-
33c3 opening theme music
-
Herald: I'm excited to be here, I guess
you are too. We will get started with our
-
first talker for the day. He is a security
researcher at SBA Research, and he's also
-
a member of CCC Vienna. The talk we'll be
hearing today is "Everything you always
-
wanted to know about Certificate
Transparency" and with that, I will pass
-
on the stage, please give a warm welcome
to Martin Schmiedecker!
-
applause
-
Martin: Thank you very much for these kind
words and this very nice introduction.
-
As Ari said, I'm a member of CCC Vienna,
I'm also on twitter, so if you have a
-
comment afterwards, or want to ping me, if
you find a typo in the slides, or
-
whatever, just ping me on twitter.
-
So, what is this talk about? What are we going
-
to talk about? Certificate Transparency
is kind of a new thing in the TLS
-
ecosystem so not many people are familiar
that it is here. So I will present the
-
overview, what is CT and what it does and
will also peek under the hood and see what
-
it actually does, how it works, and how
you can play with it. So one of the things
-
I have to say about myself: I'm a keen fan
of Internet memes. So even though these
-
are hilarious pictures. Personally I find
hilarious pictures that I put online. Keep
-
in mind that HTTPS is a serious topic.
Whether you do net banking, you're
-
googling, or whatever you do online, HTTPS
is there to protect your privacy and to
-
protect your security. And in some states,
this has been shown by history, this is
-
not a case, so there are nation-wide
introspecting devices which break open the
-
TLS encryption and look at the content.
And people will get a visit from secret
-
police or anything and they will knock on
their door and arrest them. Just like this
-
week happened in Turkey, where people got
arrested for posting things on Facebook.
-
So even though there are some funny
pictures in there keep in mind that this
-
is just a means to an end for my
presentation. I personally find HTTPS is a
-
very important topic. I hope I can
convince you, too. And CT in particular is
-
fascinating. Why is there something like
Certificate Transparency? The name says it
-
all: if you are a certification authority,
you want to make public the certificates
-
you sell or you issue. As with many good
stories and many good tools it all started
-
with a hack. Back in 2011 there was this
Dutch certification authority called
-
DigiNotar, and they got pawned. They got
really, really badly fisted.
-
laughter
-
They lost everything. They lost all their
crown jewels. And as part of this hack,
-
there were 500-something fraudulent
certificates issued. And not just any
-
certificates, not just like Let's Encrypt,
where you can get a free certificate, and
-
and then use it for your internal systems,
or for your web site, or whatever. No,
-
really, really high value domains and high
value certificates. Like google.com, very
-
privacy-invasive, if you can read what
people are googling, or what they are
-
sending in their emails.
windowsupdate.com, which is like the back
-
door to some of the windows world.
mozilla.com, the attacker could manipulate
-
the Firefox download, sign it with the
certificate and ship it over a
-
secure-seeming website. torproject, and so
forth. This was back in 2011 and this was
-
not just a small incident it hasn't been a
small CA but it was a regular CA with regular
-
business. What's more on this hack is
that: These certificates have then been
-
used to intercept communication of
clients. People browsing the web, reading
-
their email. The company which
investigated the breach afterwards found
-
out that at least 300.000 IP addresses
were connecting to google.com and were
-
seeing this fraudulent cert. 99% of which
where from Iran. So it was kind of a
-
nation state attack against clients of
either ISP based or border gateway based
-
where people were thinking they were
browsing secured by HTTPS but they were
-
actually not. This is a wonderful frame
from the video. The guys from Fox IT which
-
investigated this breach they used the
OCSP requests. Every time you get a
-
certificate your browser has to somehow
figure out whether or not this certificate
-
is still valid. If it has been revoked, it
would be nice to not use it anymore. And
-
one of the approaches which is used is so
called OCSP, so the client asks the
-
certificate authority: "hey is this still
valid?" And this has been logged. Each of
-
these requests is one of the clients
seeing this fraudulent certificate and
-
asking DigiNotar: "Hey, is this cert still
valid?" And as you can see, most of the
-
connections - it's actually a movie, so
you can see the lights flickering and
-
popping up and down as people go to sleep
and wake up again. And most of the
-
people were from Iran. So how did
DigiNotar got hacked? They got really,
-
really, badly hacked because they had
vulnerabilities everywhere. They had a
-
system running which was incomprehensibly
insecure for a certification authority.
-
People think that if you run a
certification authority you build the
-
foundation for secure communication
online. You are the one securing Internet
-
communication. And if you run such an
entity, people think you know security.
-
Actually,
-
laughter
-
actually, DigiNotar did not. They had unpatched
software, which was facing the Internet.
