< Return to Video

Everything you always wanted to know about Certificate Transparency (33c3)

  • 0:00 - 0:13
    33c3 opening theme music
  • 0:13 - 0:20
    Herald: I'm excited to be here, I guess
    you are too. We will get started with our
  • 0:20 - 0:27
    first talker for the day. He is a security
    researcher at SBA Research, and he's also
  • 0:27 - 0:33
    a member of CCC Vienna. The talk we'll be
    hearing today is "Everything you always
  • 0:33 - 0:37
    wanted to know about Certificate
    Transparency" and with that, I will pass
  • 0:37 - 0:42
    on the stage, please give a warm welcome
    to Martin Schmiedecker!
  • 0:42 - 0:46
    applause
  • 0:49 - 0:54
    Martin: Thank you very much for these kind
    words and this very nice introduction.
  • 0:54 - 0:59
    As Ari said, I'm a member of CCC Vienna,
    I'm also on twitter, so if you have a
  • 0:59 - 1:03
    comment afterwards, or want to ping me, if
    you find a typo in the slides, or
  • 1:03 - 1:05
    whatever, just ping me on twitter.
  • 1:05 - 1:09
    So, what is this talk about? What are we going
  • 1:09 - 1:13
    to talk about? Certificate Transparency
    is kind of a new thing in the TLS
  • 1:13 - 1:20
    ecosystem so not many people are familiar
    that it is here. So I will present the
  • 1:20 - 1:25
    overview, what is CT and what it does and
    will also peek under the hood and see what
  • 1:25 - 1:32
    it actually does, how it works, and how
    you can play with it. So one of the things
  • 1:32 - 1:38
    I have to say about myself: I'm a keen fan
    of Internet memes. So even though these
  • 1:38 - 1:45
    are hilarious pictures. Personally I find
    hilarious pictures that I put online. Keep
  • 1:45 - 1:49
    in mind that HTTPS is a serious topic.
    Whether you do net banking, you're
  • 1:49 - 1:54
    googling, or whatever you do online, HTTPS
    is there to protect your privacy and to
  • 1:54 - 2:00
    protect your security. And in some states,
    this has been shown by history, this is
  • 2:00 - 2:05
    not a case, so there are nation-wide
    introspecting devices which break open the
  • 2:05 - 2:11
    TLS encryption and look at the content.
    And people will get a visit from secret
  • 2:11 - 2:16
    police or anything and they will knock on
    their door and arrest them. Just like this
  • 2:16 - 2:22
    week happened in Turkey, where people got
    arrested for posting things on Facebook.
  • 2:22 - 2:26
    So even though there are some funny
    pictures in there keep in mind that this
  • 2:26 - 2:34
    is just a means to an end for my
    presentation. I personally find HTTPS is a
  • 2:34 - 2:39
    very important topic. I hope I can
    convince you, too. And CT in particular is
  • 2:39 - 2:47
    fascinating. Why is there something like
    Certificate Transparency? The name says it
  • 2:47 - 2:53
    all: if you are a certification authority,
    you want to make public the certificates
  • 2:53 - 3:00
    you sell or you issue. As with many good
    stories and many good tools it all started
  • 3:00 - 3:06
    with a hack. Back in 2011 there was this
    Dutch certification authority called
  • 3:06 - 3:11
    DigiNotar, and they got pawned. They got
    really, really badly fisted.
  • 3:11 - 3:12
    laughter
  • 3:12 - 3:18
    They lost everything. They lost all their
    crown jewels. And as part of this hack,
  • 3:18 - 3:24
    there were 500-something fraudulent
    certificates issued. And not just any
  • 3:24 - 3:27
    certificates, not just like Let's Encrypt,
    where you can get a free certificate, and
  • 3:27 - 3:32
    and then use it for your internal systems,
    or for your web site, or whatever. No,
  • 3:32 - 3:39
    really, really high value domains and high
    value certificates. Like google.com, very
  • 3:39 - 3:43
    privacy-invasive, if you can read what
    people are googling, or what they are
  • 3:43 - 3:48
    sending in their emails.
    windowsupdate.com, which is like the back
  • 3:48 - 3:56
    door to some of the windows world.
    mozilla.com, the attacker could manipulate
  • 3:56 - 4:03
    the Firefox download, sign it with the
    certificate and ship it over a
  • 4:03 - 4:11
    secure-seeming website. torproject, and so
    forth. This was back in 2011 and this was
  • 4:11 - 4:19
    not just a small incident it hasn't been a
    small CA but it was a regular CA with regular
  • 4:19 - 4:25
    business. What's more on this hack is
    that: These certificates have then been
  • 4:25 - 4:30
    used to intercept communication of
    clients. People browsing the web, reading
  • 4:30 - 4:35
    their email. The company which
    investigated the breach afterwards found
  • 4:35 - 4:42
    out that at least 300.000 IP addresses
    were connecting to google.com and were
  • 4:42 - 4:50
    seeing this fraudulent cert. 99% of which
    where from Iran. So it was kind of a
  • 4:50 - 4:57
    nation state attack against clients of
    either ISP based or border gateway based
  • 4:57 - 5:04
    where people were thinking they were
    browsing secured by HTTPS but they were
  • 5:04 - 5:12
    actually not. This is a wonderful frame
    from the video. The guys from Fox IT which
  • 5:12 - 5:20
    investigated this breach they used the
    OCSP requests. Every time you get a
  • 5:20 - 5:23
    certificate your browser has to somehow
    figure out whether or not this certificate
  • 5:23 - 5:31
    is still valid. If it has been revoked, it
    would be nice to not use it anymore. And
  • 5:31 - 5:38
    one of the approaches which is used is so
    called OCSP, so the client asks the
  • 5:38 - 5:46
    certificate authority: "hey is this still
    valid?" And this has been logged. Each of
  • 5:46 - 5:53
    these requests is one of the clients
    seeing this fraudulent certificate and
  • 5:53 - 6:00
    asking DigiNotar: "Hey, is this cert still
    valid?" And as you can see, most of the
  • 6:00 - 6:04
    connections - it's actually a movie, so
    you can see the lights flickering and
  • 6:04 - 6:09
    popping up and down as people go to sleep
    and wake up again. And most of the
  • 6:09 - 6:16
    people were from Iran. So how did
    DigiNotar got hacked? They got really,
  • 6:16 - 6:21
    really, badly hacked because they had
    vulnerabilities everywhere. They had a
  • 6:21 - 6:27
    system running which was incomprehensibly
    insecure for a certification authority.
  • 6:27 - 6:32
    People think that if you run a
    certification authority you build the
  • 6:32 - 6:37
    foundation for secure communication
    online. You are the one securing Internet
  • 6:37 - 6:43
    communication. And if you run such an
    entity, people think you know security.
  • 6:43 - 6:44
    Actually,
  • 6:44 - 6:46
    laughter
  • 6:46 - 6:52
    actually, DigiNotar did not. They had unpatched
    software, which was facing the Internet.
