[messaging] Gossip doesn't save Certificate Transparency
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sat Sep 27 22:47:27 PDT 2014
Chris Palmer <snackypants at gmail.com> writes:
>On Saturday, September 27, 2014, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>> That's always puzzled me about CT, who is going to monitor these logs, and why
>> would they bother? This seems to be built from the same fallacy as "open-
>> source code is more secure because lots of people will be auditing the code
>> for security bugs".
>
>It's a simple matter of a shell script to scan logs for misissuance for names
>you care about. Google certainly cares, EFF and other activist organizations,
>PayPal, Facebook, ...
So in other words it'll help the organisations who are already more or less
covered by certificate pinning (except that CT does it in a really roundabout,
complex manner rather than directly at the source as pinning does).
Looking at what CT gives you, there seem to be three scenarios to cover:
1. Cert issued for Google or Paypal.
2. Cert issued for First Bank of Podunk.
3. Cert issued for www.verify-chase-credit-card.com.
Case #1 is already handled by pinning, and cases #2 and #3 won't be helped
through CT. So CT will end up solving the browser PKI problem in the same way
that SPF solved the spam problem.
It is a lot of fun to theorise about and debate, as the ongoing discussions
have more than proven, but it's not going to be a lot of use if the attackers
don't even notice it's there.
>But as Trevor says, we are off topic now...
I think trying to determine whether a purported crypto solution to a problem
will actually solve it is definitely on-topic, but just in case I've cross-
posted to the cryptography list, and people can edit followups as required.
Peter.
More information about the Messaging
mailing list