-
Might happen. They didn't have anti-virus
on the machines that issued the
-
certificates. The didn't have a strong
password for their admin account. So like
-
"password" or "admin". Actually, you can
read the report online, and the
-
recommendations from ENISA, the European
security body, they listed all the things
-
that have been found and identified. Also,
all the certificate-issuing servers were
-
in one Windows domain. Also kind of bad
from DigiNotar: they kept the incident
-
secret. Of course, they did not want to
spread out onto the Internet "hey, we got
-
hacked, and we have had bad security".
They kept this incident hidden
-
for more than 2 months.
-
After 2 months, when it got
public, and when the Internet found out,
-
that actually something really, really bad
had happened, they found out, and
-
DigiNotar then went bankrupt. That's the sad
ending of the story. But this is not one
-
of the problems that certification
authorities face. If you run a
-
certification authority, you issue
certificates based on the identify of your
-
customers. You can create sub-root CAs, so
you can say Hey, Martin, he looks like a
-
nice guy, he looks like he knows security,
let's make him a CA and make him verify
-
identities. Probably not a good idea, but
this is what the business model of HTTPS
-
and certification authorities is. They
issue certificates and they grant the
-
permission to issue certificates as well.
And the entire goal of these companies is
-
to get into the trust stores. Every
browser, every operating system, every
-
thing connects over TLS has something
called like trust store, where it stores
-
the entities that are entitled to issue
certificates. And the problem is, those
-
CAs are not strictly audited. They have
their requirements that they have to
-
fullfil. They have to show that they have
some kind of security. But afterwards,
-
once they're certified, and once they're
in the trust stores, there is not such a
-
strong incentive to audit them, because
they are already in the trust stores, and
-
they've had their audits, and so forth.
This can lead to many problems. Another
-
CA, Trustwave, in 2011, it issued sub-CA
certificates. Anyone with a sub-CA
-
certificate can issue a TLS certificate
for any domain. They used it for traffic
-
introspection. So they were selling, I
don't know, to a company, which was
-
building appliances which can break open
the network connections for banks,
-
companies, or entire ISPs. They can look
into the traffic of it's users. Also,
-
there was Lenovo SuperFish, wonderful
idea. SuperFish was a local
-
man-in-the-middle CA, and the goal of the
SuperFish CA was to break open HTTPS
-
traffic, so that they can inject ads.
-
laughter
-
Even though you're using gmail and you
have this nice, slick interface without
-
obvious ads, SuperFish would break open
this connection, would be trusted by the
-
browser, and would have huge overlay ads.
Lenovo stopped cooperating with SuperFish.
-
This was preinstalled on Lenovo notebooks.
They had a local CA installed on the
-
system so they could inspect the traffic
and show ads to users. What's even more
-
interesting is that all these CAs had the
same key, and the private key was in RAM.
-
So anybody could extract the private key
of the CA, use it to sign certificates for
-
anything, and have an additional layer of
HTTPS injection, where you could not only
-
show ads, but also read the emails or do
whatever you want. Very bad. They're not doing it
-
allegedly anymore. Then there was, in
China, the CNNIC, they issued a sub-CA for
-
an introspection company. Again the
company wanted to sell appliances where
-
they could break open HTTPS connections
and look into the traffic of the users.
-
And there was another incident just this
year: Symantec was issuing "test"
-
certificates to a company or whatever,
among them google.com, opera.com, things
-
that you probably not would like to test,
and got caught. And the nice thing about
-
this incident is: they already had
Certificate Transparency installed. And we
-
will come back to this incident in a
minute. Traffic introspection is a valid
-
thing. If you have a fleet of planes, and
they are connected via expensive satellite
-
connections and you really pay a lot for
bandwidth you would like to block, for
-
example, Netflix, or anything which causes
a lot of traffic. One of the approaches
-
which was taken by Gogo, they had traffic
introspection devices in their planes and
-
they issued not-trusted certificates to
inspect the traffic. Bad for them:
-
Adrienne Porter Felt who works for Google
noticed this and Gogo is not doing this
-
anymore. And even though traffic
introspection sounds like a really bad
-
thing, I can think of use cases where this
is legit. If you run a company, if you run
-
a bank, and you want to prevent people
from leaking data, this can be OK. But it
-
has to be transparent, people have to know
that this is happening, that they're
-
inspecting everything. And still won't
prevent people from carrying out the USB
-
thumb drive with all the data on it. So
this is the big picture why we need
-
Certificate Transparency. We would like to
see which certificates have been issued by
-
a specific CA. Some minor issues, not
really minor, that additionally come to
-
play are that TLS has it's issues
nonetheless whether these certificates are
-
issued or not. One of them is certificate
revocation is tricky. It's not as easy as
-
just saying "this certificate is not valid
anymore". Once a certificate is issued, it
-
is valid until the date shown in the
certificate, which can be three years.
-
Happens to be, if on the first day of
using this certificate, people notice,
-
"uh, we should revoke it", clients that
don't get this update will be able to use
-
this certificate for two and more years.
Also, another limitation is that all CAs
-
can issue certificates for all websites.
