Re: [therightkey] The Trouble with Certificate Transparency
First, no protocol can really protect you from MITM attacks when you can't have pre-shared key material a priori. Second, CT helps primarily by increasing the risk of MITMing CAs (and logs) getting caught. Anything that increases that risk will tend to make the CAs (and logs) less willing to act as or cooperate with MITMs. Sure, targeted attacks might succeed, but they might fail (e.g., they might be detected after the fact), with all the consequences that that entails (at least reputational damage). Now consider a world where we opportunistically encrypt (and authenticate, where possible). In such a world targeted attacks get much harder: because the attacker might have to MITM non-targets' connections in order to find the target's connections. The risk to the attacker then grows quite a bit (hard to quantify), and the attacker then has to do much more work to reduce their risk. All of the above is not nothing. It's a lot. It might be enough to greatly improve security on the Internet all around. IMO it will be. Nico -- ___ therightkey mailing list therightkey@ietf.org https://www.ietf.org/mailman/listinfo/therightkey
Re: [therightkey] The Trouble with Certificate Transparency
On Fri, 26 Sep 2014, Tao Effect wrote: I pointed out back then that gossip was essential if this attack is to have any hope of being detected, and I am still waiting for those details. The trans working group decided to split the gossip protocol from the main draft and work on it seperately. Seeing that you have some ideas on how it should be implemented, perhaps you're willing to participate in its protocol design? Paul (trans wg co-chair) ___ therightkey mailing list therightkey@ietf.org https://www.ietf.org/mailman/listinfo/therightkey
Re: [therightkey] The Trouble with Certificate Transparency
Dear Dmitry, Thank you for the reply. On Sep 25, 2014, at 6:40 AM, Dmitry Belyavsky wrote: > If I understand correctly, it should be prevented by Auditors and the gossip > protocol (yes, I understand it is not specified in fact). Auditors and gossip > protocol are designed for solving precisely this case. Well, please reply with the details of gossip. This blog post was simply a more formal way of restating an email I'd brought up on [trans] back in May. I pointed out back then that gossip was essential if this attack is to have any hope of being detected, and I am still waiting for those details. > And, BTW, if we ask for more than one SCT in the cert as Ben does, the attack > becomes much more difficult even for the perfect MITM. Define "much more"? If we're dealing with "the perfect MITM", they might own one of the CAs, and then only need to send an NSL to another (or hack another). Not too difficult for "the perfect MITM". Kind regards, Greg Slepak -- Please do not email me anything that you are not comfortable also sharing with the NSA. signature.asc Description: Message signed with OpenPGP using GPGMail ___ therightkey mailing list therightkey@ietf.org https://www.ietf.org/mailman/listinfo/therightkey
Re: [therightkey] The Trouble with Certificate Transparency
Hello, I'm sorry, I do not understand the idea of providing different trees and proofs to different parties. If I understand correctly, it should be prevented by Auditors and the gossip protocol (yes, I understand it is not specified in fact). Auditors and gossip protocol are designed for solving precisely this case. The other possibility is that the Merkle tree is not neither append-only nor verifiable. We should have an perfect MITM that can intercept all the communications by the victim and her/his software to turn this scenario into real life. And, BTW, if we ask for more than one SCT in the cert as Ben does, the attack becomes much more difficult even for the perfect MITM. Thank you! On Wed, Sep 24, 2014 at 10:18 PM, Tao Effect wrote: > Dear [therightkey] list, > > This post explains how undetected MITM attacks still remain possible even > if Google's Certificate Transparency (CT) becomes widely deployed, and it > dissects many of Google's false and misleading claims about it. > > Many thanks go to Zaki (@zmanian), Simon (@simondlr) and others to > reviewing it prior to publication: > > > http://blog.okturtles.com/2014/09/the-trouble-with-certificate-transparency/ > > Kind regards, > Greg > > -- > Please do not email me anything that you are not comfortable also sharing with > the NSA. > > > ___ > therightkey mailing list > therightkey@ietf.org > https://www.ietf.org/mailman/listinfo/therightkey > > -- SY, Dmitry Belyavsky ___ therightkey mailing list therightkey@ietf.org https://www.ietf.org/mailman/listinfo/therightkey