Aggregation-Based Certificate Transparency Gossip

Certificate Transparency (CT) requires that every CA-issued TLS certificate be publicly logged. While a CT log need not be trusted in theory, this relies on the assumption that every client observes and cryptographically verifies the same log. As such, some form of gossip mechanism is needed in practice. Despite CT being adopted by several major browser vendors, no gossip mechanism is widely deployed. We suggest an aggregation-based gossip mechanism that passively observes cryptographic material that CT logs emit in plaintext, aggregating at packet processors (such as routers and switches) to periodically verify log consistency off-path. In other words, gossip is provided as a service by the network. Based on 20 days of RIPE Atlas measurements that represent clients from 3500 autonomous systems and 40% of the IPv4 space, our proposal can be deployed incrementally for a realistic threat model with significant protection against split-viewing CT logs. We also show that aggregation-based gossip can be implemented for a variety of packet processors using P4 and XDP, running at 10 Gbps line-speed.