Any of those 1,800 CAs and sub-CAs which
-
were in trust stores in 2013 they can all
issue a certificate for google.com or
-
facebook.com. This is not prevented by any
means but social means and contracts,
-
which state that they have to check the
legitimacy of the request. This was
-
published in a paper in 2013. There are
more than 1,800 CAs which can sign
-
certificates for any domain in regular
user devices. Another paper in 2014 found
-
out that one third of them, one third of
those 1,800 certification authorities,
-
never issued a single HTTPS certificate.
This makes you wonder: why are they then
-
in the trust stores and so forth. You can
claim a certain percentage of them they
-
are used for issuing private certificates
within networks. Still, one third of them
-
never issued a publicly obtainable HTTPS
certificate. Then of course there the
-
implementation issues. TLS has a long
history of implementation flaws. Not just
-
cryptographic, there's logjam, freak,
poodle, whatever. They are a completely
-
separate issue. But the implementation
issues are troubling the device security
-
at a constant pace. Famous example is:
"goto fail;" from iOS, where they had an
-
additional "goto fail" missing bracket and
the certificate validity wasn't checked.
-
Also, we have a lot of embedded devices.
Once they're powered up, they're used to
-
generate their private key, and they have
no access to good entropy. Entropy on
-
embedded devices is surprisingly hard. So
a lot of them generate the same keys. And
-
as already mentioned, we have different
trust stores per browser, per operating
-
system. Everyone has a different trust
base. Also of course, every CA tries to
-
get access into all of the trust stores,
get shipped with system updates to be
-
trusted, and we have a diversity which is
not natural. Could be much easier if
-
people would have the same trust base on
all their devices. And there are plenty of
-
deployment issues. SSLv2: everybody thinks
it dead, but apparently, it's not.
-
Sebastian Schinzel will give a splendid
presentation two hours from now about the
-
DROWN attack. The DROWN attack uses SSLv2
weaknesses in email transport. Simply
-
because it's activated, and it uses the
same key, you can attack top-notch TLS 1.2
-
encryption, because this is still here.
There's the whole shmafoo of the SHA1
-
certificates. Certification authorities
are not supposed to issue any SHA1
-
certificates anymore. Some do, some get
caught, because they back-dated their
-
certificates, and so forth. It's a mess.
Then there's cypher suites. There are more
-
than 500 cypher suites available for the
different versions of TLS. Every admin
-
would like to be [as] secure as possible
but which should he choose. As soon as
-
there is money involved, like Amazon, they
need to be compatible with Internet
-
Explorer 6 and so forth. It's really a
mess. And of course, email STARTTLS: Email
-
never had the design to incorporate
security and authentication, so as always,
-
they just popped it on top, and this is
STARTTLS. The problem with STARTTLS is it
-
can be suppressed and people will fall
back to plaintext if they cannot reach the
-
service with STARTTLS. Perfect forward
secrecy and so forth, deployment is another
-
topic which can be a talk about. And there
is this troublesome development that the
-
CAs, they get bought and they get sold
constantly. Just this year, Symantec
-
bought the company BlueCoat. Symantec is
one of the larger CAs. They run the entire
-
- not the entire, but they run large parts
of the certifications that are observable.
-
BlueCoat got popular in the Arab Spring,
because they found BlueCoat proxies which
-
are capable using man-in-the-middle
attacks to conduct traffic introspection,
-
have been used at an ISP I think in Syria
or Egypt. They found them, and they have
-
been deployed nationwide. So if you think
about it that Symantec, one of the largest
-
CAs, is buying BlueCoat, one of the larger
traffic introspection companies, things
-
can look really fishy or scary.
-
Of course they promised they
would never use the Symantec
-
laughter
-
This is the state we're in. This is fine,
but it's not. But people still think about
-
it that HTTPS is safe. And actually it
took a decade to teach people that they
-
have to search for the lock icon. But if
they do not understand - actually they do
-
not know how the lock icon appears. But
the entire lock icon is a farce if you dig
-
into the details. We're all sitting in a
room filled with flames, so to say. So,
-
this is where certificate transparency
comes in. Certificate transparency has the
-
goal to identify fraudulent certification
authorities. In a perfect world, any
-
certification authority would publish all
it's logs, would publish all the
-
certificates it issues. So as soon as I
get a certificate for schmiedecker.net,
-
the certification authority - this is part
of the public/private key, it can be
-
public - so wouldn't it be nice if the CA
would publish that it just issued a
-
certificate for schmiedecker.net?
Basically: yes. Of course, certification
-
authorities do not want this to happen, in
particular if they're selling to funky
-
states or funky businesses which earn
their money with traffic introspection and
-
so forth. So the perfect world would be
the public key of each certificate would
-
be published. The certification authority
could say "Hey, I just issued this
-
certificate" and everybody could see it,
could verify it
-
and it would be, well, a better world.
