Re: Notes on Certificate Transparency

Hi Greg

I thought CT was for auditing purposes and an investigative tool rather than an MITM prevention mechanism.

How does DNSChain compare to DANE?

http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec



Sent from my iPhone

> On Jan 9, 2015, at 9:05 PM, Tao Effect <contact@taoeffect.com> wrote:
> 
> Dear list,
> 
> Marcos Caceres pointed me to the "Securing the Web" draft document [1] and recommended that I forward some of my observations to the list.
> 
> I skimmed over the document and noticed it mentions Certificate Transparency. We are very concerned about that effort, as explained here (and elsewhere):
> 
> https://blog.okturtles.com/2014/09/the-trouble-with-certificate-transparency/
> 
> We don't believe it solves the X.509 MITM problem, and we're especially concerned that it will create an even more expensive false sense of security in the web. The primary issues are:
> 
> - It's not useful for 99% of websites and sysadmins who cannot be bothered to check all Monitors for mis-issued certificates.
> - It doesn't prevent MITM attacks.
> - People are still expected to pay for certs that do not provide good security. A couple of CAs do offer free certs, but those currently work within the confines of X.509, which, with or without CT, does not prevent MITM attacks. [2]
> - Even if it works exactly as planned, it seems unlikely to result in any meaningful improvement HTTPS security. There's nothing preventing the attacks from happening again.
> 
> 
> Just wanted to share our observations and concerns about CT with the list in case they are at all useful to your work. We are working on an alternative called DNSChain that has stronger security properties and makes secure self-signed certs possible.
> 
> Kind regards,
> Greg Slepak
> okTurtles Foundation
> 
> [1] https://w3ctag.github.io/web-https/
> [2] https://github.com/okTurtles/dnschain/blob/master/docs/Comparison.md
> 
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
> 

Received on Monday, 12 January 2015 13:27:06 UTC