<i>33c3 opening theme music</i>

Herald: I'm excited to be here, I guess
you are too. We will get started with our

first talker for the day. He is a security
researcher at SBA Research, and he's also

a member of CCC Vienna. The talk we'll be
hearing today is "Everything you always

wanted to know about Certificate
Transparency" and with that, I will pass

on the stage, please give a warm welcome
to Martin Schmiedecker!

<i>applause</i>

Martin: Thank you very much for these kind
words and this very nice introduction.

As Ari said, I'm a member of CCC Vienna,
I'm also on twitter, so if you have a

comment afterwards, or want to ping me, if
you find a typo in the slides, or

whatever, just ping me on twitter.

So, what is this talk about? What are we going

to talk about? Certificate Transparency
is kind of a new thing in the TLS

ecosystem so not many people are familiar
that it is here. So I will present the

overview, what is CT and what it does and
will also peek under the hood and see what

it actually does, how it works, and how
you can play with it. So one of the things

I have to say about myself: I'm a keen fan
of Internet memes. So even though these

are hilarious pictures. Personally I find
hilarious pictures that I put online. Keep

in mind that HTTPS is a serious topic.
Whether you do net banking, you're

googling, or whatever you do online, HTTPS
is there to protect your privacy and to

protect your security. And in some states,
this has been shown by history, this is

not a case, so there are nation-wide
introspecting devices which break open the

TLS encryption and look at the content.
And people will get a visit from secret

police or anything and they will knock on
their door and arrest them. Just like this

week happened in Turkey, where people got
arrested for posting things on Facebook.

So even though there are some funny
pictures in there keep in mind that this

is just a means to an end for my
presentation. I personally find HTTPS is a

very important topic. I hope I can
convince you, too. And CT in particular is

fascinating. Why is there something like
Certificate Transparency? The name says it

all: if you are a certification authority,
you want to make public the certificates

you sell or you issue. As with many good
stories and many good tools it all started

with a hack. Back in 2011 there was this
Dutch certification authority called

DigiNotar, and they got pawned. They got
really, really badly fisted.

<i>laughter</i>

They lost everything. They lost all their
crown jewels. And as part of this hack,

there were 500-something fraudulent
certificates issued. And not just any

certificates, not just like Let's Encrypt,
where you can get a free certificate, and

and then use it for your internal systems,
or for your web site, or whatever. No,

really, really high value domains and high
value certificates. Like google.com, very

privacy-invasive, if you can read what
people are googling, or what they are

sending in their emails.
windowsupdate.com, which is like the back

door to some of the windows world.
mozilla.com, the attacker could manipulate

the Firefox download, sign it with the
certificate and ship it over a

secure-seeming website. torproject, and so
forth. This was back in 2011 and this was

not just a small incident it hasn't been a
small CA but it was a regular CA with regular

business. What's more on this hack is
that: These certificates have then been

used to intercept communication of
clients. People browsing the web, reading

their email. The company which
investigated the breach afterwards found

out that at least 300.000 IP addresses
were connecting to google.com and were

seeing this fraudulent cert. 99% of which
where from Iran. So it was kind of a

nation state attack against clients of
either ISP based or border gateway based

where people were thinking they were
browsing secured by HTTPS but they were

actually not. This is a wonderful frame
from the video. The guys from Fox IT which

investigated this breach they used the
OCSP requests. Every time you get a

certificate your browser has to somehow
figure out whether or not this certificate

is still valid. If it has been revoked, it
would be nice to not use it anymore. And

one of the approaches which is used is so
called OCSP, so the client asks the

certificate authority: "hey is this still
valid?" And this has been logged. Each of

these requests is one of the clients
seeing this fraudulent certificate and

asking DigiNotar: "Hey, is this cert still
valid?" And as you can see, most of the

connections - it's actually a movie, so
you can see the lights flickering and

popping up and down as people go to sleep
and wake up again. And most of the

people were from Iran. So how did
DigiNotar got hacked? They got really,

really, badly hacked because they had
vulnerabilities everywhere. They had a

system running which was incomprehensibly
insecure for a certification authority.

People think that if you run a
certification authority you build the

foundation for secure communication
online. You are the one securing Internet

communication. And if you run such an
entity, people think you know security.

Actually,

<i>laughter</i>

actually, DigiNotar did not. They had unpatched
software, which was facing the Internet.