-
This would help to detect
problems very early. So if a small Dutch
-
certification authority would issue a
certificate for google.com or
-
torproject.com, this would be noticeable.
I mean, this is a small CA, they would be
-
really - they should be really surprised
if google.com decides to issue a
-
certificate for their service. This would
shorten the window of opportunity for an
-
attacker. Also, the idea is to have some
form of punishment for misbehaving CAs. So
-
at the moment, right now, if a
certification authority fucks up, and
-
Google is affected, they mandate that they
need to have additional steps to be
-
reintroduced into the trust stores. This
is what Google did. They did the Power
-
Ranger move, and they decided they want to
make the internet more secure. Why Google?
-
Well, Google is uniquely positioned in a
way that they control the clients with
-
their browsers with the Android system,
and they also control a large portion of
-
the servers. Everyone uses Google, except
for those that use Bing.
-
laughter
-
Just kidding. What Google did is, once the
DigiNotar hack got public, they pinned
-
their certificates. Since Chrome has a
decent update cycle they can ship the
-
certificates which they expect to see with
a browser update. So as soon as [the]
-
browser updates in the background, it can
enforce the specific certificate that it
-
expects to see for google.com,
youtube.com, and whatever. Also, it has a
-
really huge market share. 50% and more,
depending on how you count. Chrome and
-
Chromium are rather popular. And lastly,
they are a common target. So if some
-
dictator decides to introspect client
emails, user emails, usually they target
-
gmail.com, because they have a decent
security, they do not have any other
-
vulnerabilities or backdoors to allow
access to their content. Which makes the
-
attack to Gmail a very drastic attack.
With the changes that Google introduced
-
into Chrome with the certificate pinning,
they can now detect these attacks.
-
But this was already back in 2011. Since
then, for example, the Porter Felt tweet
-
I showed you, If Chrome would go to a
website google.com or youtube.com, and
-
would see a fraudulent certificate, they
would warn the user. And what Google then
-
did, was to propose a standard, to make an
RFC, how to transparently publish the logs
-
for certificates that have been issued.
The idea of the RFC is that every
-
certificate issued is public. This is
implemented in a public, append-only log.
-
So they have a log, they have open APIs,
and they accept every certificate. Then,
-
cryptographically assured, the client like
the browser can verify that this is a
-
publicly logged certificate. And the
entire system is open for all. So you can
-
go to the website, you can
get the source code,
-
you can run your own log for RFC 6962.
-
And everyone is happy.
-
The goals were to detect misbehaving
CAs. As I said,
-
they have their audits, they have their
compliance regulations, and so forth, but
-
not on the certificate level. With
certificate transparency, they become
-
audible by the public, by the browsers.
Everyone can query the logs and see
-
whether or not this particular
certification authority has issued a
-
certificate for google.com.
-
Alright! Upon reading the RFC,
there are three entities
-
which are part of certification
transparency. There are, for one,
-
the logs, which are like giant vacuum
cleaners. They ingest all the certificates
-
which are sent to them, and then
cryptographically sign them and issue the
-
assurance that this specific certificate
has been logged. And this has been issued
-
and has not been tampered with, and so
forth. Then there are monitors. They
-
identify suspicious certificates. Usually,
these are the certification authorities
-
themselves which run those monitors. And
then there are the auditors. The auditors
-
usually are implemented in the browser.
And they verify that the issued
-
certificates are really logged. Looking at
them in detail: the role of the monitor
-
and the auditor is kind of
interchangeable, so a monitor can be an
-
auditor, back and forth. What the monitor
does, it fetches all the certificates.
-
So you have this giant pool of certificates.
They are cryptographically assured which
-
we will see soon. And the monitor just
fetches them all. And they have some form
-
of semantic checking. They can see, has
there been a certificate for my domain,
-
has there been any sub-CA created, which
is able to issue certificates for traffic
-
introspection, and so forth. Also, what
they can then, with this data, do, they
-
can identify misbehaving log operators. I
said, the logs, they are just gigantic
-
hoovers, which collect all the
certificates, and they need auditing, too,
-
of course. They need - they have a
position of power, because they are
-
managing this huge pool of certificates.
And one needs to challenge the log to
-
identify misbehaviour. This can be done by
the monitors, can also be done by the
-
auditors. Every client - right now, it's
implemented in Chrome. Chrome checks for
-
these certification transparency
cryptographically signed blobs. And the
-
browsers and everything, they can verify
the log integrity as well. So in the
-
backend, the log, it creates a hash tree.
This hash tree is signed. We will come to
-
that in a second. I got lost here. So both
monitors and auditors, they query that the
-
log entity is working correctly. It
wouldn't be a good thing if China could go
-
to Google and say them "Hey, we would like
to have this certificate removed." Google
-
could then comply or could not comply but
whether they remove the certificate this
-
would be auditible and this would be
observable to the public. So the good
-
thing is anyone run any software, anyone
of you in this room can run a log entity.
