[messaging] yet another CT thread

elijah elijah at riseup.net
Fri Oct 3 23:28:12 PDT 2014

On 10/03/2014 07:02 PM, Tao Effect wrote:

> The other is simply the traditional TLS MITM attack wherein a CA
> issues a fraudulent cert (the primary impetus for CT). .... None of
> CT’s proofs (audit or consistency proofs) will detect mis-issuance of
> a certificate by a rogue CA, not even if gossip of STHs
> (signed-tree-heads) successfully occurs.

Is this not, at its heart, the same issue we have been discussing here
at length? Namely, that ultimately only you know the correct key for
you. This is true for server keys, and true for user keys.

Personally, I am comfortable with this limitation when it comes to
traditional CT but have doubts about it when it comes to a CT-like user
key system. It seems more reasonable to expect sysadmins to practice
higher diligence and know what to do with a funky log. Also, third
parties have more opportunities for auditing since they can just ask the
server at any time what key the server is using. Obviously, this doesn't
help if all connections to a server are MITM'ed, but it is useful otherwise.

On 10/03/2014 07:02 PM, Tao Effect wrote:

>> (1) do you agree that once correctly authenticated connections are
>> established with monitors that future MITM will be prevented (connection
>> will fail closed, system will refuse to work)?
> I'm not sure what you mean by "future mitm" (could you elaborate? is
> this referring to before-the-fact? for the same website? same MITM?).

I mean a MITM between an auditor and a monitor that takes place at some
point in time after the auditor and the monitor have successfully
communicated without interference.
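
An added illustration, not part of this thread, of the point quoted above: an RFC 6962-style log with inclusion (audit) proofs, where a mis-issued entry verifies exactly like a legitimate one, and only a monitor that already knows example.org's real key can flag it. The b"domain:key" entry format, the domain names and the key strings are constructed sample values.

```python
import hashlib

# RFC 6962 hashing: 0x00 prefix for leaves, 0x01 for interior nodes
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()
def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()
def _split(n: int) -> int:  # largest power of two strictly less than n (n > 1)
    return 1 << ((n - 1).bit_length() - 1)

def tree_head(entries):
    # Merkle tree head over all entries (the root hash an STH signs)
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))

def inclusion_proof(index, entries):
    # audit path: sibling hashes from the leaf up to the root
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if index < k:
        return inclusion_proof(index, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [tree_head(entries[:k])]

def verify_inclusion(entry, index, tree_size, proof, root):
    # RFC 9162 audit-proof check: proves the entry is in the log, nothing more
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn != 0 and not fn & 1:  # skip levels where we are a lone right node
                fn >>= 1; sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1; sn >>= 1
    return sn == 0 and r == root

def monitor_alerts(entries, domain, expected_key):
    # only the key owner knows the right key, so only its monitor can flag a mismatch
    return [i for i, e in enumerate(entries)
            if e.partition(b":")[0] == domain and e.partition(b":")[2] != expected_key]

# constructed sample log; entries stand in for certs as b"domain:key"
LOG = [b"example.org:key-legit", b"mail.example.org:key-mail",
       b"example.org:key-rogue",  # mis-issued by a rogue CA, yet a valid entry
       b"other.example:key-other"]
```

Every entry in LOG, including the mis-issued one at index 2, passes verify_inclusion against the tree head; only monitor_alerts(LOG, b"example.org", b"key-legit") reports it.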
