August 2015 Newsletter

(posted to certificate-transparency@googlegroups.com, trans@ietf.org and ct-policy@chromium.org)

We wanted to put an update out to summarize what the Certificate Transparency team at Google is working on as well as other efforts in the space that we are aware of.  There are lots of other great contributions taking place from other organizations and individuals so we apologize for anything that we’ve missed and we’d also love to hear more about them.


Standards work

Achievements:

  • Work continues on RFC6962-bis. Version 8 of the draft was published in July [1].

  • IETF 93 was held in Prague in July, and the following CT presentations took place:

    • “trans” issues update [2] - Eran Messeri

    • CT Attack Model [3] - Steve Kent

    • draft-linus-trans-gossip-ct [4] - Daniel Kahn Gillmor and Linus Nordberg

    • CT for Binary Code [5] - Dacheng Zhang and Daniel Kahn Gillmor

    • Selective Logs [6] - Rich Salz

  • New version of Gossip Internet Draft published in July [7].


Lookahead:

  • We’re very interested in exploring how we make it viable for a site-owner to be able to opt-in to requiring CT, ahead of any general browser-enforced deadlines.  We would welcome participation in helping define what this might look like in a manner that would work well for both browsers and site-owners.


[1] https://tools.ietf.org/html/draft-ietf-trans-rfc6962-bis-08

[2] https://www.ietf.org/proceedings/93/slides/slides-93-trans-3.pdf

[3] https://www.ietf.org/proceedings/93/slides/slides-93-trans-0.pdf

[4] https://www.ietf.org/proceedings/93/slides/slides-93-trans-2.pdf

[5] https://www.ietf.org/proceedings/93/slides/slides-93-trans-1.pdf

[6] https://www.ietf.org/proceedings/93/slides/slides-93-trans-4.pdf

[7] https://tools.ietf.org/html/draft-linus-trans-gossip-ct-02


Log servers

Achievements:

  • Symantec’s log successfully completed compliance testing in August and the process has begun to move this into Chrome’s trusted logs store [1].

  • Testing is underway for one other log server implementation, Venafi.

  • Design doc published for Google’s open source log server [2].

  • README updated with Quickstart instructions for building Google’s open source log server [3].


Lookahead:

  • Google is planning to update the open-source implementation to track the changes made in RFC6962-bis.


[1] http://www.certificate-transparency.org/known-logs

[2] https://github.com/google/certificate-transparency/blob/master/docs/DesignDoc.md

[3] https://github.com/google/certificate-transparency/blob/master/README.md


Client implementations

Achievements:

  • Apple’s new App Transport Security for iOS 9 and Mac OS X 10.11 includes support for Certificate Transparency [1], although we’re not sure exactly what it does yet.  Does anyone reading this have details to share?

  • Chrome 41, released in March of this year, began enforcing the CT requirement for all EV certificates issued after 1 Jan 2015.


Lookahead:

  • Google is working with the Mozilla Foundation and a contractor to build a patch to contribute to Firefox to provide Certificate Transparency support in Firefox.

  • Google is planning to launch a set of DNS servers to be able to handle inclusion proof checking over DNS. The primary motivation for doing so is so that a client (such as Chrome, or other browsers that wish to use this) can perform inclusion proof checks without directly revealing the browsing history of the user to any new parties, including Google. The intent is that the client will receive an inclusion proof by performing a DNS lookup for a TXT record for a specially crafted hostname, via the user’s existing DNS resolver (typically an ISP) which in turn will recurse to eventually service the request from a Google DNS server.  In this manner the client is only revealing the leaf hashes they see (and thus the sites they visit) to their existing DNS resolver, which already (in practically all cases) has just serviced a DNS request for that same site and thus already knows their browsing history.

  • Google is building out log mirrors for all logs included by Chrome, and the intent is that read-only requests from Chrome (for STHes, or inclusion-proofs (via the DNS mechanism above)) will be serviced by a log mirror, rather than the underlying logs.

  • Google is building out Chrome support to include STH fetching, and to use the DNS inclusion proof method outlined above.  We intend to provide more information (including protocol details) as we make progress.

  • Google is working with the OpenSSL community on adding experimental support into OpenSSL client for retrieving and validating all SCTs associated with a TLS connection [2].


[1] https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/

[2] https://github.com/aeijdenberg/openssl/blob/add_get_peer_scts/crypto/ct/README.md



Server implementations

Achievements:

  • haproxy [1], nginx [2] and Apache [3] support serving SCTs via TLS extensions (thanks to Janusz Dziemidowicz, Graham Edgecombe and Jeff Trawick respectively).

  • New section added to Certificate Transparency site to demonstrate how to use these [4].

  • (Apologies this is so specific to Google, but this was a big effort due to the scale of the organization/infrastructure) Google.com properties are now serving SCTs via the TLS Extension.


Lookahead:

  • Google is looking at how to add SCT support to QUIC protocol, which is used to communicate between Chrome and many Google properties.


[1] https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.1-crt

[2] https://github.com/grahamedgecombe/nginx-ct

[3] https://httpd.apache.org/docs/trunk/mod/mod_ssl_ct.html

[4] http://www.certificate-transparency.org/resources-for-site-owners


Monitors

Achievements:

  • Both DigiCert [1] and Comodo [2] have implemented log monitors allowing interested parties to view certificates that are issued for a domain.

  • Matt Palmer released an open-source Ruby framework for building your own monitor [3].


Lookahead:

  • Google is also looking at adding a way to allow interested parties to search for and view certificates found in CT logs.

  • Comodo is planning to release their monitor as open-source.


[1] https://www.digicert.com/certificate-monitoring/

[2] https://crt.sh/

[3] https://github.com/tobermorytech/certificate-transparency-monitor
Comments