-
You need some kind of access to some
certificates, so whether or not you are a
-
certification authority, you can just run
a public log, and everybody can push their
-
certificates to your service. Right now,
this is not the case. Usually, the CAs run
-
the monitors and they run the logs, but
this is not by design, anybody can run
-
anything. One of the problems is
availability. So even through I can set up
-
a log for certificates, I have the problem
that my log needs to be online 24/7. My
-
ISP is not happy if I ask him to guarantee
this for me, if I don't pay much much much
-
more. So, how does it work? Currently, if
you get a certificate, you go to the
-
certification authority, You say, "hey,
I'm this wonderful domain, please could I
-
get a certificate?" And then you get the
certificate. What's additionally happening
-
with certification transparency is that the
CA upon issuing the certificate - this can
-
be any CA, this can be Let's Encrypt, this
can be Thawte, Symantec, you name it -
-
what they do is they send the certificate
once they issued it, they send the
-
certificate to one of the logs. The log
then signs the successful reception of the
-
certificate, and immediately sends
something back. This blob is called the
-
SCT, the signed certificate timestamp, and
this can then be included in the
-
certificate or with other ways. Key point
here is that once the server installs the
-
certificate, it also installs this SCT, so
that browsers can see it and parse it.
-
Some people I might have lost here.
Nonetheless, everything is easier in
-
pictures. Right now, currently - and these
are the pictures from the certification
-
transparency website, thanks for making
them - my pic skills are really not that
-
good, so I never would have been able to
make such beautiful graphs. So currently,
-
there is the certification authority. It
issues a certificate, and the website then
-
installs it in the correct directory. The
clients check it, and encryption can
-
happen. The additional step, and this is
the nice thing, it can happen without any
-
additional steps on the server side and
the client side, it's just the
-
certification authority needs to do an
additional step. So instead of just
-
issuing the certificate, they send the
certificate to the logs, the log
-
immediately sends back the so-called SCT,
the signed certificate timestamp, and this
-
is then included in the certificate, which
is shipped to the client. And then the
-
client, if it supports it, can ask the
server whether or not this particular
-
certificate is included or not. The things
that come back from the log they are
-
signed, they have an ID, and they have a
timestamp. These are the important things.
-
They need to be included in those SCT.
Also, what will be interesting in the
-
future, that the certificate can have
multiple log entries. So the SCT is like a
-
promise. The log operator promises to
include this certificate in its logs. And
-
everybody can check afterwards then if
this log has really publicly logged, or if
-
the authority has omitted to log it. In
the future it will be the case that many
-
SCTs can be within a certificate. If I'm a
certification authority I can go to any
-
log operator, send them every certificate
I have and then include many, many SCTs.
-
And the SCT is not private. This is just
an ID, it's a timestamp, and it's a
-
signature. This is probably too much.
There's multiple ways for the client to
-
verify that this certificate has an SCT.
So one of the methods for example is OCSP
-
stapling. Right now, if you have a
certificate, instead of going to the CA,
-
the server can staple the OCSP request
signed by the CA. And within this OCSP
-
stapling there can also be the SCT
included. How does it work on the log
-
side? Everything there is, is a Merkle
hash tree. A Merkle hash tree is a
-
wonderful data structure. It's nothing
new, it's nothing fancy, and it's not the
-
blockchain.
-
laughter
-
The Merkle hash tree, it looks, it's a
binary tree. Every node has two children,
-
and the hash value of an inner node
depends on the two children. So usually
-
it's the concatenation of the values of
the two children. Get's hashed again, up
-
to the root. Makes it very space efficient
because if I want to verify the integrity
-
of one entire tree, all I have to check is
the hash value of the root. Then, of
-
course, I can get all the relevant hash
values, and then I can reconstruct it. CT
-
uses SHA256 Merkle tree, and as I said,
everything below a certain node is
-
responsible for the hash value. So if you
remove a node, if you add a node, or if
-
you relocate a node, the hash values of
all the upper nodes get changed. Each of
-
the log operators, additionally to the
promise that they will include every
-
certificate that it receives, it also
gives a promise on the maximum merge
-
delay. The SCT, the promise to include
this certificate chain into the log, it
-
can only finish immediately because it's a
promise to include this into the log. And
-
the maximum merge delay is the time the
log operator promises to include it in the
-
big, big Merkle hash tree. The good thing
about the Merkle hash tree is despite
-
being very space efficient, calculation
efficient, not that much data overhead,
-
and so forth, it's not possible to
backdate elements. This was interesting
-
for one of the certification authorities
which issued SHA1 signed certificates,
-
even though the browsers and everyone
agreed that this should not happen
-
anymore. So it's also not possible remove
elements that have been once in there. So
-
if Symantec decided to remove the
google.com certificate, which was a "test"
-
certificate, this would be noticeable as
well, because if you remove one of the
-
leaves, the hash values up to the root,
they all change. And it's also not
-
possible to add elements. if you would
like to add an element unnoticably, you
-
cannot do this, because the hash values of
all the upper nodes would change. So how
-
do the logs operate? What they usually do
is once every hour, they receive the
-
certificates, and once every hour they
include them into their Merkle hash tree.
