning google.com The Comodo incident you reference, was that the mozilla.com cert in 2008? That was someone just trying a RA portal and getting a cert: http://www.theregister.co.uk/2008/12/29/ca_mozzilla_cert_snaf/ Despite all the effort to find such certs manually, via MEKAI, Perspectives, Convergence, Cert Patrol, and others - I'm not aware of anyone ever catching a CA-signed misissued cert manually. > With the multi-SCT approach, the amount of bandwidth consumed during TLS > negotiation with every CT-supporting website increases linearly with n. > With the scalable multisignature approach, n can increase to arbitrarily > large size - a hundred, a thousand if needed - e.g., including all the > public auditors, monitors, etc. - without any increase in the size of > certificates, number of SCTs attached, or ultimately the bandwidth/latency > overhead during TLS negotiation. While we aim to keep SCTs small as Ben indicated - yes, sending 10 would be quite a bit. I'm not sure of a great answer here.. I think the onus is kind of on the community to curate and run a fewer number of high-quality, mutually distrusting, different-juristictional logs. > 2. Our original design for CT did indeed have certs served along with an STH > and an inclusion proof. Unfortunately, CAs categorically rejected this > approach because of the latency it introduced in the certificate issuance > process. Personally, I think it would be a better approach. Now CAs are more > accepting of CT, perhaps it would be worth revisiting the question with > them? > > > Agreed, that would be great. I am most excited about the prospect of sending an inclusion proof to a recent STH to the client - but I don't actually think the cert is the answer. I think it's a TLS extension or (better) an OCSP staple. Doing this would eliminate what I think is the weakest part of the gossip document - the requirement to obtain a STH from a SCT (well a cert) via some 'privacy preserving manner'. (Which we, again, theorize to be DNS, but I don't think that's the answer for everyone.) If the STH was included in the Cert, that doesn't really change the game for me. 1) The STH could be a STH on the split view of the log, so the immediate-decision security is no better that just sending a SCT. 2) The STH is too old. I don't want clients pollinate old STHs, because as time goes on, old STHs will be rarer and will be indicative of what website you visited. After 2.5 years there will only be 100? 1000? popular websites with that STH in the cert. So the old STH needs to be resolved to a recent STH, and you pollinate _that_. -tom
- [Trans] Call for adoption, draft-linus-trans-goss… Melinda Shore
- Re: [Trans] Call for adoption, draft-linus-trans-… Salz, Rich
- Re: [Trans] Call for adoption, draft-linus-trans-… Eran Messeri
- Re: [Trans] Call for adoption, draft-linus-trans-… Rob Stradling
- Re: [Trans] Call for adoption, draft-linus-trans-… Bryan Ford
- Re: [Trans] Call for adoption, draft-linus-trans-… Dmitry Belyavsky
- Re: [Trans] Call for adoption, draft-linus-trans-… Ben Laurie
- Re: [Trans] Call for adoption, draft-linus-trans-… Rob Stradling
- Re: [Trans] Call for adoption, draft-linus-trans-… Tom Ritter
- [Trans] Fwd: Call for adoption, draft-linus-trans… Melinda Shore
- Re: [Trans] Fwd: Call for adoption, draft-linus-t… Salz, Rich
- Re: [Trans] Fwd: Call for adoption, draft-linus-t… Tim Wicinski
- Re: [Trans] Fwd: Call for adoption, draft-linus-t… Leif Johansson
- Re: [Trans] Call for adoption, draft-linus-trans-… Bryan Ford
- Re: [Trans] Call for adoption, draft-linus-trans-… Ben Laurie
- Re: [Trans] Call for adoption, draft-linus-trans-… Tom Ritter
- Re: [Trans] Call for adoption, draft-linus-trans-… Karen Seo
- Re: [Trans] Call for adoption, draft-linus-trans-… Bryan Ford
- Re: [Trans] Call for adoption, draft-linus-trans-… Bryan Ford
- Re: [Trans] Call for adoption, draft-linus-trans-… Ben Laurie
- Re: [Trans] Call for adoption, draft-linus-trans-… Ben Laurie
- Re: [Trans] Call for adoption, draft-linus-trans-… Rob Stradling
- Re: [Trans] Call for adoption, draft-linus-trans-… Tom Ritter
- [Trans] CT "Lite" idea (was Re: Call for adoption… Rob Stradling
- Re: [Trans] Call for adoption, draft-linus-trans-… Ben Laurie
- Re: [Trans] Call for adoption, draft-linus-trans-… Bryan Ford
- Re: [Trans] Call for adoption, draft-linus-trans-… Ben Laurie
- Re: [Trans] Call for adoption, draft-linus-trans-… Bryan Ford
- Re: [Trans] Call for adoption, draft-linus-trans-… Ben Laurie