  • 6:52 - 6:56
    Might happen. They didn't have anti-virus
    on the machines that issued the
  • 6:56 - 7:02
    certificates. The didn't have a strong
    password for their admin account. So like
  • 7:02 - 7:05
    "password" or "admin". Actually, you can
    read the report online, and the
  • 7:05 - 7:12
    recommendations from ENISA, the European
    security body, they listed all the things
  • 7:12 - 7:19
    that have been found and identified. Also,
    all the certificate-issuing servers were
  • 7:19 - 7:27
    in one Windows domain. Also kind of bad
    from DigiNotar: they kept the incident
  • 7:27 - 7:32
    secret. Of course, they did not want to
    spread out onto the Internet "hey, we got
  • 7:32 - 7:38
    hacked, and we have had bad security".
    They kept this incident hidden
  • 7:38 - 7:40
    for more than 2 months.
  • 7:40 - 7:45
    After 2 months, when it got
    public, and when the Internet found out,
  • 7:45 - 7:50
    that actually something really, really bad
    had happened, they found out, and
  • 7:50 - 8:00
    DigiNotar then went bankrupt. That's the sad
    ending of the story. But this is not one
  • 8:00 - 8:06
    of the problems that certification
    authorities face. If you run a
  • 8:06 - 8:11
    certification authority, you issue
    certificates based on the identify of your
  • 8:11 - 8:17
    customers. You can create sub-root CAs, so
    you can say Hey, Martin, he looks like a
  • 8:17 - 8:23
    nice guy, he looks like he knows security,
    let's make him a CA and make him verify
  • 8:23 - 8:32
    identities. Probably not a good idea, but
    this is what the business model of HTTPS
  • 8:32 - 8:37
    and certification authorities is. They
    issue certificates and they grant the
  • 8:37 - 8:45
    permission to issue certificates as well.
    And the entire goal of these companies is
  • 8:45 - 8:51
    to get into the trust stores. Every
    browser, every operating system, every
  • 8:51 - 8:57
    thing connects over TLS has something
    called like trust store, where it stores
  • 8:57 - 9:02
    the entities that are entitled to issue
    certificates. And the problem is, those
  • 9:02 - 9:07
    CAs are not strictly audited. They have
    their requirements that they have to
  • 9:07 - 9:13
    fullfil. They have to show that they have
    some kind of security. But afterwards,
  • 9:13 - 9:18
    once they're certified, and once they're
    in the trust stores, there is not such a
  • 9:18 - 9:23
    strong incentive to audit them, because
    they are already in the trust stores, and
  • 9:23 - 9:31
    they've had their audits, and so forth.
    This can lead to many problems. Another
  • 9:31 - 9:39
    CA, Trustwave, in 2011, it issued sub-CA
    certificates. Anyone with a sub-CA
  • 9:39 - 9:46
    certificate can issue a TLS certificate
    for any domain. They used it for traffic
  • 9:46 - 9:50
    introspection. So they were selling, I
    don't know, to a company, which was
  • 9:50 - 9:56
    building appliances which can break open
    the network connections for banks,
  • 9:56 - 10:05
    companies, or entire ISPs. They can look
    into the traffic of it's users. Also,
  • 10:05 - 10:12
    there was Lenovo SuperFish, wonderful
    idea. SuperFish was a local
  • 10:12 - 10:17
    man-in-the-middle CA, and the goal of the
    SuperFish CA was to break open HTTPS
  • 10:17 - 10:21
    traffic, so that they can inject ads.
  • 10:21 - 10:22
    laughter
  • 10:22 - 10:27
    Even though you're using gmail and you
    have this nice, slick interface without
  • 10:27 - 10:34
    obvious ads, SuperFish would break open
    this connection, would be trusted by the
  • 10:34 - 10:44
    browser, and would have huge overlay ads.
    Lenovo stopped cooperating with SuperFish.
  • 10:44 - 10:52
    This was preinstalled on Lenovo notebooks.
    They had a local CA installed on the
  • 10:52 - 10:58
    system so they could inspect the traffic
    and show ads to users. What's even more
  • 10:58 - 11:03
    interesting is that all these CAs had the
    same key, and the private key was in RAM.
  • 11:03 - 11:13
    So anybody could extract the private key
    of the CA, use it to sign certificates for
  • 11:13 - 11:20
    anything, and have an additional layer of
    HTTPS injection, where you could not only
  • 11:20 - 11:27
    show ads, but also read the emails or do
    whatever you want. Very bad. They're not doing it
  • 11:27 - 11:35
    allegedly anymore. Then there was, in
    China, the CNNIC, they issued a sub-CA for
  • 11:35 - 11:39
    an introspection company. Again the
    company wanted to sell appliances where
  • 11:39 - 11:46
    they could break open HTTPS connections
    and look into the traffic of the users.
  • 11:46 - 11:51
    And there was another incident just this
    year: Symantec was issuing "test"
  • 11:51 - 11:57
    certificates to a company or whatever,
    among them google.com, opera.com, things
  • 11:57 - 12:04
    that you probably not would like to test,
    and got caught. And the nice thing about
  • 12:04 - 12:09
    this incident is: they already had
    Certificate Transparency installed. And we
  • 12:09 - 12:15
    will come back to this incident in a
    minute. Traffic introspection is a valid
  • 12:15 - 12:22
    thing. If you have a fleet of planes, and
    they are connected via expensive satellite
  • 12:22 - 12:27
    connections and you really pay a lot for
    bandwidth you would like to block, for
  • 12:27 - 12:33
    example, Netflix, or anything which causes
    a lot of traffic. One of the approaches
  • 12:33 - 12:40
    which was taken by Gogo, they had traffic
    introspection devices in their planes and
  • 12:40 - 12:49
    they issued not-trusted certificates to
    inspect the traffic. Bad for them:
  • 12:49 - 12:55
    Adrienne Porter Felt who works for Google
    noticed this and Gogo is not doing this
  • 12:55 - 13:02
    anymore. And even though traffic
    introspection sounds like a really bad
  • 13:02 - 13:08
    thing, I can think of use cases where this
    is legit. If you run a company, if you run
  • 13:08 - 13:15
    a bank, and you want to prevent people
    from leaking data, this can be OK. But it
  • 13:15 - 13:18
    has to be transparent, people have to know
    that this is happening, that they're
  • 13:18 - 13:23
    inspecting everything. And still won't
    prevent people from carrying out the USB
  • 13:23 - 13:30
    thumb drive with all the data on it. So
    this is the big picture why we need
  • 13:30 - 13:35
    Certificate Transparency. We would like to
    see which certificates have been issued by
  • 13:35 - 13:43
    a specific CA. Some minor issues, not
    really minor, that additionally come to
  • 13:43 - 13:49
    play are that TLS has it's issues
    nonetheless whether these certificates are
  • 13:49 - 13:55
    issued or not. One of them is certificate
    revocation is tricky. It's not as easy as
  • 13:55 - 14:01
    just saying "this certificate is not valid
    anymore". Once a certificate is issued, it
  • 14:01 - 14:08
    is valid until the date shown in the
    certificate, which can be three years.
  • 14:08 - 14:12
    Happens to be, if on the first day of
    using this certificate, people notice,
  • 14:12 - 14:18
    "uh, we should revoke it", clients that
    don't get this update will be able to use
  • 14:18 - 14:28
    this certificate for two and more years.
    Also, another limitation is that all CAs
  • 14:28 - 14:35
    can issue certificates for all websites.
