Khoth | 2 years ago

Browsers won't accept a certificate unless it comes with proof that it was submitted to a CT log.

So a government could MITM you but they'd have to burn a CA to do it, whether you personally noticed the attack or not, so it's a very high cost attack.

tptacek|2 years ago

This is theoretically true but not really true in practice right now.

If a CA misissues a cert for something major, like Facebook or Google Mail, and Google or Mozilla find out, my current belief is that they'd be in for a world of hurt.

But if a CA misissued such a cert for a single specific target, without a CT SCT, neither Chrome nor Safari will report that (currently, CAs are explicitly allowed to issue non-CT-logged certs; the check on that is that Chrome and Safari won't honor that certificate --- a reason, by the way, to reconsider Firefox). If Google found out that you'd misissued a non-logged Google Mail certificate, you'd get nuked. But there's nothing currently in place to make Google find that out.

It's clear what tweaks to the system would need to occur to make this work the way it would "ideally" work, and the problems are mostly not technical; you'd just have Chrome (or Safari, or Firefox) report certs without SCTs in its default configuration. But that kind of surveillance isn't really a thing right now.

I've been cagey about this in past discussions because my understanding was that the Chrome team did do some of this kind of surveillance informally. And I believe they did --- but I'm told that stopped being a thing years ago. Now they just don't accept certs unless they're logged, and that's that.

agwa|2 years ago

> If a CA misissues a cert for something major, like Facebook or Google Mail, and Google or Mozilla find out, my current belief is that they'd be in for a world of hurt.

It doesn't even need to be major. Misissuing for example.com and test.com were major factors in the distrust of Symantec and Certinomis, respectively.

> It's clear what tweaks to the system would need to occur to make this work the way it would "ideally" work, and the problems are mostly not technical; you'd just have Chrome (or Safari, or Firefox) report certs without SCTs in its default configuration.

This would require a pretty big paradigm shift which is hard to see happening. But as long as clients require SCTs (Firefox needs to hurry up already) this is not really necessary.

> I've been cagey about this in past discussions because my understanding was that the Chrome team did do some of this kind of surveillance informally. And I believe they did --- but I'm told that stopped being a thing years ago.

I'm pretty sure this has never been the case. I think at one point Chrome may have reported certificates for Google domains that were not issued by a Google CA, but this was unrelated to CT.

Or maybe you're thinking of the Googlebot, which logs the certificates it sees while crawling the web.

tialaramex|2 years ago

The proof is an SCT, a signed document from the Log which says "I promise I logged this pre-certificate". [[ In some cases it'll be the actual certificate, but for most real world TLS certificates it's a pre-certificate with the same substantive details; if you think about it you will see why the SCT baked inside your certificate cannot mention the actual document it is baked inside ]]

Now, of course at the moment this document is created, there's no way to be sure this claim is true. The logs are a distributed system.

Twenty-four hours later (the Maximum Merge Delay, this is a global policy decision), the log should, if you interrogate it, be able to show you a log entry matching the SCT, which traces to the agreed Merkle Tree head for that log. If it cannot, in principle that log has failed and must be distrusted. This happens (to one of the dozens of public logs, somewhere) a few times per year on average.

In principle, everybody who sees the log could agree that they see the same Merkle Tree head, thus the certificate really is logged. In practice the mechanisms to ensure this works, a Gossip protocol, do not exist and have never been deployed in practical use.

It's probably fine, but without ever completing the system as designed, it does have flaws.

agwa|2 years ago

> In principle, everybody who sees the log could agree that they see the same Merkle Tree head, thus the certificate really is logged. In practice the mechanisms to ensure this works, a Gossip protocol, do not exist and have never been deployed in practical use.

It has been - the commercial instance of Cert Spotter gossips STHs with Chrome's SCT auditing infrastructure.

Edit: here's the gossip feed of STHs observed by Chrome's SCT auditing infrastructure: https://www.gstatic.com/ct/gossip/ct/v1/sth-pollination

And here's the gossip feed of STHs observed by Cert Spotter: https://certspotter.com/.well-known/ct/v1/sth-pollination