-
Probably already too much detail. They
build a separate tree, and then include it
-
and recalculate the root hash value, which
is then signed and shipped. And the nice
-
thing about the Merkle tree is that you
have multiple ways of proving things. One
-
of the things that can be proved whether
or not this log operator is honest. if a
-
log operator removes one of the
certificates, this becomes visible by
-
changing all the relevant nodes. Also,
it's very efficient. Also a figure from
-
the project website. On the left side, you
have a Merkle tree with some added
-
certificates, appended certificates. And
if a monitor or an auditor decides to
-
challenge the log operator, at a later
point in time, whether or not these
-
certificates D6 and D7 have been correctly
added, all the log operator has to send
-
are those highlighted nodes. This is the
root, this is the thing that is signed,
-
for example, every hour. This is public.
The certificates, they are public because
-
like, they're certificates. If now someone
wants to verify that not only these have
-
been included, this is very easy, because
you just have to calculate all the way up,
-
but also verify that all the other
certificates are still there, so none of
-
the old certificates have been removed,
there only needs to be three hash values
-
transmitted. And then the challenger can
re-calculate everything. So as soon as the
-
challenger knows those hash values they
can concatenate everything back together
-
and in the end, it should have the same
hash value as the root. Another proof that
-
is possible is whether a specific
certificate is still in the log. So it's
-
not only possible to challenge the
consistency of the entire log regarding
-
old data, but it's also to verify that a
specific certificate is still in the logs,
-
or made it into the logs. Remember, the
SCT, the thing that finished immediately,
-
is just a promise to include it in the
logs, and at a later point in time,
-
anyone, any auditor can challenge the log
operator if the certificate is really in
-
the log. So again, if I want to verify
that a specific certificate is in the log
-
I have the certificate that I would like
to challenge, then I just need, in this
-
example, those three nodes, and everything
else, the j node can be calculated because
-
I have the certificate. Then I have the
hash of the certificate. I need this hash,
-
then I can calculate this value, and so
forth, until I am at the root. So much for
-
under the hood. Merkle hash trees are
gone. One of the problems of those logs
-
are they are every growing. You might have
noticed, there is not a single word about
-
deleting certificates, for valid reasons,
they are ever growing. Of course, nothing
-
is forever, so what log operators do is
that they rotate the logs. So at a
-
specific point in time, the log gets
frozen, the tree is then static, and there
-
is another log entity, which is brough
online and used for, including the newer
-
certificates. Quite recently, aviator from
Google got frozen.
-
It contains 46 million certificates.
-
Small drawback of freezing a
log: as long as one certificate in this
-
log, in this three is still valid, this
log needs to be reachable. As soon as all
-
the certificates have been expired, it can
be dumped. But until that it has to be
-
available for the proofs.
-
One of the issues is that right now
there are just a few log operators.
-
In the future, there should
be many more. Not hundred-thousands of
-
them, but maybe hundreds of them. And they
need to exchange information. Some form of
-
log chatter should appear. The log
operators chatter with the clients to
-
verify that they all see the same state of
the Merkle trees. And this has been
-
published in a paper last year. Right now,
the idea is not yet at a level where they
-
need to chatter, which we will soon see.
This happens when you create memes on the
-
train. Usually, they are very bad memes.
This is apparently Gossip Girl, I've never
-
seen it, but if you google gossip and
meme, ta-da!
-
laughter
-
Who now runs the logs? Who are the
entities who are actively running logs. Of
-
course, Google is running the majority of
them. They proposed the entire thing, they
-
wrote the code to run these things, and
they run the large, open-for-all
-
certificate logs. Three of them are
currently open-for-all. Another one is for
-
Let's Encrypt certificates, and another
one is for non Let's Encrypt certificates.
-
Of course, Let's Encrypt issues a lot of
certificates., thankfully. So they
-
separated that, apparently. If you read
the mailing list, they promise that these
-
free open-for-all logs are separated
geographically and administratively. The
-
are run by different entities, but they
all have the same boss, and it would be
-
better if there were more open logs.
Symantec has one, Wosign, CNNIC. Everytime
-
Google detects that a fraudulent
certificate for google.com has been
-
issued, those certification authorities
are mandated to run CT. Which is a good
-
thing, I mean, public and everything.