Might happen. They didn't have anti-virus
on the machines that issued the

certificates. The didn't have a strong
password for their admin account. So like

"password" or "admin". Actually, you can
read the report online, and the

recommendations from ENISA, the European
security body, they listed all the things

that have been found and identified. Also,
all the certificate-issuing servers were

in one Windows domain. Also kind of bad
from DigiNotar: they kept the incident

secret. Of course, they did not want to
spread out onto the Internet "hey, we got

hacked, and we have had bad security".
They kept this incident hidden

for more than 2 months.

After 2 months, when it got
public, and when the Internet found out,

that actually something really, really bad
had happened, they found out, and

DigiNotar then went bankrupt. That's the sad
ending of the story. But this is not one

of the problems that certification
authorities face. If you run a

certification authority, you issue
certificates based on the identify of your

customers. You can create sub-root CAs, so
you can say Hey, Martin, he looks like a

nice guy, he looks like he knows security,
let's make him a CA and make him verify

identities. Probably not a good idea, but
this is what the business model of HTTPS

and certification authorities is. They
issue certificates and they grant the

permission to issue certificates as well.
And the entire goal of these companies is

to get into the trust stores. Every
browser, every operating system, every

thing connects over TLS has something
called like trust store, where it stores

the entities that are entitled to issue
certificates. And the problem is, those

CAs are not strictly audited. They have
their requirements that they have to

fullfil. They have to show that they have
some kind of security. But afterwards,

once they're certified, and once they're
in the trust stores, there is not such a

strong incentive to audit them, because
they are already in the trust stores, and

they've had their audits, and so forth.
This can lead to many problems. Another

CA, Trustwave, in 2011, it issued sub-CA
certificates. Anyone with a sub-CA

certificate can issue a TLS certificate
for any domain. They used it for traffic

introspection. So they were selling, I
don't know, to a company, which was

building appliances which can break open
the network connections for banks,

companies, or entire ISPs. They can look
into the traffic of it's users. Also,

there was Lenovo SuperFish, wonderful
idea. SuperFish was a local

man-in-the-middle CA, and the goal of the
SuperFish CA was to break open HTTPS

traffic, so that they can inject ads.

<i>laughter</i>

Even though you're using gmail and you
have this nice, slick interface without

obvious ads, SuperFish would break open
this connection, would be trusted by the

browser, and would have huge overlay ads.
Lenovo stopped cooperating with SuperFish.

This was preinstalled on Lenovo notebooks.
They had a local CA installed on the

system so they could inspect the traffic
and show ads to users. What's even more

interesting is that all these CAs had the
same key, and the private key was in RAM.

So anybody could extract the private key
of the CA, use it to sign certificates for

anything, and have an additional layer of
HTTPS injection, where you could not only

show ads, but also read the emails or do
whatever you want. Very bad. They're not doing it

allegedly anymore. Then there was, in
China, the CNNIC, they issued a sub-CA for

an introspection company. Again the
company wanted to sell appliances where

they could break open HTTPS connections
and look into the traffic of the users.

And there was another incident just this
year: Symantec was issuing "test"

certificates to a company or whatever,
among them google.com, opera.com, things

that you probably not would like to test,
and got caught. And the nice thing about

this incident is: they already had
Certificate Transparency installed. And we

will come back to this incident in a
minute. Traffic introspection is a valid

thing. If you have a fleet of planes, and
they are connected via expensive satellite

connections and you really pay a lot for
bandwidth you would like to block, for

example, Netflix, or anything which causes
a lot of traffic. One of the approaches

which was taken by Gogo, they had traffic
introspection devices in their planes and

they issued not-trusted certificates to
inspect the traffic. Bad for them:

Adrienne Porter Felt who works for Google
noticed this and Gogo is not doing this

anymore. And even though traffic
introspection sounds like a really bad

thing, I can think of use cases where this
is legit. If you run a company, if you run

a bank, and you want to prevent people
from leaking data, this can be OK. But it

has to be transparent, people have to know
that this is happening, that they're

inspecting everything. And still won't
prevent people from carrying out the USB

thumb drive with all the data on it. So
this is the big picture why we need

Certificate Transparency. We would like to
see which certificates have been issued by

a specific CA. Some minor issues, not
really minor, that additionally come to

play are that TLS has it's issues
nonetheless whether these certificates are

issued or not. One of them is certificate
revocation is tricky. It's not as easy as

just saying "this certificate is not valid
anymore". Once a certificate is issued, it

is valid until the date shown in the
certificate, which can be three years.