    Any of those 1,800 CAs and sub-CAs which
  • 14:35 - 14:42
    were in trust stores in 2013 they can all
    issue a certificate for google.com or
  • 14:42 - 14:47
    facebook.com. This is not prevented by any
    means but social means and contracts,
  • 14:47 - 14:55
    which state that they have to check the
    legitimacy of the request. This was
  • 14:55 - 15:03
    published in a paper in 2013. There are
    more than 1,800 CAs which can sign
  • 15:03 - 15:10
    certificates for any domain in regular
    user devices. Another paper in 2014 found
  • 15:10 - 15:16
    out that one third of them, one third of
    those 1,800 certification authorities,
  • 15:16 - 15:21
    never issued a single HTTPS certificate.
    This makes you wonder: why are they then
  • 15:21 - 15:27
    in the trust stores and so forth. You can
    claim a certain percentage of them they
  • 15:27 - 15:34
    are used for issuing private certificates
    within networks. Still, one third of them
  • 15:34 - 15:44
    never issued a publicly obtainable HTTPS
    certificate. Then of course there the
  • 15:44 - 15:49
    implementation issues. TLS has a long
    history of implementation flaws. Not just
  • 15:49 - 15:54
    cryptographic, there's logjam, freak,
    poodle, whatever. They are a completely
  • 15:54 - 16:02
    separate issue. But the implementation
    issues are troubling the device security
  • 16:02 - 16:07
    at a constant pace. Famous example is:
    "goto fail;" from iOS, where they had an
  • 16:07 - 16:13
    additional "goto fail" missing bracket and
    the certificate validity wasn't checked.
  • 16:13 - 16:20
    Also, we have a lot of embedded devices.
    Once they're powered up, they're used to
  • 16:20 - 16:25
    generate their private key, and they have
    no access to good entropy. Entropy on
  • 16:25 - 16:33
    embedded devices is surprisingly hard. So
    a lot of them generate the same keys. And
  • 16:33 - 16:37
    as already mentioned, we have different
    trust stores per browser, per operating
  • 16:37 - 16:42
    system. Everyone has a different trust
    base. Also of course, every CA tries to
  • 16:42 - 16:47
    get access into all of the trust stores,
    get shipped with system updates to be
  • 16:47 - 16:55
    trusted, and we have a diversity which is
    not natural. Could be much easier if
  • 16:55 - 17:01
    people would have the same trust base on
    all their devices. And there are plenty of
  • 17:01 - 17:08
    deployment issues. SSLv2: everybody thinks
    it dead, but apparently, it's not.
  • 17:08 - 17:12
    Sebastian Schinzel will give a splendid
    presentation two hours from now about the
  • 17:12 - 17:19
    DROWN attack. The DROWN attack uses SSLv2
    weaknesses in email transport. Simply
  • 17:19 - 17:27
    because it's activated, and it uses the
    same key, you can attack top-notch TLS 1.2
  • 17:27 - 17:33
    encryption, because this is still here.
    There's the whole shmafoo of the SHA1
  • 17:33 - 17:38
    certificates. Certification authorities
    are not supposed to issue any SHA1
  • 17:38 - 17:42
    certificates anymore. Some do, some get
    caught, because they back-dated their
  • 17:42 - 17:47
    certificates, and so forth. It's a mess.
    Then there's cypher suites. There are more
  • 17:47 - 17:55
    than 500 cypher suites available for the
    different versions of TLS. Every admin
  • 17:55 - 18:00
    would like to be [as] secure as possible
    but which should he choose. As soon as
  • 18:00 - 18:05
    there is money involved, like Amazon, they
    need to be compatible with Internet
  • 18:05 - 18:16
    Explorer 6 and so forth. It's really a
    mess. And of course, email STARTTLS: Email
  • 18:16 - 18:22
    never had the design to incorporate
    security and authentication, so as always,
  • 18:22 - 18:28
    they just popped it on top, and this is
    STARTTLS. The problem with STARTTLS is it
  • 18:28 - 18:33
    can be suppressed and people will fall
    back to plaintext if they cannot reach the
  • 18:33 - 18:40
    service with STARTTLS. Perfect forward
    secrecy and so forth, deployment is another
  • 18:40 - 18:47
    topic which can be a talk about. And there
    is this troublesome development that the
  • 18:47 - 18:52
    CAs, they get bought and they get sold
    constantly. Just this year, Symantec
  • 18:52 - 19:00
    bought the company BlueCoat. Symantec is
    one of the larger CAs. They run the entire
  • 19:00 - 19:07
    - not the entire, but they run large parts
    of the certifications that are observable.
  • 19:07 - 19:13
    BlueCoat got popular in the Arab Spring,
    because they found BlueCoat proxies which
  • 19:13 - 19:19
    are capable using man-in-the-middle
    attacks to conduct traffic introspection,
  • 19:19 - 19:23
    have been used at an ISP I think in Syria
    or Egypt. They found them, and they have
  • 19:23 - 19:29
    been deployed nationwide. So if you think
    about it that Symantec, one of the largest
  • 19:29 - 19:35
    CAs, is buying BlueCoat, one of the larger
    traffic introspection companies, things
  • 19:35 - 19:39
    can look really fishy or scary.
  • 19:40 - 19:44
    Of course they promised they
    would never use the Symantec
  • 19:44 - 19:47
    laughter
  • 19:47 - 19:53
    This is the state we're in. This is fine,
    but it's not. But people still think about
  • 19:53 - 20:00
    it that HTTPS is safe. And actually it
    took a decade to teach people that they
  • 20:00 - 20:05
    have to search for the lock icon. But if
    they do not understand - actually they do
  • 20:05 - 20:12
    not know how the lock icon appears. But
    the entire lock icon is a farce if you dig
  • 20:12 - 20:21
    into the details. We're all sitting in a
    room filled with flames, so to say. So,
  • 20:21 - 20:27
    this is where certificate transparency
    comes in. Certificate transparency has the
  • 20:27 - 20:38
    goal to identify fraudulent certification
    authorities. In a perfect world, any
  • 20:38 - 20:43
    certification authority would publish all
    it's logs, would publish all the
  • 20:43 - 20:49
    certificates it issues. So as soon as I
    get a certificate for schmiedecker.net,
  • 20:49 - 20:54
    the certification authority - this is part
    of the public/private key, it can be
  • 20:54 - 21:00
    public - so wouldn't it be nice if the CA
    would publish that it just issued a
  • 21:00 - 21:06
    certificate for schmiedecker.net?
    Basically: yes. Of course, certification
  • 21:06 - 21:11
    authorities do not want this to happen, in
    particular if they're selling to funky
  • 21:11 - 21:18
    states or funky businesses which earn
    their money with traffic introspection and
  • 21:18 - 21:24
    so forth. So the perfect world would be
    the public key of each certificate would
  • 21:24 - 21:28
    be published. The certification authority
    could say "Hey, I just issued this
  • 21:28 - 21:31
    certificate" and everybody could see it,
    could verify it
  • 21:31 - 21:35
    and it would be, well, a better world.
  • 21:38 - 21:43
    This would help to detect
    problems very early. So if a small Dutch
  • 21:43 - 21:47
    certification authority would issue a
    certificate for google.com or
  • 21:47 - 21:52
    torproject.com, this would be noticeable.