Google has tens of millions of
-
certificates. They really have an
open-for-all log, so everyone can push
-
certificates in there. DigiCert, Symantec
is kind of big, but all the other nodes
-
which are listed on the website, they have
a hundred-thousand-ish certificates, which
-
is not that much compared to 50 million or
60 millions. Right now, Google already
-
mandates certification transparency for
extended valiity certificates, so if you
-
not only see the green text up in the left
corner of your browser, but also some
-
fancy name and big, big green whatever,
this is an EV cert. And Google mandates
-
for EV certs to have two SCTs. Firefox is
in the process of including it, I think.
-
Also, apparently, certificate transparency
works. Because, when Symantec issued this
-
certificate for google.com they released a
report stating that they found 23 "test"
-
certificates. Symantec said that it issued
23 test certificates. But the logs are
-
public, anybody can query them. And within
seconds, you can see that Symantec issued
-
another 164 certificates for other
domains, and also 2,500 certificates for
-
non-exisisting domains. Just regarding
this one issue. I need to hurry, time is
-
running out. Some of the downsides of
certificate transparency. Of course:
-
privacy. People can learn your internal
hosts, so if you have NAS for example, and
-
this NAS is only reachable within your
LAN, and you want to get rid of the
-
browser warning whenever you access the
interface of your NAS, you can get a Let's
-
Encrypt certificate but since not only the
certificate is published, but also it's
-
logged, people can see in the public log
file that there is, for your domain, a
-
NAS. Also, log entries must contain the
entire chain up to a trusted root
-
certificate, which excludes everything
which is self-signed, and everything which
-
is DANE. DANE is for verifying TLS
certificates using DNSsec. And since these
-
two have no trusted root, they are currently
not working for certificate transparency.
-
Now, of course you want to see the data.
You're gonna play around with this.
-
Basically, what you can query, everything
is JSON. So, if you know JSON, you can
-
work with certificate transparency. The
basic URL is like this. The URL is any log
-
server, responds with the current root and
it's signature, using this URL. Most
-
interestingly, it gives you also the
number of certificates and the time stamp.
-
It looks then like this. JSON, so you
have, this is the aviator log from Google,
-
which is now frozen. Has 46 something
million certificates, the hash value of
-
the Merkle tree, and the signature. Also,
you can challenge the certification logs
-
with consistency proofs, where you have
two states of their tree, and the log has
-
to prove that it did not modify anything
in between them. And of course, you can
-
verify that specific certificate is in the
tree with the second URL. And you can just
-
push certificates there with a POST
request. So you push it, they send back
-
the SCT, if you're the log operator, then
you would include this. Any website which
-
right now is not using SCT all it takes is
a POST request. Nothing more. Some screens
-
from the internals. This is for google.com
in the net internals view. What you can
-
see is that signed certificate timestamp,
the SCT, is received. It is valid. And
-
compliance is checked. So this was for
google.com. And everything worked out.
-
Last but no least, just to mention it,
Comodo operates a large search engine,
-
crt.sh. There you can query public logs.
Also, Facebook recently added a monitor
-
for certificates. So if you own a domain
name, and you use an entity which - no if
-
you own a domain, you can get updates if
the certificate changes. The also monitor
-
the public logs and as soon as, for
example, facebook.com uses a new
-
certificate that is logged in CT, you can
get a notification for that. This is what
-
it looks like. Remember, Facebook can also
send PGP-encrypted mails, then nothing
-
leaks to anyone. This screenshot was
borrowed from Scott Helme. So, what's
-
next? Just a few - One month ago, Google
announced that it will mandate certificate
-
transparency from October 2017 on. So if
you run a website which is secured by TLS
-
you might want to check before that date
whether or not your certification
-
authority is using certificate
transparency. I would expect to have more
-
logs and more certificates included in the
logs. In the far future, basically, the
-
idea of transparency and this Merkle tree
is open for anything. You could put key
-
management software releases, anything in
there. The team at Google, they also
-
builded a prototype for that, called
Trillian, and described in the paper
-
"Verifiable Data Structures".
-
Before we
come to the end and questions,
-
laughter
-
applause
-
There is a distinction. Of course, you
could solve this problem with blockchain
-
as well. But a Merkle hash tree is much
more efficient, much more elegant. When I
-
talked to a colleague on the train here,
he said, of course, you can just push the
-
log into the blockchain.
Yeah, not the same thing.
-
Thank you!
-
applause
-
Herald: Thank you Martin for a very
interesting talk! We have a few more
-
minutes left for Q&A, so if you have a
question, please line up next to the
-
microphones, and ask your question.
Remember: a question has a question mark
-
at the end. Also, if you're exiting,
please do so silently and from the front
-
door, thank you. I think we have a
question over there:
-
Q: Can you recommend some libs or software
where I can accomplish the TLS handshake
-
from the client side, so I can get the
SCT, via TLS extension, via OCSP
-
extension, via the inherited
pre-certificate SCT.