Happens to be, if on the first day of
using this certificate, people notice,

"uh, we should revoke it", clients that
don't get this update will be able to use

this certificate for two and more years.
Also, another limitation is that all CAs

can issue certificates for all websites.
Any of those 1,800 CAs and sub-CAs which

were in trust stores in 2013 they can all
issue a certificate for google.com or

facebook.com. This is not prevented by any
means but social means and contracts,

which state that they have to check the
legitimacy of the request. This was

published in a paper in 2013. There are
more than 1,800 CAs which can sign

certificates for any domain in regular
user devices. Another paper in 2014 found

out that one third of them, one third of
those 1,800 certification authorities,

never issued a single HTTPS certificate.
This makes you wonder: why are they then

in the trust stores and so forth. You can
claim a certain percentage of them they

are used for issuing private certificates
within networks. Still, one third of them

never issued a publicly obtainable HTTPS
certificate. Then of course there the

implementation issues. TLS has a long
history of implementation flaws. Not just

cryptographic, there's logjam, freak,
poodle, whatever. They are a completely

separate issue. But the implementation
issues are troubling the device security

at a constant pace. Famous example is:
"goto fail;" from iOS, where they had an

additional "goto fail" missing bracket and
the certificate validity wasn't checked.

Also, we have a lot of embedded devices.
Once they're powered up, they're used to

generate their private key, and they have
no access to good entropy. Entropy on

embedded devices is surprisingly hard. So
a lot of them generate the same keys. And

as already mentioned, we have different
trust stores per browser, per operating

system. Everyone has a different trust
base. Also of course, every CA tries to

get access into all of the trust stores,
get shipped with system updates to be

trusted, and we have a diversity which is
not natural. Could be much easier if

people would have the same trust base on
all their devices. And there are plenty of

deployment issues. SSLv2: everybody thinks
it dead, but apparently, it's not.

Sebastian Schinzel will give a splendid
presentation two hours from now about the

DROWN attack. The DROWN attack uses SSLv2
weaknesses in email transport. Simply

because it's activated, and it uses the
same key, you can attack top-notch TLS 1.2

encryption, because this is still here.
There's the whole shmafoo of the SHA1

certificates. Certification authorities
are not supposed to issue any SHA1

certificates anymore. Some do, some get
caught, because they back-dated their

certificates, and so forth. It's a mess.
Then there's cypher suites. There are more

than 500 cypher suites available for the
different versions of TLS. Every admin

would like to be [as] secure as possible
but which should he choose. As soon as

there is money involved, like Amazon, they
need to be compatible with Internet

Explorer 6 and so forth. It's really a
mess. And of course, email STARTTLS: Email

never had the design to incorporate
security and authentication, so as always,

they just popped it on top, and this is
STARTTLS. The problem with STARTTLS is it

can be suppressed and people will fall
back to plaintext if they cannot reach the

service with STARTTLS. Perfect forward
secrecy and so forth, deployment is another

topic which can be a talk about. And there
is this troublesome development that the

CAs, they get bought and they get sold
constantly. Just this year, Symantec

bought the company BlueCoat. Symantec is
one of the larger CAs. They run the entire

- not the entire, but they run large parts
of the certifications that are observable.

BlueCoat got popular in the Arab Spring,
because they found BlueCoat proxies which

are capable using man-in-the-middle
attacks to conduct traffic introspection,

have been used at an ISP I think in Syria
or Egypt. They found them, and they have

been deployed nationwide. So if you think
about it that Symantec, one of the largest

CAs, is buying BlueCoat, one of the larger
traffic introspection companies, things

can look really fishy or scary.

Of course they promised they
would never use the Symantec

<i>laughter</i>

This is the state we're in. This is fine,
but it's not. But people still think about

it that HTTPS is safe. And actually it
took a decade to teach people that they

have to search for the lock icon. But if
they do not understand - actually they do

not know how the lock icon appears. But
the entire lock icon is a farce if you dig

into the details. We're all sitting in a
room filled with flames, so to say. So,

this is where certificate transparency
comes in. Certificate transparency has the

goal to identify fraudulent certification
authorities. In a perfect world, any

certification authority would publish all
it's logs, would publish all the

certificates it issues. So as soon as I
get a certificate for schmiedecker.net,

the certification authority - this is part
of the public/private key, it can be

public - so wouldn't it be nice if the CA
would publish that it just issued a

certificate for schmiedecker.net?
Basically: yes. Of course, certification

authorities do not want this to happen, in
particular if they're selling to funky

states or funky businesses which earn
their money with traffic introspection and

so forth. So the perfect world would be
the public key of each certificate would

be published. The certification authority
could say "Hey, I just issued this

certificate" and everybody could see it,
could verify it

and it would be, well, a better world.

