Certificate Transparency Root Explorer - Nikita Korzhitskii, Niklas Carlsson - PowerPoint PPT Presentation
Certificate Transparency Root Explorer
Nikita Korzhitskii, Niklas Carlsson

Web Public Key Infrastructure (WebPKI)
- Root certificates of trusted Certificate Authorities, e.g. GlobalSign Root CA, Amazon Root CA, GoDaddy Root CA
- Root CAs issue Intermediate certificates to themselves or to other organizations (slide examples: Telia CA, KTH CA, McDonalds CA, Foo AB CA, Bar GmbH CA)
- Leaf certificates at the bottom of the chains are issued for domains, e.g. google.com, liu.se, fb.me, mozilla.org, xkcd.com, github.io, kth.se, mit.edu, *.linkoping.se
- Which leaf certificates a client can validate depends on the roots in its root store:
  Client w/ Root Store 1: google.com, liu.se, fb.me, mozilla.org
  Client w/ Root Store 2: google.com, liu.se, fb.me, mozilla.org, xkcd.com, github.io, kth.se, mit.edu
  Client w/ Root Store 3: github.io, kth.se, mit.edu, *.linkoping.se
[Slide diagrams: a chain tree of Root 1-3, Intermediate 1-7 and Leaf 1-9, with Root stores 1-3 trusting different roots]
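To make the root-store point concrete, here is an added example (not code from the slides or from the Root Explorer project) that models certificates as plain (subject, issuer) records and builds issuer paths from each leaf up to a trusted root. The chain layout is constructed so that it reproduces the three client outcomes on the slide, including a cross-signed intermediate; it is not the deck's exact diagram, and real path validation additionally checks signatures, validity periods, name constraints and revocation, none of which is modelled here.

```python
"""Toy WebPKI model: which leaf certificates validate under which root store.

Added example, not part of the original slides. Certificates are reduced to
(subject, issuer) records; signatures, validity periods, name constraints and
revocation are deliberately not modelled. The chain layout is constructed to
reproduce the slide's three client outcomes; it is not the deck's own diagram.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str           # subject, e.g. "Intermediate 4" or "github.io"
    issuer: str | None  # issuer subject; None for a self-signed root


# Constructed chains. "Intermediate 4" is cross-signed: one copy is issued by
# Root 2 and one by Root 3, so its leaves chain to whichever root a client trusts.
CERTS = [
    Cert("Root 1", None), Cert("Root 2", None), Cert("Root 3", None),
    Cert("Intermediate 1", "Root 1"), Cert("Intermediate 2", "Root 1"),
    Cert("Intermediate 3", "Root 2"),
    Cert("Intermediate 4", "Root 2"), Cert("Intermediate 4", "Root 3"),
    Cert("Intermediate 5", "Root 3"),
    Cert("google.com", "Intermediate 1"), Cert("liu.se", "Intermediate 1"),
    Cert("fb.me", "Intermediate 2"), Cert("mozilla.org", "Intermediate 2"),
    Cert("xkcd.com", "Intermediate 3"),
    Cert("github.io", "Intermediate 4"), Cert("kth.se", "Intermediate 4"),
    Cert("mit.edu", "Intermediate 4"),
    Cert("*.linkoping.se", "Intermediate 5"),
]

# Constructed root stores (names only; a real store holds the root certificates).
ROOT_STORES = {
    "Root Store 1": {"Root 1"},
    "Root Store 2": {"Root 1", "Root 2"},
    "Root Store 3": {"Root 3"},
}


def issuers_of(name: str, certs: list[Cert]) -> set[str]:
    """All issuer subjects of certificates with this subject (cross-signs give several)."""
    return {c.issuer for c in certs if c.name == name and c.issuer is not None}


def chains_to_trusted_root(name: str, trusted: set[str], certs: list[Cert],
                           seen: frozenset[str] = frozenset()) -> bool:
    """Depth-first path building: does some issuer path from `name` end at a trusted root?"""
    if name in trusted:
        return True
    if name in seen:  # guard against issuer loops in malformed input
        return False
    return any(chains_to_trusted_root(i, trusted, certs, seen | {name})
               for i in issuers_of(name, certs))


def validatable_leaves(store_name: str, certs: list[Cert] = CERTS,
                       stores: dict[str, set[str]] = ROOT_STORES) -> list[str]:
    """Leaf certificates (subjects that never act as issuer) a client with this store accepts."""
    issuer_names = {c.issuer for c in certs}
    leaves = {c.name for c in certs if c.name not in issuer_names}
    trusted = stores[store_name]
    return sorted(leaf for leaf in leaves if chains_to_trusted_root(leaf, trusted, certs))


if __name__ == "__main__":
    for store in ROOT_STORES:
        print(f"Client w/ {store}: {', '.join(validatable_leaves(store))}")
```

The same walk is what a CT log performs against its own root list when deciding whether to accept a submitted chain, which is why a log whose root store lacks a vendor's root cannot log certificates issued under it.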
Certificate Transparency
- An internet standard, RFC 6962
- Append-only logging of issued certificates
[Slide diagram: the same chain tree, with issued certificates being submitted to Log 1, Log 2 and Log 3]

Certificate Transparency (in practice)
[Slide diagram: the chain tree with Root stores 1-3; Log 1 w/ Root Store 1, Log 2 w/ Root Store 2, Log 3 w/ Root Store 3, i.e. each log accepts only chains that end at a root in its own root store]
Certificate Transparency
- A CT log is a signed binary append-only Merkle tree of certificate chains
- Any party can submit certificates
- Logs can be checked for consistency
- Initially developed and adopted by Google
- Recently adopted by Apple
- Most CAs log their certificates upon issuance
- CT extends beyond WebPKI to RPKI
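The "append-only Merkle tree" and "checked for consistency" bullets are easiest to see in code. The following is an added example, not the authors' or any log operator's implementation: it computes the RFC 6962 Merkle Tree Hash, generates a consistency proof between an older and a newer tree head (RFC 6962 section 2.1.2), and verifies it with the algorithm from RFC 9162 section 2.1.4.2. The leaves are constructed byte strings standing in for logged certificate chains; the tamper test shows that rewriting an already-logged entry breaks consistency, which is what a monitor checks to detect a log that is not append-only.

```python
"""RFC 6962 Merkle Tree Hash and consistency proofs (added example, not the paper's code).

Leaf and node hashing follow RFC 6962 section 2.1:
  leaf = SHA-256(0x00 || data), node = SHA-256(0x01 || left || right).
Proof generation follows RFC 6962 2.1.2 (SUBPROOF); verification follows the
iterative algorithm in RFC 9162 2.1.4.2. Leaves below are constructed bytes.
"""
from __future__ import annotations

import hashlib


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def mth(leaves: list[bytes]) -> bytes:
    """Merkle Tree Hash of an ordered list of entries."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return node_hash(mth(leaves[:k]), mth(leaves[k:]))


def consistency_proof(m: int, leaves: list[bytes]) -> list[bytes]:
    """Proof that the tree over leaves[:m] is a prefix of the tree over all leaves."""
    if not 0 < m <= len(leaves):
        raise ValueError("need 0 < m <= n")
    return _subproof(m, leaves, True)


def _subproof(m: int, d: list[bytes], b: bool) -> list[bytes]:
    n = len(d)
    if m == n:
        return [] if b else [mth(d)]
    k = _split(n)
    if m <= k:
        return _subproof(m, d[:k], b) + [mth(d[k:])]
    return _subproof(m - k, d[k:], False) + [mth(d[:k])]


def verify_consistency(first: int, second: int, first_hash: bytes,
                       second_hash: bytes, proof: list[bytes]) -> bool:
    """True iff the tree of size `second` extends the tree of size `first` without rewrites."""
    if first == second:
        return first_hash == second_hash and not proof
    if not 0 < first < second or not proof:
        return False
    path = list(proof)
    if first & (first - 1) == 0:      # first is a power of two: old root is itself a node
        path.insert(0, first_hash)
    fn, sn = first - 1, second - 1
    while fn & 1:                     # skip the lowest levels where both trees agree
        fn >>= 1
        sn >>= 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False              # proof longer than the tree allows
        if fn & 1 or fn == sn:
            fr = node_hash(c, fr)     # c is a left sibling shared by both trees
            sr = node_hash(c, sr)
            while fn != 0 and not fn & 1:
                fn >>= 1
                sn >>= 1
        else:
            sr = node_hash(sr, c)     # c is a right sibling only in the newer tree
        fn >>= 1
        sn >>= 1
    return fr == first_hash and sr == second_hash and sn == 0


if __name__ == "__main__":
    entries = [b"chain-%d" % i for i in range(7)]      # constructed stand-ins for chains
    old, new = mth(entries[:5]), mth(entries)
    print("consistent:", verify_consistency(5, 7, old, new, consistency_proof(5, entries)))
```

A monitor that remembers (tree_size, root_hash) from an earlier signed tree head and asks the log for a consistency proof to the current head can run exactly this check; a `False` result means the log either dropped or altered entries it had already committed to.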
Applications of Certificate Transparency
- Connection verification
- Detection of misissued certificates
- Detection of active phishing, other domains (privacy issues)
- Representation of the Internet structure
- Many more…
We are interested in end-to-end security applications of CT
Certificate Transparency Root Explorer
...is a tool for exploring certificate stores. One can visualize intersections, compare, parse, search and export certificate information. An SQLite database of logs and roots can be imported and exported. CT logs can be scanned online. Available root stores (snapshot from 27th December, 2018): Mozilla, Microsoft, Apple and multiple Certificate Transparency Logs. Requirements: Chrome or Chromium browser. By default, only logs operated by Google are available for live log scanning: the remaining logs do not set the CORS response headers that would allow a browser page to fetch from them.
GitHub: nikita-kun/certificate-transparency-root-explorer
The dataset
- Collected on December 27th, 2018
- 56 CT logs (54 were mentioned in Google’s list of known logs)
- 3 Vendor Root Stores
- 802 Root/Intermediate Certificates
"In order to enable attribution of each logged certificate to its issuer, the log SHALL publish a list of acceptable root certificates (this list might usefully be the union of root certificates trusted by major browser vendors)." (RFC 6962)
Certificates in root stores of CT logs and their relation to major vendor root stores
Fraction of trusted vendor certificates not covered by CT logs
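The two figures (fraction of vendor roots not covered by any log, and intersections of root stores) come down to set operations over root fingerprints. The following added example, which is not the Root Explorer's own code, parses the JSON that RFC 6962's GET /ct/v1/get-roots endpoint returns ({"certificates": [base64 DER, ...]}), identifies each root by the SHA-256 of its DER encoding, and computes the uncovered fraction and the pairwise intersection sizes. The get-roots bodies, the "DER" byte strings and the vendor store are all constructed placeholders (the real study used Mozilla, Microsoft and Apple stores and 56 logs); fetching the endpoints server-side also sidesteps the CORS limitation the browser tool faces.

```python
"""Root-store coverage and intersections from CT logs' get-roots responses.

Added example, not the Root Explorer's own code. RFC 6962 section 4.7 defines
GET /ct/v1/get-roots returning {"certificates": [<base64 DER>, ...]}. Everything
below marked "constructed" is placeholder data: the DER values are plain byte
strings, since only their fingerprints are needed for set comparison.
"""
from __future__ import annotations

import base64
import hashlib
import json
from itertools import combinations


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, the usual stable identity of a root across stores."""
    return hashlib.sha256(der).hexdigest()


def parse_get_roots(body: str) -> set[str]:
    """Fingerprints of the roots a log accepts, from a get-roots JSON body."""
    return {fingerprint(base64.b64decode(c)) for c in json.loads(body)["certificates"]}


def uncovered_fraction(vendor: set[str], logs: dict[str, set[str]]) -> float:
    """Share of a vendor store's roots that no log in `logs` accepts (0.0 for an empty store)."""
    covered = set().union(*logs.values()) if logs else set()
    return len(vendor - covered) / len(vendor) if vendor else 0.0


def intersection_sizes(stores: dict[str, set[str]]) -> dict[tuple[str, str], int]:
    """|A ∩ B| for every pair of stores: the numbers behind an intersection diagram."""
    return {(a, b): len(stores[a] & stores[b]) for a, b in combinations(sorted(stores), 2)}


# --- constructed sample data (placeholders, not real certificates) ---
PLACEHOLDER_DER = {f"root-{i}": f"placeholder DER for root {i}".encode() for i in range(1, 9)}


def _get_roots_body(names: list[str]) -> str:
    """Build a get-roots response body in the RFC 6962 shape from placeholder roots."""
    certs = [base64.b64encode(PLACEHOLDER_DER[n]).decode() for n in names]
    return json.dumps({"certificates": certs})


LOG_BODIES = {  # constructed: what two logs might answer to get-roots
    "log-a": _get_roots_body(["root-1", "root-2", "root-3", "root-6"]),
    "log-b": _get_roots_body(["root-2", "root-3", "root-4", "root-7"]),
}
VENDOR_STORES = {  # constructed vendor store; a real one comes from the vendor's dump
    "vendor-x": {fingerprint(PLACEHOLDER_DER[f"root-{i}"]) for i in range(1, 6)},
}


def analyse(log_bodies: dict[str, str] = LOG_BODIES,
            vendors: dict[str, set[str]] = VENDOR_STORES) -> dict:
    """Uncovered fraction per vendor store and pairwise intersections across all stores."""
    logs = {name: parse_get_roots(body) for name, body in log_bodies.items()}
    return {
        "uncovered": {v: uncovered_fraction(s, logs) for v, s in vendors.items()},
        "intersections": intersection_sizes({**vendors, **logs}),
    }


if __name__ == "__main__":
    result = analyse()
    for vendor, frac in result["uncovered"].items():
        print(f"{vendor}: {frac:.0%} of roots not accepted by any log")
    for (a, b), n in result["intersections"].items():
        print(f"|{a} ∩ {b}| = {n}")
```

With the constructed data, one of the five vendor roots (root-5) is accepted by neither log, so certificates issued under it cannot be logged anywhere in this sample; that is the situation the "not covered" figure measures for real stores.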
Intersections of Logs' root stores
Intersection of root stores by Mozilla, Microsoft and Apple (top); Argon2019, Nimbus2019 and Nessie/Yeti2019 logs (bottom)
Conclusion
- Certificate Transparency is rapidly developing
- As of January 2019, CT logs contained 3 billion entries
- CT is already in your Chrome browser and Apple OSes
- Many potential applications
However:
- The Internet is not fully covered by CT
- Google and Apple rely on logs maintained by 4 operators
➔ Cloudflare, DigiCert, Google and Sectigo