Security Experts:

Certificate Transparency: Small Town Gossip Can Save Web Users' Privacy

Certificate Transparency Gives Hope That Trust in PKI and SSL Will be Redeemed...

SSL is the cryptographic protocol that enables secure communication over the Internet. One of SSL's key features is protecting users from attackers that impersonate popular web services. Establishing that trust between the user and the web server is essential for enabling confidential communication which is the cornerstone of many Web applications, such as e-commerce sites, web banking services and webmail. In order to build that trust, SSL cryptographically verifies the website’s (digital) certificate. The procedures and resources required to manage the certificate’s life cycle (i.e. create, distribute, use, store and revoke) is called the Public-Key Infrastructure (PKI).

While SSL’s cryptography has been tested over the years and proven to be rather solid, the protocol stands on the very shaky foundations of the PKI. PKI related problems were at the heart of many recent SSL security incidents. As a result, many different theoretic solutions for fixing PKI security issues were suggested, but no actual progress has been made. However, a new proposal called "Certificate Transparency" has gained momentum and gives hope that trust in PKI and SSL will be redeemed.

Understanding the Current PKI Issues

To verify the authenticity of a web server’s identity, a digital certificate is used. A web browser uses SSL to cryptographically verify the site’s (digital) certificate and makes sure it was properly issued by a known Certificate Authority (CA). PKI provides a scalable "chain of trust" structure, enabling the browser to know only a limited set of CAs (often referred to as “Root CAs”) in order to verify the authenticity of the of the server. The anchor of the chain of trust is the Root Certificate Authority's (CA) digital certificate. The root CA can delegate the ability to trustfully sign certificates to the next links of the chain (intermediate CAs) by signing their certificates.

SSL Chain of Trust Depicted with Star Trek NG
Figure 1 - SSL Chain of Trust Depicted with Star Trek NG (Image Credit)

The main problem that PKI suffers from is the fact that any CA can create a certificate to ANY site unbeknownst to the original site! As a result, the strength of SSL becomes the strength of the weakest link in the PKI chain of trust, which is the most insecure CA. This fact has been abused by attackers numerous times to create fraudulent certificates in order to masquerade as legitimate sites. The most well-known incident is perhaps the DigiNotar attack. In the attack, attributed to the Iranian government, fraudulent certificates to top sites (Google, Facebook and others ) were issued and later used to eavesdrop to Iranian originated web traffic.

Certificate Transparency: Gossip Can Save PKI

This PKI weakness has not escaped the eyes of researchers and many solutions have been proposed (PDF), but none have gained much traction in the field. However, lately it seems that the Google-backed "Certificate Transparency" has gained much momentum and may have a real chance to amend the battered PKI.

The intuition behind Certificate Transparency is simple: Masquerading can only happen in an "urban" environment, where the city is big enough for the attacker to fool enough people without getting caught. In a small town environment, where everyone knows and gossips about everyone, the lie gets exposed quickly, thus making lying economically inefficient for the liar. As Lincoln's famous quote suggests: "You can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time."

Certificate Authority Adds the Logging of Certificates

Certificate Authority Adds the Logging of Certificates (Image Credit)

Technically, Certificate Transparency introduces central logging functionality into the SSL and PKI environment. Each CA can report ("gossip") a newly issued certificate to the certificate log server(s) and receive a signed certificate timestamp (SCT), which is a proof that the certificate was submitted to the logger.

The logger provides the desired transparency and transforms the "urban" environment into a "small town" one, in which every new certificate is gossiped about. CAs can now monitor the logging server to make sure no one had fraudulently issued certificates on their behalf, web site owners can ensure nobody created additional rogue certificates to their sites, and browsers can trust only "well known", already "gossiped" certificates.

While this solution does not technically prevent attacks like the DigiNotar attack, as CA attackers can still report the fraudulently issued certificate to the logging server, but it makes them very non worthwhile as the attack is discovered very quikcly by the different parties that monitor the central log(s).

Why Will Certificate Transparency Succeed?

The main reason is that Certificate Transparency architecture is appropriate to serve as an update to one of the Web's most sensitive features. It is not an "all or nothing" solution. The changes to the existing protocol are minor and can be deployed gradually. Old versions of SSL will continue to work, while new versions that support Certificate Transparency will be able to enjoy its benefits.

Secondly, Certificate Transparency enjoys the backing of Google. Google had utilized its engineering power to deploy the needed certificate log servers and also updated its Chrome browser (version 33) to support it.

Certificate Transparency

Certificate Transparency in the Field (chrome 33)

When two of the triangles' corners (log server and browser support) are already implemented by Google, it makes it very easy for the last corner of the triangle, the CAs, to join in. And indeed some major CAs have announced their support for Certificate Transparency.

It seems that once more sunlight is proven to be the best disinfectant, this time by using transparency via gossiping to heal PKI infections.

Insight: Is Your Enterprise Managing Certificates? Three Reasons It Should Be.

Insight: Aberdeen Research: Encryption, Without Tears

Industry ReportCost of Failed Trust Report

view counter
Tal Be’ery is a Senior Security Research Manager in Microsoft, formerly the VP of Research at Aorato (acquired by Microsoft), developing Microsoft Advanced Threat Analytics (ATA). Previously, Tal managed various security project teams in several companies. Tal holds a B.Sc and an M.Sc degree in Electrical Engineering and Computer Science and is a Certified Information Systems Security Professional (CISSP). He is the lead author of the TIME attack against HTTPS, has been a speaker at security industry events including RSA, Blackhat and AusCERT and was included by Facebook in their whitehat security researchers list. (Twitter: @talbeerysec)