This would help to detect
problems very early. So if a small Dutch

certification authority would issue a
certificate for google.com or

torproject.com, this would be noticeable.
I mean, this is a small CA, they would be

really - they should be really surprised
if google.com decides to issue a

certificate for their service. This would
shorten the window of opportunity for an

attacker. Also, the idea is to have some
form of punishment for misbehaving CAs. So

at the moment, right now, if a
certification authority fucks up, and

Google is affected, they mandate that they
need to have additional steps to be

reintroduced into the trust stores. This
is what Google did. They did the Power

Ranger move, and they decided they want to
make the internet more secure. Why Google?

Well, Google is uniquely positioned in a
way that they control the clients with

their browsers with the Android system,
and they also control a large portion of

the servers. Everyone uses Google, except
for those that use Bing.

<i>laughter</i>

Just kidding. What Google did is, once the
DigiNotar hack got public, they pinned

their certificates. Since Chrome has a
decent update cycle they can ship the

certificates which they expect to see with
a browser update. So as soon as [the]

browser updates in the background, it can
enforce the specific certificate that it

expects to see for google.com,
youtube.com, and whatever. Also, it has a

really huge market share. 50% and more,
depending on how you count. Chrome and

Chromium are rather popular. And lastly,
they are a common target. So if some

dictator decides to introspect client
emails, user emails, usually they target

gmail.com, because they have a decent
security, they do not have any other

vulnerabilities or backdoors to allow
access to their content. Which makes the

attack to Gmail a very drastic attack.
With the changes that Google introduced

into Chrome with the certificate pinning,
they can now detect these attacks.

But this was already back in 2011. Since
then, for example, the Porter Felt tweet

I showed you, If Chrome would go to a
website google.com or youtube.com, and

would see a fraudulent certificate, they
would warn the user. And what Google then

did, was to propose a standard, to make an
RFC, how to transparently publish the logs

for certificates that have been issued.
The idea of the RFC is that every

certificate issued is public. This is
implemented in a public, append-only log.

So they have a log, they have open APIs,
and they accept every certificate. Then,

cryptographically assured, the client like
the browser can verify that this is a

publicly logged certificate. And the
entire system is open for all. So you can

go to the website, you can
get the source code,

you can run your own log for RFC 6962.

And everyone is happy.

The goals were to detect misbehaving 
CAs. As I said,

they have their audits, they have their
compliance regulations, and so forth, but

not on the certificate level. With
certificate transparency, they become

audible by the public, by the browsers.
Everyone can query the logs and see

whether or not this particular
certification authority has issued a

certificate for google.com.

Alright! Upon reading the RFC,
there are three entities

which are part of certification
transparency. There are, for one,

the logs, which are like giant vacuum
cleaners. They ingest all the certificates

which are sent to them, and then
cryptographically sign them and issue the

assurance that this specific certificate
has been logged. And this has been issued

and has not been tampered with, and so
forth. Then there are monitors. They

identify suspicious certificates. Usually,
these are the certification authorities

themselves which run those monitors. And
then there are the auditors. The auditors

usually are implemented in the browser.
And they verify that the issued

certificates are really logged. Looking at
them in detail: the role of the monitor

and the auditor is kind of
interchangeable, so a monitor can be an

auditor, back and forth. What the monitor
does, it fetches all the certificates.

So you have this giant pool of certificates.
They are cryptographically assured which

we will see soon. And the monitor just
fetches them all. And they have some form

of semantic checking. They can see, has
there been a certificate for my domain,

has there been any sub-CA created, which
is able to issue certificates for traffic

introspection, and so forth. Also, what
they can then, with this data, do, they

can identify misbehaving log operators. I
said, the logs, they are just gigantic

hoovers, which collect all the
certificates, and they need auditing, too,

of course. They need - they have a
position of power, because they are

managing this huge pool of certificates.
And one needs to challenge the log to

identify misbehaviour. This can be done by
the monitors, can also be done by the

auditors. Every client - right now, it's
implemented in Chrome. Chrome checks for

these certification transparency
cryptographically signed blobs. And the

browsers and everything, they can verify
the log integrity as well. So in the

backend, the log, it creates a hash tree.
This hash tree is signed. We will come to

that in a second. I got lost here. So both
monitors and auditors, they query that the

log entity is working correctly. It
wouldn't be a good thing if China could go

to Google and say them "Hey, we would like
to have this certificate removed." Google

could then comply or could not comply but
whether they remove the certificate this

would be auditible and this would be
observable to the public. So the good

thing is anyone run any software, anyone
of you in this room can run a log entity.