-
M: Not by heart. I mean, if it's part of
TLS certificate anything will go, OpenSSL,
-
whatever, it's just a field. Same as for
OCSP, so anything that does OCSP will
-
include it, it's just that clients that do
not know the extension will just not -
-
they will ignore it. But anything that
does OCSP or SSL handshake will work.
-
H: Thank you. Question from this microphone.
-
Q: Hello, thank you very much for the nice
talk. Do you know how much space is needed
-
to store all the logs currently?
-
M: I had the same question, but
unfortunately not. What they store is the
-
tree, and they store the entire chain,
excluding the root certificates. So,
-
probably two, three, four certificates per
entry, which is like - I think you can buy
-
at the regular electronic markets a hard drive
which is able to fit a lot of those entries.
-
H: Next question from that mic.
-
Q: Yeah, thank you for the talk. Why do
you need two SCTs for extended validation?
-
M: Because a single entity might cheat. So
it's like - even though you can detect it,
-
it's still a timeframe left. And if you
have two SCTs, which are operated
-
independently, the idea is it's not that
likely that the two will collaborate
-
to make a certificate disappear.
-
Q: Thanks!
-
H: That microphone, yes.
-
Q: I'm actually a bit surprised, because
Google has been pushing for making the
-
server HELLO as small as possible, and of
course, this is increasing the server
-
HELLO with, in this case, an SCT, and of
course, they are also doing OCSP stapling,
-
so that makes it even bigger. And this is
like a SHA256, so we're talking 256 bits
-
there, plus another one you said that, you
know, one is not enough. Actually I've
-
never seen that has more than one SCT.
Have you?
-
M: No.
-
laughter
-
Not yet.
-
Q: I've looked around, but nothing.
-
M: Yeah.
-
Q: It's actually increasing the size. And
I'm just wondering, where is this going.
-
Are we just gonna eat the costs of having
all these SCTs and OCSP stapling? Are we
-
prepared to eat that cost?
-
M: I think the cost is small compared to
the gain you get by HTTP2. So if you pipe
-
anything to one singular connection. I
think it's not bad of a cost anymore. But
-
of course, this is a policy thing. To
require a certain amount of SCTs, to
-
prevent fraudulent CAs.
-
Q: Is the idea that this will replace
something like the SSL observatory, where
-
browsers send in certs they see, and then
- you nodded, so I assume yes. And then
-
also, how does this work for people who
can't have their certs be public?
-
For people who are like issuing
things for internal networks?
-
M: If you can't have the certificate
public, probably the better way right now
-
is to have a certification authority which
is not using CT. In the future, it makes
-
it much more expensive to operate your own
CA, incorporate it in the trust stores.
-
But of course, this is costly. You have to
sign the certificate and everything.
-
Q: But if like in October 2017, when
Chrome rejects all certs that don't have
-
signed timestamps like what do I do?
-
M: Use Edge.
-
laughter
-
I'm sure you can disable it somehow,
but it's blerg.
-
Q: What about if someone tries SCT with
DHT or other system.
-
Not blockchain, of course!
-
It's possible to do that without
central authorities?
-
M: Sorry, say again?
-
Q: My English is very bad, I'm sorry. I
said, it is possible to do that without
-
some central authority, like Google
or over SCT, but
-
with a distributed hash table,
like DHT technologies,
-
M: Yes, yes, of course.
-
Q: And are there existing implementations?
-
M: For the centralized thing, yes. Not for
the distributed thing. But I think it's
-
just adding a layer of DHT on top of it.
So I'm sure you can think of a browser
-
extension which uses the DHT to obtain
SCT. But right now it's just purely
-
centralized. But the source is open.
-
Q: OK, thank you.
-
Q: I was just curious how it works if you
have a certificate which gets revoked, in
-
context of the tree. Especially if the
tree is frozen. So how does this work?
-
How do you revoke a certificate with a
tree, and then how does it work if it's
-
frozen already.
-
M: Good question! The goal of CT is not
- it's not about revocation. So whether
-
revocation path is taken regularly. So you
ask OCSP. It's independent of the
-
revocation thing. It's just publicly
saying that this certificate has been
-
issued. So removing a certificate from the
tree, which has been removed - revoked, is
-
not part of the specification. This is not
the use case. It's just logging the
-
certificates which have been issued.
-
Q: But if you audit all the logs, and you
want to know if something is, like going
-
on that shouldn't be going on, wouldn't
you want to know whether the certificate
-
has been revoked at some point?
-
M: Yes, but not in the logs. The logs are
just to prove that the CA has issued this
-
certificate, and to prove that the log has
correctly logged it. Revocation is
-
different. Usually, OCSP stapling with the
CA, but that's a different channel. So
-
this is not for certificate transparency.
-
Q: Thank you!
-
H: That's all the time we have for Q&A.
-
Big round of applause again for
Martin for a great talk!
-
applause
-
postroll music
-
subtitles created by c3subtitles.de
in the year 2017. Join, and help us!
