[messaging] Gossip doesn't save Certificate Transparency

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Sep 27 22:47:27 PDT 2014

Chris Palmer <snackypants at gmail.com> writes:

>On Saturday, September 27, 2014, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>> That's always puzzled me about CT, who is going to monitor these logs, and why
>> would they bother?  This seems to be built from the same fallacy as "open-
>> source code is more secure because lots of people will be auditing the code
>> for security bugs".
>It's a simple matter of a shell script to scan logs for misissuance for names
>you care about. Google certainly cares, EFF and other activist organizations,
>PayPal, Facebook, ...

So in other words it'll help the organisations who are already more or less
covered by certificate pinning (except that CT does it in a really roundabout,
complex manner rather than directly at the source as pinning does).

Looking at what CT gives you, there seem to be three scenarios to cover:

1. Cert issued for Google or Paypal.
2. Cert issued for First Bank of Podunk.
3. Cert issued for www.verify-chase-credit-card.com.

Case #1 is already handled by pinning, and cases #2 and #3 won't be helped
through CT.  So CT will end up solving the browser PKI problem in the same way
that SPF solved the spam problem.

It is a lot of fun to theorise about and debate, as the ongoing discussions
have more than proven, but it's not going to be a lot of use if the attackers
don't even notice it's there.

>But as Trevor says, we are off topic now...

I think trying to determine whether a purported crypto solution to a problem
will actually solve it is definitely on-topic, but just in case I've cross-
posted to the cryptography list, and people can edit followups as required.


More information about the Messaging mailing list