You need some kind of access to some
certificates, so whether or not you are a

certification authority, you can just run
a public log, and everybody can push their

certificates to your service. Right now,
this is not the case. Usually, the CAs run

the monitors and they run the logs, but
this is not by design, anybody can run

anything. One of the problems is
availability. So even through I can set up

a log for certificates, I have the problem
that my log needs to be online 24/7. My

ISP is not happy if I ask him to guarantee
this for me, if I don't pay much much much

more. So, how does it work? Currently, if
you get a certificate, you go to the

certification authority, You say, "hey,
I'm this wonderful domain, please could I

get a certificate?" And then you get the
certificate. What's additionally happening

with certification transparency is that the
CA upon issuing the certificate - this can

be any CA, this can be Let's Encrypt, this
can be Thawte, Symantec, you name it -

what they do is they send the certificate
once they issued it, they send the

certificate to one of the logs. The log
then signs the successful reception of the

certificate, and immediately sends
something back. This blob is called the

SCT, the signed certificate timestamp, and
this can then be included in the

certificate or with other ways. Key point
here is that once the server installs the

certificate, it also installs this SCT, so
that browsers can see it and parse it.

Some people I might have lost here.
Nonetheless, everything is easier in

pictures. Right now, currently - and these
are the pictures from the certification

transparency website, thanks for making
them - my pic skills are really not that

good, so I never would have been able to
make such beautiful graphs. So currently,

there is the certification authority. It
issues a certificate, and the website then

installs it in the correct directory. The
clients check it, and encryption can

happen. The additional step, and this is
the nice thing, it can happen without any

additional steps on the server side and
the client side, it's just the

certification authority needs to do an
additional step. So instead of just

issuing the certificate, they send the
certificate to the logs, the log

immediately sends back the so-called SCT,
the signed certificate timestamp, and this

is then included in the certificate, which
is shipped to the client. And then the

client, if it supports it, can ask the
server whether or not this particular

certificate is included or not. The things
that come back from the log they are

signed, they have an ID, and they have a
timestamp. These are the important things.

They need to be included in those SCT.
Also, what will be interesting in the

future, that the certificate can have
multiple log entries. So the SCT is like a

promise. The log operator promises to
include this certificate in its logs. And

everybody can check afterwards then if
this log has really publicly logged, or if

the authority has omitted to log it. In
the future it will be the case that many

SCTs can be within a certificate. If I'm a
certification authority I can go to any

log operator, send them every certificate
I have and then include many, many SCTs.

And the SCT is not private. This is just
an ID, it's a timestamp, and it's a

signature. This is probably too much.
There's multiple ways for the client to

verify that this certificate has an SCT.
So one of the methods for example is OCSP

stapling. Right now, if you have a
certificate, instead of going to the CA,

the server can staple the OCSP request
signed by the CA. And within this OCSP

stapling there can also be the SCT
included. How does it work on the log

side? Everything there is, is a Merkle
hash tree. A Merkle hash tree is a

wonderful data structure. It's nothing
new, it's nothing fancy, and it's not the

blockchain.

<i>laughter</i>

The Merkle hash tree, it looks, it's a
binary tree. Every node has two children,

and the hash value of an inner node
depends on the two children. So usually

it's the concatenation of the values of
the two children. Get's hashed again, up

to the root. Makes it very space efficient
because if I want to verify the integrity

of one entire tree, all I have to check is
the hash value of the root. Then, of

course, I can get all the relevant hash
values, and then I can reconstruct it. CT

uses SHA256 Merkle tree, and as I said,
everything below a certain node is

responsible for the hash value. So if you
remove a node, if you add a node, or if

you relocate a node, the hash values of
all the upper nodes get changed. Each of

the log operators, additionally to the
promise that they will include every

certificate that it receives, it also
gives a promise on the maximum merge

delay. The SCT, the promise to include
this certificate chain into the log, it

can only finish immediately because it's a
promise to include this into the log. And

the maximum merge delay is the time the
log operator promises to include it in the

big, big Merkle hash tree. The good thing
about the Merkle hash tree is despite

being very space efficient, calculation
efficient, not that much data overhead,

and so forth, it's not possible to
backdate elements. This was interesting

for one of the certification authorities
which issued SHA1 signed certificates,

even though the browsers and everyone
agreed that this should not happen

anymore. So it's also not possible remove
elements that have been once in there. So

if Symantec decided to remove the
google.com certificate, which was a "test"

certificate, this would be noticeable as
well, because if you remove one of the

leaves, the hash values up to the root,
they all change. And it's also not

possible to add elements. if you would
like to add an element unnoticably, you

cannot do this, because the hash values of
all the upper nodes would change. So how

do the logs operate? What they usually do
is once every hour, they receive the

certificates, and once every hour they
include them into their Merkle hash tree.