    I mean, this is a small CA, they would be
  • 21:52 - 21:57
    really - they should be really surprised
    if google.com decides to issue a
  • 21:57 - 22:05
    certificate for their service. This would
    shorten the window of opportunity for an
  • 22:05 - 22:13
    attacker. Also, the idea is to have some
    form of punishment for misbehaving CAs. So
  • 22:13 - 22:18
    at the moment, right now, if a
    certification authority fucks up, and
  • 22:18 - 22:24
    Google is affected, they mandate that they
    need to have additional steps to be
  • 22:24 - 22:33
    reintroduced into the trust stores. This
    is what Google did. They did the Power
  • 22:33 - 22:42
    Ranger move, and they decided they want to
    make the internet more secure. Why Google?
  • 22:42 - 22:47
    Well, Google is uniquely positioned in a
    way that they control the clients with
  • 22:47 - 22:54
    their browsers with the Android system,
    and they also control a large portion of
  • 22:54 - 22:58
    the servers. Everyone uses Google, except
    for those that use Bing.
  • 22:58 - 23:01
    laughter
  • 23:01 - 23:08
    Just kidding. What Google did is, once the
    DigiNotar hack got public, they pinned
  • 23:08 - 23:14
    their certificates. Since Chrome has a
    decent update cycle they can ship the
  • 23:14 - 23:19
    certificates which they expect to see with
    a browser update. So as soon as [the]
  • 23:19 - 23:28
    browser updates in the background, it can
    enforce the specific certificate that it
  • 23:28 - 23:35
    expects to see for google.com,
    youtube.com, and whatever. Also, it has a
  • 23:35 - 23:40
    really huge market share. 50% and more,
    depending on how you count. Chrome and
  • 23:40 - 23:46
    Chromium are rather popular. And lastly,
    they are a common target. So if some
  • 23:46 - 23:54
    dictator decides to introspect client
    emails, user emails, usually they target
  • 23:54 - 24:00
    gmail.com, because they have a decent
    security, they do not have any other
  • 24:00 - 24:10
    vulnerabilities or backdoors to allow
    access to their content. Which makes the
  • 24:10 - 24:16
    attack to Gmail a very drastic attack.
    With the changes that Google introduced
  • 24:16 - 24:21
    into Chrome with the certificate pinning,
    they can now detect these attacks.
  • 24:21 - 24:30
    But this was already back in 2011. Since
    then, for example, the Porter Felt tweet
  • 24:30 - 24:38
    I showed you, If Chrome would go to a
    website google.com or youtube.com, and
  • 24:38 - 24:44
    would see a fraudulent certificate, they
    would warn the user. And what Google then
  • 24:44 - 24:53
    did, was to propose a standard, to make an
    RFC, how to transparently publish the logs
  • 24:53 - 25:01
    for certificates that have been issued.
    The idea of the RFC is that every
  • 25:01 - 25:11
    certificate issued is public. This is
    implemented in a public, append-only log.
  • 25:11 - 25:17
    So they have a log, they have open APIs,
    and they accept every certificate. Then,
  • 25:17 - 25:22
    cryptographically assured, the client like
    the browser can verify that this is a
  • 25:22 - 25:28
    publicly logged certificate. And the
    entire system is open for all. So you can
  • 25:28 - 25:30
    go to the website, you can
    get the source code,
  • 25:30 - 25:36
    you can run your own log for RFC 6962.
  • 25:36 - 25:41
    And everyone is happy.
  • 25:41 - 25:46
    The goals were to detect misbehaving
    CAs. As I said,
  • 25:46 - 25:52
    they have their audits, they have their
    compliance regulations, and so forth, but
  • 25:52 - 25:55
    not on the certificate level. With
    certificate transparency, they become
  • 25:55 - 26:01
    audible by the public, by the browsers.
    Everyone can query the logs and see
  • 26:01 - 26:05
    whether or not this particular
    certification authority has issued a
  • 26:05 - 26:07
    certificate for google.com.
  • 26:10 - 26:15
    Alright! Upon reading the RFC,
    there are three entities
  • 26:15 - 26:20
    which are part of certification
    transparency. There are, for one,
  • 26:20 - 26:28
    the logs, which are like giant vacuum
    cleaners. They ingest all the certificates
  • 26:28 - 26:34
    which are sent to them, and then
    cryptographically sign them and issue the
  • 26:34 - 26:41
    assurance that this specific certificate
    has been logged. And this has been issued
  • 26:41 - 26:46
    and has not been tampered with, and so
    forth. Then there are monitors. They
  • 26:46 - 26:50
    identify suspicious certificates. Usually,
    these are the certification authorities
  • 26:50 - 26:56
    themselves which run those monitors. And
    then there are the auditors. The auditors
  • 26:56 - 27:03
    usually are implemented in the browser.
    And they verify that the issued
  • 27:03 - 27:10
    certificates are really logged. Looking at
    them in detail: the role of the monitor
  • 27:10 - 27:14
    and the auditor is kind of
    interchangeable, so a monitor can be an
  • 27:14 - 27:21
    auditor, back and forth. What the monitor
    does, it fetches all the certificates.
  • 27:21 - 27:28
    So you have this giant pool of certificates.
    They are cryptographically assured which
  • 27:28 - 27:33
    we will see soon. And the monitor just
    fetches them all. And they have some form
  • 27:33 - 27:40
    of semantic checking. They can see, has
    there been a certificate for my domain,
  • 27:40 - 27:47
    has there been any sub-CA created, which
    is able to issue certificates for traffic
  • 27:47 - 27:54
    introspection, and so forth. Also, what
    they can then, with this data, do, they
  • 27:54 - 28:00
    can identify misbehaving log operators. I
    said, the logs, they are just gigantic
  • 28:00 - 28:05
    hoovers, which collect all the
    certificates, and they need auditing, too,
  • 28:05 - 28:09
    of course. They need - they have a
    position of power, because they are
  • 28:09 - 28:18
    managing this huge pool of certificates.
    And one needs to challenge the log to
  • 28:18 - 28:24
    identify misbehaviour. This can be done by
    the monitors, can also be done by the
  • 28:24 - 28:32
    auditors. Every client - right now, it's
    implemented in Chrome. Chrome checks for
  • 28:32 - 28:43
    these certification transparency
    cryptographically signed blobs. And the
  • 28:43 - 28:47
    browsers and everything, they can verify
    the log integrity as well. So in the
  • 28:47 - 28:57
    backend, the log, it creates a hash tree.
    This hash tree is signed. We will come to
  • 28:57 - 29:06
    that in a second. I got lost here. So both
    monitors and auditors, they query that the
  • 29:06 - 29:11
    log entity is working correctly. It
    wouldn't be a good thing if China could go
  • 29:11 - 29:17
    to Google and say them "Hey, we would like
    to have this certificate removed." Google
  • 29:17 - 29:23
    could then comply or could not comply but
    whether they remove the certificate this
  • 29:23 - 29:28
    would be auditible and this would be
    observable to the public. So the good
  • 29:28 - 29:34
    thing is anyone run any software, anyone
    of you in this room can run a log entity.
