undefined | Better HN

0 pointsmatthew92192y ago0 comments

Clients get pre certificates (which are portions of the log) as claims in certificates. It's correct that they never download the whole log - I'm simplifying for clarity, not out of lack of understanding.

The fact remains - an adversary with a CA private key that can mitm all of the internet connections for a device can forge a fake CT log and go undetected, if that clients never uses a non-mitm network again.

0 comments

mjg592y ago

No, because the presented certificate won't have any SCT entries (which are embedded in the certificate), and you can't fake the SCT entries without having access to the CT private keys.

matthew9219OP2y ago

> you can't fake the SCT entries without having access to the CT private keys.

So... Governments like the US and China can fake the entries by using their police forces to seize the private keys?

SCT has the same set of problems as TLS - any log will do, not just logs from countries you trust.

mjg592y ago

This is why multiple SCT entries are required. Could you subvert all of this with enough effort? Yes, and the same is true of dnssec. Any form of cryptographic validation is only as secure as the control of its private keys, but modern TLS is designed to require you to compromise at least 3 independent parties in the TLS ecosystem to provide a plausible fake. And at that point why not just get the browser vendor to push a fake update to the user that disables TLS validation entirely? You're either doing all validation yourself, or you're trusting someone. Modern TLS avoids you needing to place trust in any one organisation from the TLS perspective, which makes attacks on other infrastructure components much more appealing.

2 more replies

agwa2y ago

You are almost correct. The claims are called SCTs (precertificates are something else). The SCT is a promise by the log that they have (or will soon) publish the certificate. The promise could be lie. To detect that, the client is supposed to audit the SCT. If the audit fails, the client reports it so the log can be distrusted.

So yes, it's true that if an adversary can permanently silo off a client, it can prevent log misbehavior from being detected, either by blocking the reporting of audit failures, or by presenting a completely different view of the log to to the client. However, in many cases it would be impractical for an adversary to keep up such an attack forever, so CT still has value and I'm a huge fan of it. But it's true it can't stop literally all attacks.

Source: I run the CT monitor which has detected misbehavior in multiple CT logs.

tptacek2y ago

I don't think you're providing clarity at all, because that attack doesn't work.

matthew9219OP2y ago

If you wanted to use your words to explain why you think that, that might be more constructive. I could well respond "yes, it does work" but that wouldn't be useful. I know you're an expert in the space and might appreciate learning from you, but this is not that.

tptacek2y ago

I'm sorry, but I'm declining to do that, because I recognize the message board conversational pattern where all the information you have about the subject is coming from comments rebutting you (this is apparent from things you've said already that fundamentally misapprehend how CT works), and, rather than acknowledging any of that information, you just use it as vocabulary for new misapprehensions.

nickf2y ago

Clients do not get pre-certs. Those are generated by the CA, and submitted to the log in return for an SCT. Forging a ‘fake CT log’ isn’t possible, either. Nor do clients talk to CT logs, at all.

matthew9219OP2y ago

> Forging a ‘fake CT log’ isn’t possible, either

Why do you think this isn't possible?

nickf2y ago

Aside from what mjg59 said, it's clear you don't quite understand how CT works. Logs are stood up and then go through a fairly rigorous acceptance process by Google (and Apple) before finally being used. 'Used' in that a CA can then submit pre-certs to it and include the resulting SCTs in signed certificates, making them functional on Chrome/Apple platforms. Even the CA using the log generally takes some communication with the log operator to ensure the right set of roots are trusted for submitted pre-certs.

CT logs are used by CAs, not clients. A 'fake' log isn't a thing.

1 more reply

mjg592y ago

Because they don't have access to the private key material owned by the CT logs that the browsers trust when validating SCT data in the certificate.

j / k navigate · click thread line to collapse

0 comments

mjg592y ago

No, because the presented certificate won't have any SCT entries (which are embedded in the certificate), and you can't fake the SCT entries without having access to the CT private keys.

matthew9219OP2y ago

> you can't fake the SCT entries without having access to the CT private keys.

So... Governments like the US and China can fake the entries by using their police forces to seize the private keys?

SCT has the same set of problems as TLS - any log will do, not just logs from countries you trust.

mjg592y ago

2 more replies

agwa2y ago

Source: I run the CT monitor which has detected misbehavior in multiple CT logs.

tptacek2y ago

I don't think you're providing clarity at all, because that attack doesn't work.

matthew9219OP2y ago

tptacek2y ago

nickf2y ago

matthew9219OP2y ago

> Forging a ‘fake CT log’ isn’t possible, either

Why do you think this isn't possible?

nickf2y ago

CT logs are used by CAs, not clients. A 'fake' log isn't a thing.

1 more reply

mjg592y ago

Because they don't have access to the private key material owned by the CT logs that the browsers trust when validating SCT data in the certificate.

j / k navigate · click thread line to collapse