Probably already too much detail. They
build a separate tree, and then include it

and recalculate the root hash value, which
is then signed and shipped. And the nice

thing about the Merkle tree is that you
have multiple ways of proving things. One

of the things that can be proved whether
or not this log operator is honest. if a

log operator removes one of the
certificates, this becomes visible by

changing all the relevant nodes. Also,
it's very efficient. Also a figure from

the project website. On the left side, you
have a Merkle tree with some added

certificates, appended certificates. And
if a monitor or an auditor decides to

challenge the log operator, at a later
point in time, whether or not these

certificates D6 and D7 have been correctly
added, all the log operator has to send

are those highlighted nodes. This is the
root, this is the thing that is signed,

for example, every hour. This is public.
The certificates, they are public because

like, they're certificates. If now someone
wants to verify that not only these have

been included, this is very easy, because
you just have to calculate all the way up,

but also verify that all the other
certificates are still there, so none of

the old certificates have been removed,
there only needs to be three hash values

transmitted. And then the challenger can
re-calculate everything. So as soon as the

challenger knows those hash values they
can concatenate everything back together

and in the end, it should have the same
hash value as the root. Another proof that

is possible is whether a specific
certificate is still in the log. So it's

not only possible to challenge the
consistency of the entire log regarding

old data, but it's also to verify that a
specific certificate is still in the logs,

or made it into the logs. Remember, the
SCT, the thing that finished immediately,

is just a promise to include it in the
logs, and at a later point in time,

anyone, any auditor can challenge the log
operator if the certificate is really in

the log. So again, if I want to verify
that a specific certificate is in the log

I have the certificate that I would like
to challenge, then I just need, in this

example, those three nodes, and everything
else, the j node can be calculated because

I have the certificate. Then I have the
hash of the certificate. I need this hash,

then I can calculate this value, and so
forth, until I am at the root. So much for

under the hood. Merkle hash trees are
gone. One of the problems of those logs

are they are every growing. You might have
noticed, there is not a single word about

deleting certificates, for valid reasons,
they are ever growing. Of course, nothing

is forever, so what log operators do is
that they rotate the logs. So at a

specific point in time, the log gets
frozen, the tree is then static, and there

is another log entity, which is brough
online and used for, including the newer

certificates. Quite recently, aviator from
Google got frozen.

It contains 46 million certificates.

Small drawback of freezing a
log: as long as one certificate in this

log, in this three is still valid, this
log needs to be reachable. As soon as all

the certificates have been expired, it can
be dumped. But until that it has to be

available for the proofs.

One of the issues is that right now
there are just a few log operators.

In the future, there should
be many more. Not hundred-thousands of

them, but maybe hundreds of them. And they
need to exchange information. Some form of

log chatter should appear. The log
operators chatter with the clients to

verify that they all see the same state of
the Merkle trees. And this has been

published in a paper last year. Right now,
the idea is not yet at a level where they

need to chatter, which we will soon see.
This happens when you create memes on the

train. Usually, they are very bad memes.
This is apparently Gossip Girl, I've never

seen it, but if you google gossip and
meme, ta-da!

<i>laughter</i>

Who now runs the logs? Who are the
entities who are actively running logs. Of

course, Google is running the majority of
them. They proposed the entire thing, they

wrote the code to run these things, and
they run the large, open-for-all

certificate logs. Three of them are
currently open-for-all. Another one is for

Let's Encrypt certificates, and another
one is for non Let's Encrypt certificates.

Of course, Let's Encrypt issues a lot of
certificates., thankfully. So they

separated that, apparently. If you read
the mailing list, they promise that these

free open-for-all logs are separated
geographically and administratively. The

are run by different entities, but they
all have the same boss, and it would be

better if there were more open logs.
Symantec has one, Wosign, CNNIC. Everytime

Google detects that a fraudulent
certificate for google.com has been

issued, those certification authorities
are mandated to run CT. Which is a good

thing, I mean, public and everything.
Google has tens of millions of

certificates. They really have an
open-for-all log, so everyone can push

certificates in there. DigiCert, Symantec
is kind of big, but all the other nodes

which are listed on the website, they have
a hundred-thousand-ish certificates, which

is not that much compared to 50 million or
60 millions. Right now, Google already

mandates certification transparency for
extended valiity certificates, so if you

not only see the green text up in the left
corner of your browser, but also some

fancy name and big, big green whatever,
this is an EV cert. And Google mandates

for EV certs to have two SCTs. Firefox is
in the process of including it, I think.

Also, apparently, certificate transparency
works. Because, when Symantec issued this

certificate for google.com they released a
report stating that they found 23 "test"

certificates. Symantec said that it issued
23 test certificates. But the logs are

public, anybody can query them. And within
seconds, you can see that Symantec issued

another 164 certificates for other
domains, and also 2,500 certificates for

non-exisisting domains. Just regarding
this one issue. I need to hurry, time is

running out. Some of the downsides of
certificate transparency. Of course:

privacy. People can learn your internal
hosts, so if you have NAS for example, and

this NAS is only reachable within your
LAN, and you want to get rid of the

browser warning whenever you access the
interface of your NAS, you can get a Let's

Encrypt certificate but since not only the
certificate is published, but also it's

logged, people can see in the public log
file that there is, for your domain, a

NAS. Also, log entries must contain the
entire chain up to a trusted root

certificate, which excludes everything
which is self-signed, and everything which

is DANE. DANE is for verifying TLS
certificates using DNSsec. And since these

two have no trusted root, they are currently
not working for certificate transparency.

Now, of course you want to see the data.
You're gonna play around with this.

Basically, what you can query, everything
is JSON. So, if you know JSON, you can

work with certificate transparency. The
basic URL is like this. The URL is any log

server, responds with the current root and
it's signature, using this URL. Most

interestingly, it gives you also the
number of certificates and the time stamp.

It looks then like this. JSON, so you
have, this is the aviator log from Google,

which is now frozen. Has 46 something
million certificates, the hash value of

the Merkle tree, and the signature. Also,
you can challenge the certification logs

with consistency proofs, where you have
two states of their tree, and the log has

to prove that it did not modify anything
in between them. And of course, you can

verify that specific certificate is in the
tree with the second URL. And you can just

push certificates there with a POST
request. So you push it, they send back

the SCT, if you're the log operator, then
you would include this. Any website which

right now is not using SCT all it takes is
a POST request. Nothing more. Some screens

from the internals. This is for google.com
in the net internals view. What you can

see is that signed certificate timestamp,
the SCT, is received. It is valid. And

compliance is checked. So this was for
google.com. And everything worked out.

Last but no least, just to mention it,
Comodo operates a large search engine,

crt.sh. There you can query public logs.
Also, Facebook recently added a monitor

for certificates. So if you own a domain
name, and you use an entity which - no if

you own a domain, you can get updates if
the certificate changes. The also monitor

the public logs and as soon as, for
example, facebook.com uses a new

certificate that is logged in CT, you can
get a notification for that. This is what

it looks like. Remember, Facebook can also
send PGP-encrypted mails, then nothing

leaks to anyone. This screenshot was
borrowed from Scott Helme. So, what's

next? Just a few - One month ago, Google
announced that it will mandate certificate

transparency from October 2017 on. So if
you run a website which is secured by TLS

you might want to check before that date
whether or not your certification

authority is using certificate
transparency. I would expect to have more

logs and more certificates included in the
logs. In the far future, basically, the

idea of transparency and this Merkle tree
is open for anything. You could put key

management software releases, anything in
there. The team at Google, they also

builded a prototype for that, called
Trillian, and described in the paper

"Verifiable Data Structures".

Before we
come to the end and questions,

<i>laughter</i>

<i>applause</i>

There is a distinction. Of course, you
could solve this problem with blockchain

as well. But a Merkle hash tree is much
more efficient, much more elegant. When I

talked to a colleague on the train here,
he said, of course, you can just push the

log into the blockchain.
Yeah, not the same thing.

Thank you!

<i>applause</i>

Herald: Thank you Martin for a very
interesting talk! We have a few more

minutes left for Q&amp;A, so if you have a
question, please line up next to the

microphones, and ask your question.
Remember: a question has a question mark

at the end. Also, if you're exiting,
please do so silently and from the front

door, thank you. I think we have a
question over there:

Q: Can you recommend some libs or software
where I can accomplish the TLS handshake

from the client side, so I can get the
SCT, via TLS extension, via OCSP

extension, via the inherited
pre-certificate SCT.