  • 29:34 - 29:38
    You need some kind of access to some
    certificates, so whether or not you are a
  • 29:38 - 29:45
    certification authority, you can just run
    a public log, and everybody can push their
  • 29:45 - 29:54
    certificates to your service. Right now,
    this is not the case. Usually, the CAs run
  • 29:54 - 30:00
    the monitors and they run the logs, but
    this is not by design, anybody can run
  • 30:00 - 30:06
    anything. One of the problems is
    availability. So even through I can set up
  • 30:06 - 30:15
    a log for certificates, I have the problem
    that my log needs to be online 24/7. My
  • 30:15 - 30:23
    ISP is not happy if I ask him to guarantee
    this for me, if I don't pay much much much
  • 30:23 - 30:31
    more. So, how does it work? Currently, if
    you get a certificate, you go to the
  • 30:31 - 30:36
    certification authority, You say, "hey,
    I'm this wonderful domain, please could I
  • 30:36 - 30:43
    get a certificate?" And then you get the
    certificate. What's additionally happening
  • 30:43 - 30:50
    with certification transparency is that the
    CA upon issuing the certificate - this can
  • 30:50 - 30:56
    be any CA, this can be Let's Encrypt, this
    can be Thawte, Symantec, you name it -
  • 30:56 - 31:02
    what they do is they send the certificate
    once they issued it, they send the
  • 31:02 - 31:14
    certificate to one of the logs. The log
    then signs the successful reception of the
  • 31:14 - 31:18
    certificate, and immediately sends
    something back. This blob is called the
  • 31:18 - 31:24
    SCT, the signed certificate timestamp, and
    this can then be included in the
  • 31:24 - 31:33
    certificate or with other ways. Key point
    here is that once the server installs the
  • 31:33 - 31:43
    certificate, it also installs this SCT, so
    that browsers can see it and parse it.
  • 31:43 - 31:50
    Some people I might have lost here.
    Nonetheless, everything is easier in
  • 31:50 - 31:54
    pictures. Right now, currently - and these
    are the pictures from the certification
  • 31:54 - 31:59
    transparency website, thanks for making
    them - my pic skills are really not that
  • 31:59 - 32:04
    good, so I never would have been able to
    make such beautiful graphs. So currently,
  • 32:04 - 32:10
    there is the certification authority. It
    issues a certificate, and the website then
  • 32:10 - 32:17
    installs it in the correct directory. The
    clients check it, and encryption can
  • 32:17 - 32:23
    happen. The additional step, and this is
    the nice thing, it can happen without any
  • 32:23 - 32:29
    additional steps on the server side and
    the client side, it's just the
  • 32:29 - 32:34
    certification authority needs to do an
    additional step. So instead of just
  • 32:34 - 32:40
    issuing the certificate, they send the
    certificate to the logs, the log
  • 32:40 - 32:46
    immediately sends back the so-called SCT,
    the signed certificate timestamp, and this
  • 32:46 - 32:52
    is then included in the certificate, which
    is shipped to the client. And then the
  • 32:52 - 32:58
    client, if it supports it, can ask the
    server whether or not this particular
  • 32:58 - 33:06
    certificate is included or not. The things
    that come back from the log they are
  • 33:06 - 33:11
    signed, they have an ID, and they have a
    timestamp. These are the important things.
  • 33:11 - 33:18
    They need to be included in those SCT.
    Also, what will be interesting in the
  • 33:18 - 33:27
    future, that the certificate can have
    multiple log entries. So the SCT is like a
  • 33:27 - 33:36
    promise. The log operator promises to
    include this certificate in its logs. And
  • 33:36 - 33:40
    everybody can check afterwards then if
    this log has really publicly logged, or if
  • 33:40 - 33:45
    the authority has omitted to log it. In
    the future it will be the case that many
  • 33:45 - 33:53
    SCTs can be within a certificate. If I'm a
    certification authority I can go to any
  • 33:53 - 34:00
    log operator, send them every certificate
    I have and then include many, many SCTs.
  • 34:00 - 34:04
    And the SCT is not private. This is just
    an ID, it's a timestamp, and it's a
  • 34:04 - 34:13
    signature. This is probably too much.
    There's multiple ways for the client to
  • 34:13 - 34:21
    verify that this certificate has an SCT.
    So one of the methods for example is OCSP
  • 34:21 - 34:26
    stapling. Right now, if you have a
    certificate, instead of going to the CA,
  • 34:26 - 34:34
    the server can staple the OCSP request
    signed by the CA. And within this OCSP
  • 34:34 - 34:44
    stapling there can also be the SCT
    included. How does it work on the log
  • 34:44 - 34:48
    side? Everything there is, is a Merkle
    hash tree. A Merkle hash tree is a
  • 34:48 - 34:53
    wonderful data structure. It's nothing
    new, it's nothing fancy, and it's not the
  • 34:53 - 34:54
    blockchain.
  • 34:54 - 34:56
    laughter
  • 34:56 - 35:05
    The Merkle hash tree, it looks, it's a
    binary tree. Every node has two children,
  • 35:05 - 35:11
    and the hash value of an inner node
    depends on the two children. So usually
  • 35:11 - 35:15
    it's the concatenation of the values of
    the two children. Get's hashed again, up
  • 35:15 - 35:20
    to the root. Makes it very space efficient
    because if I want to verify the integrity
  • 35:20 - 35:28
    of one entire tree, all I have to check is
    the hash value of the root. Then, of
  • 35:28 - 35:36
    course, I can get all the relevant hash
    values, and then I can reconstruct it. CT
  • 35:36 - 35:45
    uses SHA256 Merkle tree, and as I said,
    everything below a certain node is
  • 35:45 - 35:52
    responsible for the hash value. So if you
    remove a node, if you add a node, or if
  • 35:52 - 36:02
    you relocate a node, the hash values of
    all the upper nodes get changed. Each of
  • 36:02 - 36:07
    the log operators, additionally to the
    promise that they will include every
  • 36:07 - 36:12
    certificate that it receives, it also
    gives a promise on the maximum merge
  • 36:12 - 36:19
    delay. The SCT, the promise to include
    this certificate chain into the log, it
  • 36:19 - 36:26
    can only finish immediately because it's a
    promise to include this into the log. And
  • 36:26 - 36:32
    the maximum merge delay is the time the
    log operator promises to include it in the
  • 36:32 - 36:41
    big, big Merkle hash tree. The good thing
    about the Merkle hash tree is despite
  • 36:41 - 36:46
    being very space efficient, calculation
    efficient, not that much data overhead,
  • 36:46 - 36:51
    and so forth, it's not possible to
    backdate elements. This was interesting
  • 36:51 - 36:55
    for one of the certification authorities
    which issued SHA1 signed certificates,
  • 36:55 - 37:00
    even though the browsers and everyone
    agreed that this should not happen
  • 37:00 - 37:05
    anymore. So it's also not possible remove
    elements that have been once in there. So
  • 37:05 - 37:10
    if Symantec decided to remove the
    google.com certificate, which was a "test"
  • 37:10 - 37:14
    certificate, this would be noticeable as
    well, because if you remove one of the
  • 37:14 - 37:21
    leaves, the hash values up to the root,
    they all change. And it's also not
  • 37:21 - 37:27
    possible to add elements. if you would
    like to add an element unnoticably, you
  • 37:27 - 37:34
    cannot do this, because the hash values of
    all the upper nodes would change. So how
  • 37:34 - 37:40
    do the logs operate? What they usually do
    is once every hour, they receive the
  • 37:40 - 37:48
    certificates, and once every hour they
    include them into their Merkle hash tree.
