how does CT protect against targeted attacks?

61 views
Skip to first unread message

Irene Trujillo

unread,
Sep 28, 2015, 3:59:38 PM9/28/15
to certificate-transparency
From http://www.certificate-transparency.org/comparison ...
TA (Detects targeted attack): if the server is replaced by an evil server (or MitM) for one person or a small number of people, can the protocol protect those people?
Certificate Transparency: Yes

I have not been able to figure out how users are protected from targeted attacks -- could someone explain?

It seems to me that, for example, Hypothetical Hacker Group (or HHG) could compromise Hypothetical Certificate Authority (HCA) and Hypothetical Certificate Transparency Log (HCTL) and then serve an SCT from HCTL only to John Doe; if John Doe's browser even bothers to check HCTL to confirm that the certificate exists there, HCTL could simply serve a different log/hash for John Doe's request.

How is John Doe protected from this scenario? How is this any different from compromises to CAs in the past?

I will appreciate your time in addressing my question :-)

Adam Eijdenberg

unread,
Sep 29, 2015, 12:27:43 AM9/29/15
to certificate-transparency
Under a CT model*, if a CA alone is compromised, the attacker will need to write the misissued certificate to at least 2 publicly trusted logs in order to convince John that the certificate is legitimate.

Here any interested party (in particular the site-owner) can monitor the logs and take appropriate action with the CA if they detect a misissued certificate.  This differs from today, where in the event of a CA compromise, neither the site-owner nor other parties are able to detect misissuance.

If the attacker also deeply compromises at least 2 publicly trusted CT logs (in addition to the CA) and is able to temporarily present split-views to the client, then this is where gossip of STHes and/or SCTs comes into play, the exact details of which are still be worked out, the latest draft can be found here: https://tools.ietf.org/html/draft-linus-trans-gossip-ct-02.

The key goal of CT isn't to directly prevent a MITM attack (since compromising a CA alone will produce a cert that an attacker can send to logs to get SCTs), but rather to deter them by making such attacks easily detectable.  To do so CT brings transparency to the operations of both CAs and logs such that any party can verify the correct operation of these trusted parties.  In doing so we move the internet forward from the existing "trust" model to a "trust, but verify".

* For this we assume the browser requires at least 2 SCTs be present for all certificates, similar to Chrome's current policy for EV certificates.
 

I will appreciate your time in addressing my question :-) 

--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages