Re: Notes on Certificate Transparency

Dear Marc,

> I thought CT was for auditing purposes and an investigative tool rather than an MITM prevention mechanism.

That is the most it can be used for, but unfortunately that is not how Google advertises it:

From their home page [1]:

Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system ...
If left unchecked, these flaws can facilitate a wide range of security attacks, such as website spoofing, server impersonation, and man-in-the-middle attacks.

From their "What is CT?" page [2]:

Specifically, Certificate Transparency has three main goals:

Make it impossible (or at least very difficult) for a CA to issue a SSL certificate for a domain without the certificate being visible to the owner of that domain.
...
Protect users (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.

From Ben Laurie's ACM article [3]:

It becomes impossible to misissue a certificate without detection.


These statements are misleading and/or not true [4].

> How does DNSChain compare to DANE?

DANE is simply a way to include public key fingerprints in DNS records.

DNS is not secure.

DANE + DNSSEC is slightly better, but DNSSEC has the problems outlined in [5], similar to those of X.509.

With DNSChain, public key fingerprints are stored in a blockchain, a distributed database that is much more secure than DNSSEC.

These fingerprints are retrieved via a MITM-proof channel to a DNSChain server. As long as the DNSChain server is trustworthy, all is good.

Any DNSChain server can be used, anyone can run one, and multiple servers can be queried to have greater certainty that the answers are authentic [6].

"Thin clients" or "light clients" can also be used in place of or in combination with DNSChain, but these do not exist yet in any serious capacity, and they have their own technical challenges and deployment issues. The upside of DNSChain is that it can be easily supported on all existing devices.

More info on GitHub:

https://github.com/okTurtles/dnschain/blob/master/docs/What-is-it.md


Cheers,
Greg Slepak
okTurtles Foundation


[1] http://www.certificate-transparency.org/
[2] http://www.certificate-transparency.org/what-is-ct
[3] https://queue.acm.org/detail.cfm?id=2668154
[4] https://blog.okturtles.com/2014/09/the-trouble-with-certificate-transparency/
[5] https://github.com/okTurtles/dnschain/blob/master/docs/Comparison.md#dnssec
[6] http://simondlr.com/post/94988956673/an-intro-to-dnschain-low-trust-access-to

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
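As an added illustration of what "public key fingerprints in DNS records" means in practice (my own example, not code from this thread or from the DNSChain or DANE projects): the comparison a DANE client performs against a TLSA record for the end-entity usage, following the field layout of RFC 6698. The certificate and SPKI bytes are constructed placeholders; the field constants are the RFC's own values.

```python
import hashlib
import hmac
import struct

# Field values defined by RFC 6698 (real constants, not assumptions).
USAGE_DANE_EE = 3   # usage 3: trust this end-entity key directly
SELECTOR_FULL = 0   # selector 0: match the whole certificate (DER)
SELECTOR_SPKI = 1   # selector 1: match only the SubjectPublicKeyInfo (DER)
MATCH_FULL = 0      # matching type 0: association data is the raw DER
MATCH_SHA256 = 1    # matching type 1: SHA-256 of the selected data
MATCH_SHA512 = 2    # matching type 2: SHA-512 of the selected data

SAMPLE_CERT_DER = b"\x30\x82constructed-certificate-bytes"  # constructed stand-in, not real DER
SAMPLE_SPKI_DER = b"\x30\x59constructed-spki-bytes"         # constructed stand-in, not real DER

def build_tlsa_rdata(usage, selector, matching, data):
    """Encode TLSA RDATA in wire format: three one-byte fields, then the data."""
    return struct.pack("!BBB", usage, selector, matching) + data

def parse_tlsa_rdata(rdata):
    """Split TLSA RDATA into its fields; rejects a record shorter than its header."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than its fixed header")
    usage, selector, matching = struct.unpack("!BBB", rdata[:3])
    return {"usage": usage, "selector": selector, "matching": matching, "data": rdata[3:]}

def association_data(cert_der, spki_der, selector, matching):
    """Compute the value a TLSA record must carry for this certificate."""
    selected = {SELECTOR_FULL: cert_der, SELECTOR_SPKI: spki_der}.get(selector)
    hashers = {MATCH_FULL: lambda b: b,
               MATCH_SHA256: lambda b: hashlib.sha256(b).digest(),
               MATCH_SHA512: lambda b: hashlib.sha512(b).digest()}
    if selected is None or matching not in hashers:
        raise ValueError(f"unsupported TLSA selector/matching type {selector}/{matching}")
    return hashers[matching](selected)

def tlsa_matches(rdata, cert_der, spki_der):
    """True if the presented end-entity certificate satisfies a DANE-EE record."""
    rec = parse_tlsa_rdata(rdata)
    if rec["usage"] != USAGE_DANE_EE:
        raise NotImplementedError("usages 0-2 constrain the CA chain and need a chain walk")
    expected = association_data(cert_der, spki_der, rec["selector"], rec["matching"])
    return hmac.compare_digest(expected, rec["data"])  # constant-time comparison

def demo():
    """The pinned key verifies; a different key presented in its place does not."""
    record = build_tlsa_rdata(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256,
                              hashlib.sha256(SAMPLE_SPKI_DER).digest())
    return (tlsa_matches(record, SAMPLE_CERT_DER, SAMPLE_SPKI_DER),
            tlsa_matches(record, SAMPLE_CERT_DER, b"\x30\x59some-other-key"))
```

The same comparison applies to a fingerprint fetched from a DNSChain server rather than from a TLSA record, which is why the trustworthiness of the source is what the rest of the reply is about.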

On Jan 12, 2015, at 5:26 AM, Marc Fawzi <marc.fawzi@gmail.com> wrote:

> Hi Greg
> 
> I thought CT was for auditing purposes and an investigative tool rather than an MITM prevention mechanism.
> 
> How does DNSChain compare to DANE?
> 
> http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec
> 
> 
> 
> Sent from my iPhone

Received on Monday, 12 January 2015 19:46:49 UTC