  • 37:48 - 37:52
    Probably already too much detail. They
    build a separate tree, and then include it
  • 37:52 - 38:01
    and recalculate the root hash value, which
    is then signed and shipped. And the nice
  • 38:01 - 38:08
    thing about the Merkle tree is that you
    have multiple ways of proving things. One
  • 38:08 - 38:18
    of the things that can be proved whether
    or not this log operator is honest. if a
  • 38:18 - 38:22
    log operator removes one of the
    certificates, this becomes visible by
  • 38:22 - 38:32
    changing all the relevant nodes. Also,
    it's very efficient. Also a figure from
  • 38:32 - 38:39
    the project website. On the left side, you
    have a Merkle tree with some added
  • 38:39 - 38:47
    certificates, appended certificates. And
    if a monitor or an auditor decides to
  • 38:47 - 38:54
    challenge the log operator, at a later
    point in time, whether or not these
  • 38:54 - 39:01
    certificates D6 and D7 have been correctly
    added, all the log operator has to send
  • 39:01 - 39:07
    are those highlighted nodes. This is the
    root, this is the thing that is signed,
  • 39:07 - 39:13
    for example, every hour. This is public.
    The certificates, they are public because
  • 39:13 - 39:21
    like, they're certificates. If now someone
    wants to verify that not only these have
  • 39:21 - 39:26
    been included, this is very easy, because
    you just have to calculate all the way up,
  • 39:26 - 39:30
    but also verify that all the other
    certificates are still there, so none of
  • 39:30 - 39:37
    the old certificates have been removed,
    there only needs to be three hash values
  • 39:37 - 39:42
    transmitted. And then the challenger can
    re-calculate everything. So as soon as the
  • 39:42 - 39:47
    challenger knows those hash values they
    can concatenate everything back together
  • 39:47 - 39:57
    and in the end, it should have the same
    hash value as the root. Another proof that
  • 39:57 - 40:03
    is possible is whether a specific
    certificate is still in the log. So it's
  • 40:03 - 40:07
    not only possible to challenge the
    consistency of the entire log regarding
  • 40:07 - 40:14
    old data, but it's also to verify that a
    specific certificate is still in the logs,
  • 40:14 - 40:21
    or made it into the logs. Remember, the
    SCT, the thing that finished immediately,
  • 40:21 - 40:27
    is just a promise to include it in the
    logs, and at a later point in time,
  • 40:27 - 40:36
    anyone, any auditor can challenge the log
    operator if the certificate is really in
  • 40:36 - 40:46
    the log. So again, if I want to verify
    that a specific certificate is in the log
  • 40:46 - 40:51
    I have the certificate that I would like
    to challenge, then I just need, in this
  • 40:51 - 40:57
    example, those three nodes, and everything
    else, the j node can be calculated because
  • 40:57 - 41:02
    I have the certificate. Then I have the
    hash of the certificate. I need this hash,
  • 41:02 - 41:12
    then I can calculate this value, and so
    forth, until I am at the root. So much for
  • 41:12 - 41:17
    under the hood. Merkle hash trees are
    gone. One of the problems of those logs
  • 41:17 - 41:23
    are they are every growing. You might have
    noticed, there is not a single word about
  • 41:23 - 41:32
    deleting certificates, for valid reasons,
    they are ever growing. Of course, nothing
  • 41:32 - 41:39
    is forever, so what log operators do is
    that they rotate the logs. So at a
  • 41:39 - 41:46
    specific point in time, the log gets
    frozen, the tree is then static, and there
  • 41:46 - 41:52
    is another log entity, which is brough
    online and used for, including the newer
  • 41:52 - 41:58
    certificates. Quite recently, aviator from
    Google got frozen.
  • 41:58 - 42:01
    It contains 46 million certificates.
  • 42:01 - 42:09
    Small drawback of freezing a
    log: as long as one certificate in this
  • 42:09 - 42:16
    log, in this three is still valid, this
    log needs to be reachable. As soon as all
  • 42:16 - 42:23
    the certificates have been expired, it can
    be dumped. But until that it has to be
  • 42:23 - 42:26
    available for the proofs.
  • 42:28 - 42:35
    One of the issues is that right now
    there are just a few log operators.
  • 42:35 - 42:39
    In the future, there should
    be many more. Not hundred-thousands of
  • 42:39 - 42:47
    them, but maybe hundreds of them. And they
    need to exchange information. Some form of
  • 42:47 - 42:53
    log chatter should appear. The log
    operators chatter with the clients to
  • 42:53 - 43:01
    verify that they all see the same state of
    the Merkle trees. And this has been
  • 43:01 - 43:09
    published in a paper last year. Right now,
    the idea is not yet at a level where they
  • 43:09 - 43:14
    need to chatter, which we will soon see.
    This happens when you create memes on the
  • 43:14 - 43:20
    train. Usually, they are very bad memes.
    This is apparently Gossip Girl, I've never
  • 43:20 - 43:25
    seen it, but if you google gossip and
    meme, ta-da!
  • 43:25 - 43:27
    laughter
  • 43:29 - 43:33
    Who now runs the logs? Who are the
    entities who are actively running logs. Of
  • 43:33 - 43:38
    course, Google is running the majority of
    them. They proposed the entire thing, they
  • 43:38 - 43:44
    wrote the code to run these things, and
    they run the large, open-for-all
  • 43:44 - 43:50
    certificate logs. Three of them are
    currently open-for-all. Another one is for
  • 43:50 - 43:55
    Let's Encrypt certificates, and another
    one is for non Let's Encrypt certificates.
  • 43:55 - 44:00
    Of course, Let's Encrypt issues a lot of
    certificates., thankfully. So they
  • 44:00 - 44:05
    separated that, apparently. If you read
    the mailing list, they promise that these
  • 44:05 - 44:12
    free open-for-all logs are separated
    geographically and administratively. The
  • 44:12 - 44:21
    are run by different entities, but they
    all have the same boss, and it would be
  • 44:21 - 44:30
    better if there were more open logs.
    Symantec has one, Wosign, CNNIC. Everytime
  • 44:30 - 44:34
    Google detects that a fraudulent
    certificate for google.com has been
  • 44:34 - 44:44
    issued, those certification authorities
    are mandated to run CT. Which is a good
  • 44:44 - 44:50
    thing, I mean, public and everything.
    Google has tens of millions of
  • 44:50 - 44:54
    certificates. They really have an
    open-for-all log, so everyone can push
  • 44:54 - 45:01
    certificates in there. DigiCert, Symantec
    is kind of big, but all the other nodes
  • 45:01 - 45:06
    which are listed on the website, they have
    a hundred-thousand-ish certificates, which
  • 45:06 - 45:14
    is not that much compared to 50 million or
    60 millions. Right now, Google already
  • 45:14 - 45:22
    mandates certification transparency for
    extended valiity certificates, so if you
  • 45:22 - 45:28
    not only see the green text up in the left
    corner of your browser, but also some
  • 45:28 - 45:36
    fancy name and big, big green whatever,
    this is an EV cert. And Google mandates
  • 45:36 - 45:44
    for EV certs to have two SCTs. Firefox is
    in the process of including it, I think.
