The argument is that CT will reveal all malicious activities, but I believe real attackers will not really care in most of the cases.
Replying to @marver @CopperheadOS
disagree. all scenarios where you assume a bad CA collaborating with the attacker become much less likely, as the CA risks going out of business. for the same reason there's a huge incentive for CAs to fix their shit.
How is it the fault of the CA if an attacker spoofed a DNS record or other authentication method when they checked?
Since this problem exists, a malicious CA can fraudulently issue a certificate with plausible deniability about their culpability. How can you distinguish between an attack on the authentication method vs. the CA disguising it as one? Original topic was MITM of Let's Encrypt.
So, sure, you'll be able to see via CT that someone did a MITM of Let's Encrypt authentication and fraudulently issued a certificate for your site. Once you find that, what happens? Does Let's Encrypt get removed as a CA because DV is fundamentally insecure (not their fault)?
It could also be done via an attack on your DNS registrar. If someone can break into your Namecheap account or compromise them for example, they can get a DV certificate issued and in practice also OV/EV if they put in a bit more effort since they don't really do much better.
Replying to @CopperheadOS @marver
sure, and if someone hacks your webhost they can replace your website. but there's nothing TLS can do about this. it protects your transport, not your infrastructure.
The DNS registrar is not your infrastructure and neither is every single CA that's able to issue a certificate for your site and then suggest that there was a MITM of the DV authentication when it's discovered. There's no way to demonstrate that they did it maliciously.
CT fundamentally cannot provide the kind of accountability that you're claiming it provides. Let's say that Comodo fraudulently issues a certificate for http://copperhead.co and we see it in the CT logs. What happens then? They can say they did DV authentication and it passed.
Maybe they genuinely did do DV authentication and an attacker faked it via MITM. How exactly are they going to be held accountable? There's no way of even providing strong evidence that they did anything wrong if they fake it because the authentication isn't at all secure.
This almost happened with WoSign. Alibaba said they didn't authorize a certificate. WoSign presented HTTP logs, which could have been trivially forged, as proof that they properly validated it. For some reason, Alibaba backed down so the issue was dropped.
Replying to @__agwa @CopperheadOS and
It's bound to happen for real eventually and it's one of my greatest WebPKI fears. I'd love to see verifiability/transparency added to CAA to prevent this.