Hi, This gossiping that people is talking about, what is it? Here's a summary of what I think some people mean when they say gossip and what problem this thing tries to solve. It's based on a few IETF-related documents and not the full picture. I'd be interested to hear what other people read into the concept of gossiping in CT
A CT log which is audited and monitored without complaints can still mount a partitioning attack on its clients. The easiest case, from the logs perspective, is to divide the clients in two sets and serve them two different views of the log. So set A sees view A and set B sees view B. If a client in one set sees an STH from a view meant for another set, it could conclude that the log is misbehaving since the log cannot produce a consistency proof between STH(A) and STH(B). (Unless A and B are forks from a tree splitting at the older of the two tree heads, but then they'd technically not be different views.) The same is true for a client seeing an SCT from one view and an STH from another because the log cannot produce an inclusion proof of an entry in A being part of STH(B). Gossiping then is the spreading of information about a given log, aiming to cross the potential boundaries between different sets of clients of that log. * Whom to gossip with In order to maximise the chance of crossing a border between to sets of clients in a partitioning attack, clients should try to talk with as many different clients as possible. * What to gossip The more information shared, the better detection we seem to get. But sharing information have privacy implications. It seems to me that sharing STH's is much less problematic than sharing SCT's. Showing someone an STH will reveal that you've been receiving data, directly or indirectly, from a given log as late as 'timestamp'. (The log is not identified more than with a tree hash and a signature but that's enough for confirming a given log, given access to it and its public key.) The increase in fingerprintability that CT gossiping of STH's would add would depend on the deployment of CT support in browsers and how browser vendors select which logs to use. Showing someone an SCT will reveal that you've received data about a given site (through the x509 certificate) from a given log (through the LogID) no later than a given time (timestamp). This might be a strong indication that you've visited that site but this depends on how other clients behave. It's been suggested that STH's are to be gossiped. The question about which STH's to gossip about has not been answered. * How to gossip It's been suggested that web browsers should use TLS connections to web servers for gossiping. One argument for that is that this makes the attack of blocking the gossiping messages hard to get away with without people noticing because it means blocking TLS to all servers participating. This can hopefully be useful as a starting point for discussing gossiping in trans. _______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