  • 45:44 - 45:53
    Also, apparently, certificate transparency
    works. Because, when Symantec issued this
  • 45:53 - 46:00
    certificate for google.com they released a
    report stating that they found 23 "test"
  • 46:00 - 46:07
    certificates. Symantec said that it issued
    23 test certificates. But the logs are
  • 46:07 - 46:13
    public, anybody can query them. And within
    seconds, you can see that Symantec issued
  • 46:13 - 46:21
    another 164 certificates for other
    domains, and also 2,500 certificates for
  • 46:21 - 46:29
    non-exisisting domains. Just regarding
    this one issue. I need to hurry, time is
  • 46:29 - 46:35
    running out. Some of the downsides of
    certificate transparency. Of course:
  • 46:35 - 46:41
    privacy. People can learn your internal
    hosts, so if you have NAS for example, and
  • 46:41 - 46:46
    this NAS is only reachable within your
    LAN, and you want to get rid of the
  • 46:46 - 46:51
    browser warning whenever you access the
    interface of your NAS, you can get a Let's
  • 46:51 - 46:57
    Encrypt certificate but since not only the
    certificate is published, but also it's
  • 46:57 - 47:04
    logged, people can see in the public log
    file that there is, for your domain, a
  • 47:04 - 47:10
    NAS. Also, log entries must contain the
    entire chain up to a trusted root
  • 47:10 - 47:15
    certificate, which excludes everything
    which is self-signed, and everything which
  • 47:15 - 47:24
    is DANE. DANE is for verifying TLS
    certificates using DNSsec. And since these
  • 47:24 - 47:30
    two have no trusted root, they are currently
    not working for certificate transparency.
  • 47:30 - 47:36
    Now, of course you want to see the data.
    You're gonna play around with this.
  • 47:36 - 47:43
    Basically, what you can query, everything
    is JSON. So, if you know JSON, you can
  • 47:43 - 47:53
    work with certificate transparency. The
    basic URL is like this. The URL is any log
  • 47:53 - 48:01
    server, responds with the current root and
    it's signature, using this URL. Most
  • 48:01 - 48:05
    interestingly, it gives you also the
    number of certificates and the time stamp.
  • 48:05 - 48:12
    It looks then like this. JSON, so you
    have, this is the aviator log from Google,
  • 48:12 - 48:19
    which is now frozen. Has 46 something
    million certificates, the hash value of
  • 48:19 - 48:28
    the Merkle tree, and the signature. Also,
    you can challenge the certification logs
  • 48:28 - 48:35
    with consistency proofs, where you have
    two states of their tree, and the log has
  • 48:35 - 48:41
    to prove that it did not modify anything
    in between them. And of course, you can
  • 48:41 - 48:50
    verify that specific certificate is in the
    tree with the second URL. And you can just
  • 48:50 - 48:55
    push certificates there with a POST
    request. So you push it, they send back
  • 48:55 - 49:01
    the SCT, if you're the log operator, then
    you would include this. Any website which
  • 49:01 - 49:11
    right now is not using SCT all it takes is
    a POST request. Nothing more. Some screens
  • 49:11 - 49:19
    from the internals. This is for google.com
    in the net internals view. What you can
  • 49:19 - 49:28
    see is that signed certificate timestamp,
    the SCT, is received. It is valid. And
  • 49:28 - 49:33
    compliance is checked. So this was for
    google.com. And everything worked out.
  • 49:33 - 49:40
    Last but no least, just to mention it,
    Comodo operates a large search engine,
  • 49:40 - 49:50
    crt.sh. There you can query public logs.
    Also, Facebook recently added a monitor
  • 49:50 - 49:58
    for certificates. So if you own a domain
    name, and you use an entity which - no if
  • 49:58 - 50:05
    you own a domain, you can get updates if
    the certificate changes. The also monitor
  • 50:05 - 50:11
    the public logs and as soon as, for
    example, facebook.com uses a new
  • 50:11 - 50:20
    certificate that is logged in CT, you can
    get a notification for that. This is what
  • 50:20 - 50:24
    it looks like. Remember, Facebook can also
    send PGP-encrypted mails, then nothing
  • 50:24 - 50:32
    leaks to anyone. This screenshot was
    borrowed from Scott Helme. So, what's
  • 50:32 - 50:42
    next? Just a few - One month ago, Google
    announced that it will mandate certificate
  • 50:42 - 50:50
    transparency from October 2017 on. So if
    you run a website which is secured by TLS
  • 50:50 - 50:54
    you might want to check before that date
    whether or not your certification
  • 50:54 - 50:59
    authority is using certificate
    transparency. I would expect to have more
  • 50:59 - 51:07
    logs and more certificates included in the
    logs. In the far future, basically, the
  • 51:07 - 51:13
    idea of transparency and this Merkle tree
    is open for anything. You could put key
  • 51:13 - 51:18
    management software releases, anything in
    there. The team at Google, they also
  • 51:18 - 51:25
    builded a prototype for that, called
    Trillian, and described in the paper
  • 51:25 - 51:27
    "Verifiable Data Structures".
  • 51:27 - 51:29
    Before we
    come to the end and questions,
  • 51:31 - 51:31
    laughter
  • 51:32 - 51:33
    applause
  • 51:38 - 51:42
    There is a distinction. Of course, you
    could solve this problem with blockchain
  • 51:42 - 51:50
    as well. But a Merkle hash tree is much
    more efficient, much more elegant. When I
  • 51:50 - 51:54
    talked to a colleague on the train here,
    he said, of course, you can just push the
  • 51:54 - 51:58
    log into the blockchain.
    Yeah, not the same thing.
  • 51:58 - 52:00
    Thank you!
  • 52:00 - 52:01
    applause
  • 52:11 - 52:14
    Herald: Thank you Martin for a very
    interesting talk! We have a few more
  • 52:14 - 52:18
    minutes left for Q&A, so if you have a
    question, please line up next to the
  • 52:18 - 52:24
    microphones, and ask your question.
    Remember: a question has a question mark
  • 52:24 - 52:30
    at the end. Also, if you're exiting,
    please do so silently and from the front
  • 52:30 - 52:35
    door, thank you. I think we have a
    question over there:
  • 52:43 - 52:56
    Q: Can you recommend some libs or software
    where I can accomplish the TLS handshake
  • 52:56 - 53:02
    from the client side, so I can get the
    SCT, via TLS extension, via OCSP
  • 53:02 - 53:07
    extension, via the inherited
    pre-certificate SCT.
  • 53:07 - 53:15
    M: Not by heart. I mean, if it's part of
    TLS certificate anything will go, OpenSSL,
  • 53:15 - 53:22
    whatever, it's just a field. Same as for
    OCSP, so anything that does OCSP will
  • 53:22 - 53:25
    include it, it's just that clients that do
    not know the extension will just not -
  • 53:25 - 53:32
    they will ignore it. But anything that
    does OCSP or SSL handshake will work.
  • 53:35 - 53:37
    H: Thank you. Question from this microphone.
  • 53:37 - 53:42
    Q: Hello, thank you very much for the nice
    talk. Do you know how much space is needed
  • 53:42 - 53:45
    to store all the logs currently?