M: Not by heart. I mean, if it's part of
TLS certificate anything will go, OpenSSL,

whatever, it's just a field. Same as for
OCSP, so anything that does OCSP will

include it, it's just that clients that do
not know the extension will just not -

they will ignore it. But anything that
does OCSP or SSL handshake will work.

H: Thank you. Question from this microphone.

Q: Hello, thank you very much for the nice
talk. Do you know how much space is needed

to store all the logs currently?

M: I had the same question, but
unfortunately not. What they store is the

tree, and they store the entire chain,
excluding the root certificates. So,

probably two, three, four certificates per
entry, which is like - I think you can buy

at the regular electronic markets a hard drive
which is able to fit a lot of those entries.

H: Next question from that mic.

Q: Yeah, thank you for the talk. Why do
you need two SCTs for extended validation?

M: Because a single entity might cheat. So
it's like - even though you can detect it,

it's still a timeframe left. And if you
have two SCTs, which are operated

independently, the idea is it's not that
likely that the two will collaborate

to make a certificate disappear.

Q: Thanks!

H: That microphone, yes.

Q: I'm actually a bit surprised, because
Google has been pushing for making the

server HELLO as small as possible, and of
course, this is increasing the server

HELLO with, in this case, an SCT, and of
course, they are also doing OCSP stapling,

so that makes it even bigger. And this is
like a SHA256, so we're talking 256 bits

there, plus another one you said that, you
know, one is not enough. Actually I've

never seen that has more than one SCT.
Have you?

M: No.

<i>laughter</i>

Not yet.

Q: I've looked around, but nothing.

M: Yeah.

Q: It's actually increasing the size. And
I'm just wondering, where is this going.

Are we just gonna eat the costs of having
all these SCTs and OCSP stapling? Are we

prepared to eat that cost?

M: I think the cost is small compared to
the gain you get by HTTP2. So if you pipe

anything to one singular connection. I
think it's not bad of a cost anymore. But

of course, this is a policy thing. To
require a certain amount of SCTs, to

prevent fraudulent CAs.

Q: Is the idea that this will replace
something like the SSL observatory, where

browsers send in certs they see, and then
- you nodded, so I assume yes. And then

also, how does this work for people who
can't have their certs be public?

For people who are like issuing
things for internal networks?

M: If you can't have the certificate
public, probably the better way right now

is to have a certification authority which
is not using CT. In the future, it makes

it much more expensive to operate your own
CA, incorporate it in the trust stores.

But of course, this is costly. You have to
sign the certificate and everything.

Q: But if like in October 2017, when
Chrome rejects all certs that don't have

signed timestamps like what do I do?

M: Use Edge.

<i>laughter</i>

I'm sure you can disable it somehow,
but it's <i>blerg</i>.

Q: What about if someone tries SCT with
DHT or other system.

Not blockchain, of course!

It's possible to do that without
central authorities?

M: Sorry, say again?

Q: My English is very bad, I'm sorry. I
said, it is possible to do that without

some central authority, like Google
or over SCT, but

with a distributed hash table,
like DHT technologies,

M: Yes, yes, of course.

Q: And are there existing implementations?

M: For the centralized thing, yes. Not for
the distributed thing. But I think it's

just adding a layer of DHT on top of it.
So I'm sure you can think of a browser

extension which uses the DHT to obtain
SCT. But right now it's just purely

centralized. But the source is open.

Q: OK, thank you.

Q: I was just curious how it works if you
have a certificate which gets revoked, in

context of the tree. Especially if the
tree is frozen. So how does this work?

How do you revoke a certificate with a
tree, and then how does it work if it's

frozen already.

M: Good question! The goal of CT is not
- it's not about revocation. So whether

revocation path is taken regularly. So you
ask OCSP. It's independent of the

revocation thing. It's just publicly
saying that this certificate has been

issued. So removing a certificate from the
tree, which has been removed - revoked, is

not part of the specification. This is not
the use case. It's just logging the

certificates which have been issued.

Q: But if you audit all the logs, and you
want to know if something is, like going

on that shouldn't be going on, wouldn't
you want to know whether the certificate

has been revoked at some point?

M: Yes, but not in the logs. The logs are
just to prove that the CA has issued this

certificate, and to prove that the log has
correctly logged it. Revocation is

different. Usually, OCSP stapling with the
CA, but that's a different channel. So

this is not for certificate transparency.

Q: Thank you!

H: That's all the time we have for Q&amp;A.

Big round of applause again for
Martin for a great talk!

<i>applause</i>

<i>postroll music</i>

subtitles created by c3subtitles.de
in the year 2017. Join, and help us!