[messaging] Gossip doesn't save Certificate Transparency

Tao Effect contact at taoeffect.com
Fri Sep 26 23:00:35 PDT 2014

In a reply to Paul on [1], and Tony on [metzdowd, awaiting mod approval], I detailed a realization that Certificate Transparency (CT) does not seem to detect certificate mis-issuance even if clients are able to successfully gossip Signed Tree Heads (STHs) as per [2].

Steve Kent noticed this problem [3] (see explanation below) in his OP to [1], although he didn't investigate whether gossip would fix it or not.

[1] http://www.ietf.org/mail-archive/web/trans/current/msg00588.html
[2] http://www.ietf.org/proceedings/90/slides/slides-90-trans-2.pdf
[3] http://www.ietf.org/mail-archive/web/trans/current/msg00534.html

Why gossip doesn't work.

The realization is that a rogue CA can do its thing and generate a fraudulent cert to MITM connections *and* log this cert to a log *and* still get away with MITM undetected even with clients gossiping STHs.

STHs are used to generate consistency proofs, but consistency proofs just tell you that the log you're currently looking at includes everything that you saw previously (from an older Merkle tree).

The audit proofs just tell you that a certificate exists in a log. They don't tell you that a certificate is fraudulent. There's nothing preventing fraudulent certs from existing in a log. The proof will tell you it's there, but it won't tell you it's fraudulent.

For more on how these proofs work, see Google's documentation here:


So now, Clog MITMs millions of users, they gossip STHs, it stops MITMing them, they see the original cert, they exchange the same STHs (which don't change just because clients see the original cert).

The only thing that could detect this are the Monitors, but they aren't going to save you because they would need to monitor *all* logs for *all* domains and alert *everyone* about those changes (difficult enough, you'd need a... b-b-b-blockchain) and get those alerts safely (without censorship or tampering) to everyone on Earth.

Game Over for Certificate Transparency?

Unless I'm mistaken, this seems to be Game Over.

Given that another human being also independently saw this problem [3], I am feeling confident enough to share this on this list.

Maybe the blockchain can save CT, but if it does, people will realize that they don't need Certificate Transparency, so it seems like game over either way.

Greg Slepak

Please do not email me anything that you are not comfortable also sharing with the NSA.
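
The point made in the message about audit proofs and gossiped STHs can be checked with a small model of an RFC 6962-style log. This is an added example, not part of the original post: the log entries, the `OWNER_KEYS` table and all function names are constructed for illustration.

```python
import hashlib

def h(b): return hashlib.sha256(b).digest()
def leaf(d): return h(b"\x00" + d)         # RFC 6962 leaf hash prefix
def node(l, r): return h(b"\x01" + l + r)  # RFC 6962 interior node prefix

def split(n):
    """Largest power of two strictly less than n (RFC 6962 split point)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def mth(entries):
    """Merkle Tree Hash of the entries: the root a log signs in its STH."""
    if len(entries) == 1:
        return leaf(entries[0])
    k = split(len(entries))
    return node(mth(entries[:k]), mth(entries[k:]))

def audit_path(m, entries):
    """Audit (inclusion) proof for entry m, as the log would serve it."""
    if len(entries) == 1:
        return []
    k = split(len(entries))
    if m < k:
        return audit_path(m, entries[:k]) + [mth(entries[k:])]
    return audit_path(m - k, entries[k:]) + [mth(entries[:k])]

def root_from_path(leaf_hash, m, n, path):
    """Client side: recompute the root from a leaf hash and its audit path."""
    if n == 1:
        return leaf_hash
    k = split(n)
    if m < k:
        return node(root_from_path(leaf_hash, m, k, path[:-1]), path[-1])
    return node(path[-1], root_from_path(leaf_hash, m - k, n - k, path[:-1]))

# Constructed log entries: domain|issuer|key. The last one is mis-issued.
LOG = [b"example.org|HonestCA|key-A", b"shop.test|HonestCA|key-B",
       b"mail.test|HonestCA|key-C", b"example.org|RogueCA|key-X"]
OWNER_KEYS = {b"example.org": {b"key-A"}}  # assumption: known only to the owner's monitor

def audit_ok(i):      # the audit proof verifies for any logged entry
    return root_from_path(leaf(LOG[i]), i, len(LOG), audit_path(i, LOG)) == mth(LOG)

def gossip_detects_split(sths):   # gossip only notices differing tree heads
    return len(set(sths)) > 1

def monitor_flags():  # detection needs someone who knows the legitimate keys
    return [e for e in LOG if (p := e.split(b"|"))[0] in OWNER_KEYS
            and p[2] not in OWNER_KEYS[p[0]]]
```

The audit proof for the mis-issued entry verifies exactly like the legitimate ones, and every client holds the same tree head, so gossip has nothing to compare; only `monitor_flags`, which needs out-of-band knowledge of the legitimate key, singles out the bad entry.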