  • 53:45 - 53:54
    M: I had the same question, but
    unfortunately not. What they store is the
  • 53:54 - 54:02
    tree, and they store the entire chain,
    excluding the root certificates. So,
  • 54:02 - 54:10
    probably two, three, four certificates per
    entry, which is like - I think you can buy
  • 54:10 - 54:18
    at the regular electronic markets a hard drive
    which is able to fit a lot of those entries.
  • 54:20 - 54:22
    H: Next question from that mic.
  • 54:22 - 54:28
    Q: Yeah, thank you for the talk. Why do
    you need two SCTs for extended validation?
  • 54:28 - 54:36
    M: Because a single entity might cheat. So
    it's like - even though you can detect it,
  • 54:36 - 54:41
    it's still a timeframe left. And if you
    have two SCTs, which are operated
  • 54:41 - 54:46
    independently, the idea is it's not that
    likely that the two will collaborate
  • 54:46 - 54:48
    to make a certificate disappear.
  • 54:48 - 54:50
    Q: Thanks!
  • 54:50 - 54:51
    H: That microphone, yes.
  • 54:51 - 54:55
    Q: I'm actually a bit surprised, because
    Google has been pushing for making the
  • 54:55 - 55:00
    server HELLO as small as possible, and of
    course, this is increasing the server
  • 55:00 - 55:07
    HELLO with, in this case, an SCT, and of
    course, they are also doing OCSP stapling,
  • 55:07 - 55:11
    so that makes it even bigger. And this is
    like a SHA256, so we're talking 256 bits
  • 55:11 - 55:16
    there, plus another one you said that, you
    know, one is not enough. Actually I've
  • 55:16 - 55:19
    never seen that has more than one SCT.
    Have you?
  • 55:23 - 55:24
    M: No.
  • 55:24 - 55:24
    laughter
  • 55:24 - 55:25
    Not yet.
  • 55:25 - 55:27
    Q: I've looked around, but nothing.
  • 55:27 - 55:28
    M: Yeah.
  • 55:28 - 55:32
    Q: It's actually increasing the size. And
    I'm just wondering, where is this going.
  • 55:32 - 55:39
    Are we just gonna eat the costs of having
    all these SCTs and OCSP stapling? Are we
  • 55:39 - 55:40
    prepared to eat that cost?
  • 55:40 - 55:47
    M: I think the cost is small compared to
    the gain you get by HTTP2. So if you pipe
  • 55:47 - 55:52
    anything to one singular connection. I
    think it's not bad of a cost anymore. But
  • 55:52 - 55:57
    of course, this is a policy thing. To
    require a certain amount of SCTs, to
  • 55:57 - 56:02
    prevent fraudulent CAs.
  • 56:02 - 56:08
    Q: Is the idea that this will replace
    something like the SSL observatory, where
  • 56:08 - 56:14
    browsers send in certs they see, and then
    - you nodded, so I assume yes. And then
  • 56:14 - 56:19
    also, how does this work for people who
    can't have their certs be public?
  • 56:19 - 56:21
    For people who are like issuing
    things for internal networks?
  • 56:21 - 56:27
    M: If you can't have the certificate
    public, probably the better way right now
  • 56:27 - 56:34
    is to have a certification authority which
    is not using CT. In the future, it makes
  • 56:34 - 56:40
    it much more expensive to operate your own
    CA, incorporate it in the trust stores.
  • 56:40 - 56:44
    But of course, this is costly. You have to
    sign the certificate and everything.
  • 56:44 - 56:52
    Q: But if like in October 2017, when
    Chrome rejects all certs that don't have
  • 56:52 - 56:54
    signed timestamps like what do I do?
  • 56:57 - 56:58
    M: Use Edge.
  • 56:58 - 57:00
    laughter
  • 57:02 - 57:07
    I'm sure you can disable it somehow,
    but it's blerg.
  • 57:08 - 57:16
    Q: What about if someone tries SCT with
    DHT or other system.
  • 57:16 - 57:18
    Not blockchain, of course!
  • 57:18 - 57:21
    It's possible to do that without
    central authorities?
  • 57:21 - 57:24
    M: Sorry, say again?
  • 57:24 - 57:32
    Q: My English is very bad, I'm sorry. I
    said, it is possible to do that without
  • 57:32 - 57:37
    some central authority, like Google
    or over SCT, but
  • 57:37 - 57:41
    with a distributed hash table,
    like DHT technologies,
  • 57:41 - 57:43
    M: Yes, yes, of course.
  • 57:43 - 57:47
    Q: And are there existing implementations?
  • 57:47 - 57:53
    M: For the centralized thing, yes. Not for
    the distributed thing. But I think it's
  • 57:53 - 58:00
    just adding a layer of DHT on top of it.
    So I'm sure you can think of a browser
  • 58:00 - 58:06
    extension which uses the DHT to obtain
    SCT. But right now it's just purely
  • 58:06 - 58:08
    centralized. But the source is open.
  • 58:08 - 58:09
    Q: OK, thank you.
  • 58:11 - 58:15
    Q: I was just curious how it works if you
    have a certificate which gets revoked, in
  • 58:15 - 58:20
    context of the tree. Especially if the
    tree is frozen. So how does this work?
  • 58:20 - 58:25
    How do you revoke a certificate with a
    tree, and then how does it work if it's
  • 58:25 - 58:27
    frozen already.
  • 58:27 - 58:37
    M: Good question! The goal of CT is not
    - it's not about revocation. So whether
  • 58:37 - 58:44
    revocation path is taken regularly. So you
    ask OCSP. It's independent of the
  • 58:44 - 58:48
    revocation thing. It's just publicly
    saying that this certificate has been
  • 58:48 - 58:57
    issued. So removing a certificate from the
    tree, which has been removed - revoked, is
  • 58:57 - 59:01
    not part of the specification. This is not
    the use case. It's just logging the
  • 59:01 - 59:03
    certificates which have been issued.
  • 59:03 - 59:08
    Q: But if you audit all the logs, and you
    want to know if something is, like going
  • 59:08 - 59:11
    on that shouldn't be going on, wouldn't
    you want to know whether the certificate
  • 59:11 - 59:13
    has been revoked at some point?
  • 59:13 - 59:20
    M: Yes, but not in the logs. The logs are
    just to prove that the CA has issued this
  • 59:20 - 59:27
    certificate, and to prove that the log has
    correctly logged it. Revocation is
  • 59:27 - 59:33
    different. Usually, OCSP stapling with the
    CA, but that's a different channel. So
  • 59:33 - 59:35
    this is not for certificate transparency.
  • 59:35 - 59:37
    Q: Thank you!
  • 59:37 - 59:39
    H: That's all the time we have for Q&A.
  • 59:39 - 59:41
    Big round of applause again for
    Martin for a great talk!
  • 59:41 - 59:43
    applause
  • 59:43 - 59:46
    postroll music
  • 59:46 - 60:08
    subtitles created by c3subtitles.de
    in the year 2017. Join, and help us!
Title:
Everything you always wanted to know about Certificate Transparency (33c3)
Description:

more » « less
Video Language:
English
Duration:
01:00:08

English subtitles

Revisions