Re: [therightkey] The Trouble with Certificate Transparency

2014-09-30 Thread Nico Williams

First, no protocol can really protect you from MITM attacks when you
can't have pre-shared key material a priori.

Second, CT helps primarily by increasing the risk of MITMing CAs (and
logs) getting caught.

Anything that increases that risk will tend to make the CAs (and logs)
less willing to act as or cooperate with MITMs.

Sure, targeted attacks might succeed, but they might fail (e.g., they
might be detected after the fact), with all the consequences that that
entails (at least reputational damage).

Now consider a world where we opportunistically encrypt (and
authenticate, where possible).  In such a world targeted attacks get
much harder: because the attacker might have to MITM non-targets'
connections in order to find the target's connections.  The risk to the
attacker then grows quite a bit (hard to quantify), and the attacker
then has to do much more work to reduce their risk.

All of the above is not nothing.  It's a lot.  It might be enough to
greatly improve security on the Internet all around.  IMO it will be.

Nico
-- 

___
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey


Re: [therightkey] The Trouble with Certificate Transparency

2014-09-29 Thread Paul Wouters

On Fri, 26 Sep 2014, Tao Effect wrote:


I pointed out back then that gossip was essential if this attack is to have any 
hope of being
detected, and I am still waiting for those details.


The trans working group decided to split the gossip protocol from the
main draft and work on it seperately. Seeing that you have some ideas
on how it should be implemented, perhaps you're willing to participate
in its protocol design?

Paul (trans wg co-chair)

___
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey


Re: [therightkey] The Trouble with Certificate Transparency

2014-09-26 Thread Tao Effect
Dear Dmitry,

Thank you for the reply.

On Sep 25, 2014, at 6:40 AM, Dmitry Belyavsky  wrote:

> If I understand correctly, it should be prevented by Auditors and the gossip 
> protocol (yes, I understand it is not specified in fact). Auditors and gossip 
> protocol are designed for solving precisely this case.

Well, please reply with the details of gossip.

This blog post was simply a more formal way of restating an email I'd brought 
up on [trans] back in May.

I pointed out back then that gossip was essential if this attack is to have any 
hope of being detected, and I am still waiting for those details.

> And, BTW, if we ask for more than one SCT in the cert as Ben does, the attack 
> becomes much more difficult even for the perfect MITM.


Define "much more"? If we're dealing with "the perfect MITM", they might own 
one of the CAs, and then only need to send an NSL to another (or hack another). 
Not too difficult for "the perfect MITM".

Kind regards,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey


Re: [therightkey] The Trouble with Certificate Transparency

2014-09-25 Thread Dmitry Belyavsky
Hello,

I'm sorry, I do not understand the idea of providing different trees and
proofs to different parties.

If I understand correctly, it should be prevented by Auditors and the
gossip protocol (yes, I understand it is not specified in fact). Auditors
and gossip protocol are designed for solving precisely this case.
The other possibility is that the Merkle tree is not neither append-only
nor verifiable.

We should have an perfect MITM that can intercept all the communications by
the victim and her/his software to turn this scenario into real life.

And, BTW, if we ask for more than one SCT in the cert as Ben does, the
attack becomes much more difficult even for the perfect MITM.

Thank you!


On Wed, Sep 24, 2014 at 10:18 PM, Tao Effect  wrote:

> Dear [therightkey] list,
>
> This post explains how undetected MITM attacks still remain possible even
> if Google's Certificate Transparency (CT) becomes widely deployed, and it
> dissects many of Google's false and misleading claims about it.
>
> Many thanks go to Zaki (@zmanian), Simon (@simondlr) and others to
> reviewing it prior to publication:
>
>
> http://blog.okturtles.com/2014/09/the-trouble-with-certificate-transparency/
>
> Kind regards,
> Greg
>
> --
> Please do not email me anything that you are not comfortable also sharing with
> the NSA.
>
>
> ___
> therightkey mailing list
> therightkey@ietf.org
> https://www.ietf.org/mailman/listinfo/therightkey
>
>


-- 
SY, Dmitry Belyavsky
___
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey