 I'm very excited to be here. I guess you are too. And we will get started with our first talker for the day. He is a security researcher at SBA Research, and he's also a member of CCC Vienna. The talk we'll be hearing today is everything you always wanted to know about certificate transparency. And with that, I will pass on the stage. Please give a warm welcome to Martin Schmidiker. Thank you very much for this kind words and this very nice introduction. As already said, I'm a member of CCC Vienna. I'm also on Twitter, so if you have a comment afterwards or want to ping me, if you find a typo in the slides or whatever, just ping me on Twitter. So what is this talk about? What are we going to talk about? Certificate transparency is kind of a new thing in the TLS ecosystem, so not many people are familiar that it is here. So I will present the overview, what is CTE and what it does, and also we'll peek under the hood and see what it actually does, how it works, and how you can play with it. So one of the things I have to say about myself, I'm a keen fan of internet memes. So even though these are hilarious pictures, personally I find hilarious pictures that I put online, keep in mind that HTTPS is a serious topic. So whether you do net banking, you're googling or whatever you do online, HTTPS is there to protect your privacy and to protect your security. And in some states, and this has been shown by history, this is not a case, so there are nationwide introspecting devices which break open the TLS encryption and look at the content and people will get a visit from secret police or anything and they will knock on their door and arrest them just like this week happened in Turkey where people got arrested for posting things on Facebook. So even though there are some funny pictures in there, keep in mind that this is just a means to an end for my presentation. I personally find HTTPS is a very important topic. I hope I convinced you too and CTE in particular is fascinating. So why is there something like certificate transparency? Like the name says it all, if you are a certification authority, you want to make public the certificates you sell or you issue. And with many good stories and with many good tools, it all started with a hack. Back in 2011, there was this Dutch certification authority called Diginotar and they got phoned. They get really, really badly phisted. They lost everything. They lost all their crown jewels. And as part of this hack, there were 500 something fraudulent certificates issued and not just any certificates, not just like let's encrypt where you can get a free certificate and then use it for your internal systems or for your website or whatever. No really, really high value domains and high value certificates like Google.com, Very Privacy Invasive. If you can read what people are Googling or what they are sending in their emails. WindowsUpdate.com, which is like the back door to some of the Windows world. Mozilla.com, the attacker could manipulate the Firefox download, sign it with the certificate and ship it over a securely seeming website, Tor project and so forth. So this was back in 2011 and this was not just a small incident, it just hasn't been a small CA but it was a regular CA with regular business. What's more on this hack is that these certificates have been used to intercept communication of clients, people browsing the web, reading their email and the company which investigated the breach afterwards found out that at least 300,000 IP addresses were connecting to Google.com and we're seeing this fraudulent certificate. 99% of them which were from Iran. So it was kind of a nation state attack against clients of either ISP based or a border gateway based where people were browsing were thinking they were browsing secured by HTTPS but they were actually not. This is a wonderful frame from the video. So the guys from Fox IT which investigated this breach they use the OCSP request. So every time you get a certificate your browser has to somehow figure out whether or not this certificate is still valid. If it has been revoked it would be nice to not use it anymore and one of the approaches which is used is so-called OCSP. So the client asks the certificate authority hey, is this still valid? And this have been locked. So each of these requests is one of the clients seeing this certificate, this fraudulent certificate and asking Digenotar hey, is this certificate still valid? And as you can see most of the connections it's actually a movie so you can see the lights flickering and popping up and down as people go to sleep and wake up again and most of the people were from Iran. So how did Digenotar got hacked? They got really, really badly hacked because they had vulnerabilities everywhere. They had a system running which was incomprehensibly insecure for a certification authority. So people think that if you run a certification authority you build the foundation for secure communication online. You are the one securing internet communication and if you run such an entity people think you know security. Actually, Digenotar did not. So they had unpatched software which was facing the internet might happen. They didn't have antivirus on the machines that issued this certificate. They didn't have a strong password for their admin accounts. So like password or admin. Actually, you can read the report online and the recommendations from Ines from the European security body. They listed all the things that have been found and identified. Also all the certification issuing servers were in one Windows domain and also what kind of bad from Digenotar they kept the incident secret. Of course, they did not want it to spread out to spoo into the internet. Hey, we got hacked and we have had bad security. They kept this incident hidden for more than two months. And after two months when it got public and when the internet found out then actually something really, really bad happened. They found out and Digenotar then went bankrupt. That's a sad ending of the story. But this is not one of the problems that certification authorities face. So if you run a certification authority you issue certificates based on the identity of your customers. So you can create sub-root CAs so you can say, hey, Martin, he looks like a nice guy. He looks like he knows security. Let's make him a CA and make him verify identities. Yeah, probably not a good idea, but this is what the business model of HTTPS and certification authority is. They issue certificates and they grant the permission to issue certificates as well. And the entire goal of these companies is to get into the trust stores. So every browser, every operating system, every thing that connects over TLS has something like a called trust store where it stores the entities which are entitled to issue certificates. And the problem is those CAs are not strictly audited. They have their requirements that they have fulfilled. They have to show that they have some kind of security, but afterwards once they are certified and once they are in the trust stores there's not such a strong incentive to audit them because they are already in trust stores and they had their audits and so forth. And this can lead to many problems. Another CA trust wave in 2011, it issued a sub-CA certificate. So any one with a sub-CA certificate can issue any domain, can issue a TLS certificate for any domain, and they used it for traffic introspection. So they were selling, I don't know, to a company which was building appliances which can break open the network connections for, I don't know, banks, companies, or entire ISPs so that they can look into the traffic of its users. Also there was Lenovo SuperFish, wonderful idea. SuperFish was a local man in the middle CA and the goal of the SuperFish CA was to break open HTTPS traffic so that they can inject ads. So even though you're using Gmail and you have this nice slick interface without obvious ads, SuperFish would break open this connection, would be trusted by the browser, and would have huge overlay ads with, yeah. Lenovo stopped cooperating with SuperFish, I think they made, this was pre-installed on Lenovo notebooks. So they had a local CA installed on the system so they could inspect the traffic and show ads to users. What's even more interesting is that all these CAs had the same key and the private key was in RAM. So anybody could extract the private key of this CA, use it to sign certificates for anything and have an additional layer of HTTPS injection where you could not only show ads but also read the emails or do whatever you want, very bad, they're not doing it allegedly anymore. Then there was in China, the CNNIC, they issued a sub CA for introspection companies. Again, company wanted to sell appliances where they could break open HTTPS connections and look into the traffic of the users. And there was another incident just this year, Symantec was issuing test certificates to a company or whatever, among them Google.com, Opera.com, so things you probably not would like to test, got caught. And the nice thing about this incident is they already had certificate transparency installed and we will come back to this incident in a minute. So traffic introspection is a valid thing. So if you have a fleet of planes and they are connected via expensive satellite connections and you really pay a lot for bandwidth, you would like to block, for example, Netflix or anything which causes a lot of traffic. One of the approaches which was taken by Gogo, they had traffic introspection device in their planes and they issued non-trusted certificates to inspect the traffic. Bad for them, Adrian Portafelt, who works for Google, noticed this and Gogo is not doing this anymore. Yeah, and even though traffic introspection sounds like a really bad thing, I can think of use cases where this is legit. If you run a company, if you run a bank and you wanna prevent people from leaking data, this can be okay, but it has to be transparent. People have to know that this is happening, that they are inspecting everything and still won't prevent people from carrying out the USB thumb drive with all the data on it. So this is the big picture why we need certificate transparency. We would like to see which certificates have been issued by a specific CA. Some minor issues, not really minor, that additionally come to place that TLS has its issues, nonetheless whether these certificates are issued or not. One of them is certificate revocation is tricky. So it's not as easy as just saying this certificate is not valid anymore. Once a certificate is issued, it is valid until the date shown in the certificate, which can be three years. So happens to be if on the first day of using this certificate, people notice we should revoke it. Clients that don't get this update will be able to use this certificate for two and more years so forth. Also another limitation is that all CA's can issue certificates for all websites. So any of those 1,800 CA's and sub CA's which were in trust stores in 2013, they can all issue a certificate for Google.com or Facebook.com. This is not prevented by any means, but social means and contracts, which states that they have to check the legitimacy of the request. This was published in a paper in 2013, so there are more than 1,800 CA's which can sign certificates for any domain in regular user devices. Another paper in 2014 found out that one third of them, one third of those 1,800 certification authorities never issued a single HDPS certificate. This makes you wonder why are they then in the trust store and so forth. You can claim a certain percentage of them, they are used for issuing private certificates, so within networks or whatever. Still one third of them never issued a publicly obtainable HDPS certificate. Then of course there are the implementation issues. TLS has a long history of implementation flaws, not just cryptographic, there's logjam, freak, poodle, whatever. They are a completely separate issue, but the implementation issues are troubling the device security on a constant pace. Famous example is GoToFail from iOS, where they had an additional GoToFail missing bracket and the certificate validity wasn't checked. Also, we have a lot of embedded devices. Once they are powered up, they used to generate their private key and they have no access to good entropy. Entropy on embedded devices is surprisingly hard. So a lot of them generate the same keys. And as already mentioned, we have different trust stores per browser, per operating system. Everyone has a different trust base. So of course every CA tries to get access into all of the trust stores, get shipped with system updates to be trusted, and yeah, we have a diversity which is not natural. Could be much easier if people would have the same trust base on all their devices. And there are plenty of deployment issues. SSLv2, everybody thinks it's that, but apparently it's not. Sebastian Schinsel will give a splendid presentation two hours from now about the drown attack and the drown attack uses SSLv2 weaknesses in email transport. Simply because it's activated and it uses the same key, you can attack top-notch TLS 1.2 encryption because this is still here. There's the whole schmawfu of the SHA-1 certificates. So certification authorities are not supposed to issue any SHA-1 certificates anymore. Some do, some get caught because they backdated their certificates and so forth. It's a mess. Then there are Cyphus suits. So there are more than 500 Cyphus suits available for the different version of TLS. Every admin would like to be secure as possible, but which should he choose? As soon as there's money involved like Amazon or they need to be compatible with Internet Explorer 6 and so forth. It's really a mess. Yes, and of course email, start TLS. Email never had the design to incorporate security and authentication. So as always, they just popped it on top and this is start TLS. Problem with start TLS is it can be suppressed and people will fall back to plain text if they cannot reach the service with start TLS. Perfect, forward secrecy and so forth. Deployment is another topic which can be a talk about. And there's this troublesome development that the CAs, they get bought and they get sold constantly. So just this year, Symantec bought the company Blue Code. Blue Code, so Symantec is one of the larger CAs. They run the entire, not the entire, but they run large parts of the certifications that are observable. Blue Code got popular in the Arab Spring because they found Blue Code proxies which are capable of using man and middle attacks to conduct traffic introspection have been used at an ISP, I think in Syria or Egypt. They found them and they have been deployed nationwide. So if you think about it, that Symantec, one of the larger CAs is buying a Blue Code, one of the larger traffic introspection companies, things can look really fishy or scary. Of course they promise they will never use the Symantec, yeah. So this is the state we're in. This is fine. It's not, but people still think about it, that HBS is safe, and actually it took a decade to teach people that they have to search for the lock icon. But if they do not understand, or actually they do not need to know how the lock icon appears, but the entire lock icon is far as if you dig into the details and yeah, we're all sitting in a room filled with flames, so to say. So this is where Certification, Certificate Transparency comes into play. Certificate Transparency has the goal to identify fraudulent certification authorities. In a perfect world, any certification authority would publish all its locks, would publish all the certificates it issues. So as soon as I get a certificate for Schmideka.net, the certification authority, this is public, this is part of the public private key, it can be public. So wouldn't it be nice if the CA would publish that it just issued a certificate for Schmideka.net? Basically yes, of course, certification authorities do not want this to happen, in particular if they're selling to funky states or funky businesses which earned their money with traffic introspection and so forth. So the perfect world would be the public key of each certificate would be published, the certification authority could say, hey, I just issued this certificate and everybody could see it, could verify it and it would be, well, a better world. Yeah, this would help to detect problems very early. So if a small Dutch certification authority would issue a certificate for Google.com or Torproject.com, this would be noticeable. I mean, this is a small CA, they would be really, I don't know, they should be really surprised if Google.com decides to issue a certificate for their service. This would shorten the window of opportunity for an attacker. Also, the idea is to have some form of punishment for misbehaving CAs. So at the moment right now, if a certification authority fucks up and Google is affected, they mandate that they need to have additional steps to be reintroduced into the trust stores. Yeah, so this is what Google did. They did the Power Ranger move and they decided they want to make the internet more secure. Why Google? Well, Google is uniquely positioned in a way that they control the clients with the browsers with the Android system and they also control a large portion of the servers. So everyone uses Google except for those that use Bing and other, no, just kidding. What Google did is once the DigiNotar hack got public, they pinned their certificates. So since Chrome has a decent update cycle, they can ship the certificates which they expect to see with the browser update. So as soon as browser updates in the background, it can enforce the specific certificate that it expects to see for Google.com, YouTube.com, and whatever. Also, it has a really huge market share, 50% and more depending on how you count. Chrome and Chromium are rather popular. And lastly, they are a common target. So if some dictator decides to introspect client emails, user emails, usually they target Gmail.com because they have a decent security, they do not have any other vulnerabilities or backdoors to allow access to their content, and which makes the attack to Gmail a very drastic attack. And with the changes that Google introduced into Chrome with the certificate pinning, they can now detect these attacks. But this was already back in 2011. Since then, for example, the Portafelt tweet I show you, if Chrome would go to a website, Google.com or YouTube.com, and would see a fraudulent certificate, they would warn the user. And what Google then did was to propose a standard to make an RFC, how to transparently publish the logs for certificates that have been issued. So the idea of the RFC is that every certificate issued is public. This is implemented in a public append only log. So they have a log, they have open APIs and they accept every certificate. Then cryptographically assured, the client, like the browser, can verify that this is a publicly logged certificate and the entire system is open for all. So you can go to the website, you can get the source code, you can run your own log for RFC 6962, and everyone is happy. So, and the goals were to detect misbehaving CAs. As I said, they have their audits, they have their compliance regulations and so forth, but not on the certificate level. With certificate transparency, they become auditable by the public, by the browsers. Everyone can query the logs and see whether or not this particular certification authority has issued a certificate for Google.com. All right, now upon reading the RFC, there are three entities which are part of certification transparency. Therefore, one, the logs, which are like giant vacuum cleaners. They ingest all the certificates which are sent to them and then cryptographically sign them and issue the assurance that this specific certificate has been logged and this has been issued and has not been tampered with and so forth. Then there are monitors, they identify suspicious certificates, usually these are the certification authorities themselves which run those monitors and then there are the auditors. The auditors usually are implemented in the browser and they verify that the issued certificates are really logged and looking at them in detail. The role of the monitor and the auditor is kind of interchangeably, so monitor can be an auditor back and forth, but what the monitor does is it fetches all the certificates. So you have this giant pool of certificates, they are cryptographically assured which we will see soon and the monitor just fetches them all and they have some form of semantic checking. They can see, has there been a certificate for my domain? Has there been any sub-CA created which is able to issue certificates for traffic introspection and so forth? Also what they can then with this data do is they can identify misbehaving log operators. I said the logs, they are just gigantic hoovers which collect all the certificates and they need auditing too of course. They need, they have a position of power because they're managing this huge pool of certificates and one needs to challenge the log to identify misbehavior and this can be done by the monitors, can also be done by the auditors. So every client right now it's implemented in Chrome. Chrome checks for these certification transparency cryptographically signed blocks and the browsers and everything, they can verify the log integrity of well. So in the backend, the log, it creates a hash tree, this hash tree is signed and we will come to that in a second, I got lost here. Yes, so both monitors and auditors, they query that the log entity is working correctly. It wouldn't be a good thing if China could go to Google and say to them, hey, we would like to have this certificate removed, Google could then comply or could not comply but whether they remove the certificate, this would be auditable and this would be observable to the public. So the good thing is anyone can run any software, any one of you in this room can run a log entity, you need to have some kind of access to certificates so whether you're a certification authority or you can just run a public log and everybody can push their certificates to your service. Right now this is not the case, usually the CAs run the monitors and they run the logs but this is not by design, anybody can run anything. One of the problems is availability. So even though I can set up a log for certificates, I have the problem that my log needs to be online 24 seven and my ISP is not happy if I ask him to guarantee this for me if I don't pay much, much, much more. So how does it work? Currently if you get a certificate, you go to the certification authority, you say, hey, I'm this wonderful domain, please could I get a certificate and then you get the certificate. What's additionally happening with certification transparency is that the CA upon issuing the certificate, this can be any CA, this can be let's encrypt, this can be authority, semantech, you name it. What they do is they send the certificate once they issued it. They send the certificate to one of the logs. The log then sign the successful reception of the certificate and immediately send something back. This blob is called the SCT, the signed certificate timestamp and this can then be included in the certificate or with other ways. But key point here is that once the server installs this certificate, it also installs this SCT so that browsers can see it and parse it. Yeah, some people I might have lost here. Nonetheless, everything is easier in pictures. So right now currently, and these are the pictures from the certification transparency website, thanks for making them. My tick skills are really not that good, so I would never have been able to make such beautiful graphs. So currently there's the certification authority, it issues a certificate and the website then installs it in the correct directory. The clients check it and encryption can happen. The additional step and this is the nice thing, it can happen without any additional steps on the server side and the client side, it's just that the certification authority needs to do an additional step. So instead of just issuing the certificate, they send the certificate to the logs. The logs immediately sends back the so-called SCT, the signed certificate timestamp and this is then included in the certificate which is shipped to the client. And then the client, if it supports it, can ask the server whether or not this particular certificate is included or not. The things that come back from the log, they are signed, they have an ID and they have a timestamp. These are the important things. They need to be included in those SCT. Also what will be interesting in the future is that certificate can have multiple log entries. So the SCTs like a promise, the log operator promises to include this certificate in its logs and everybody can check afterwards then if this log has really publicly logged or if the authority has omitted to log it. In the future, it will be the case that many SCTs can be within a certificate. So I can, if I am a certification authority, I can go to any log operator, send them every certificate I have and then include many, many SCTs. And the SCT is not private. This is just an ID, it's a timestamp and it's a signature. Yeah, this is probably too much. There are multiple ways for the client to verify that this certificate has an SCT. So one of the methods, for example, is OCSP stably. Right now, if you have a certificate instead of going to the CA, the server can staple the OCSP request signed by the CA and within this OCSP stapling, there can also be the SCT included. How does it work on the log side? Everything there is is a Merkle hash tree. A Merkle hash tree is a wonderful data structure. It's nothing new, it's nothing fancy and it's not the blockchain. The Merkle hash tree, it looks, it's a binary tree. So every node has two children and the hash value of an inner node depends on the two children. So usually it's the concatenation of the values of the two children gets hashed again up to the root. Makes it very space efficient because if I want to verify the integrity of one entire tree, all I have to check is the hash value of the root. Then, of course, I can get all the relevant hash values and then I can reconstruct it. CT uses SHA-256 Merkle tree and as I said, everything below a certain node is responsible for the hash value. So if you remove a node, if you add a node or if you relocate a node, the hash values of all the upper nodes get changed. So each of the log operators, additionally to the promise that it will include every certificate that it receives, it also gives a promise on the maximum merge delay. So the SCT, this promise to include this certificate chain into the log, it can only finish immediately because it's a promise to include this into the log. And the maximum merge delay is the time that the log operator promises to include it in the big, big Merkle hash tree. The good thing about the Merkle hash tree is despite being very space efficient, calculation efficient, not that much data overhead and so forth, it's not possible to backtake elements. This was interesting for one of the certification authority which issued SHA-1 sign certificates even though the browsers and everyone agreed that this should not happen anymore. It's also not possible to remove elements that have been once in there. So if Symmetek decided to remove the Google.com certificate, which was a test certificate, this would be noticeable as well because if you remove one of the leaves, the hash values up to the root, they all change. And it's also not possible to add elements. So if you would like to add an element unnoticeably, you cannot do this because the hash values of all the upper nodes would change. Yeah, so how do the logs operate? What they usually do is once every hour, they receive the certificates and once every hour, they include them into their Merkle hash tree. Probably already too much detail, but they build a separate tree and then include it and recalculate the root hash value which is then signed and shipped. And the nice thing about the Merkle tree is that you have multiple ways of proving things. So one of the things that can be proved is that whether or not this log operator is honest. So if a log operator removes one of the certificates, this becomes visible by changing all the relevant nodes. Yeah, also it's very efficient. Also figure from the project's website. So on the left side, you have a Merkle tree with some added certificates, some appended certificates. And if a monitor or an auditor decides to challenge the log operator at a later point in time, whether or not these certificates, D6 and D7 have been correctly added, all the log operator has to send are those highlighted nodes. This is the root. This is the thing that is signed, for example, every hour. This is public. The certificates, they are public because like there are certificates. And if now someone wants to verify that not only these have been included, this is very easy because they just have to calculate all the way up. But also verify that all the other certificates are still there. So none of the old certificates has been removed. There only needs to be three hash values transmitted. And then the challenger can recalculate everything. So as soon as the challenger knows those hash values, they can conkinate everything back together. And in the end, it should have the same hash value as the root. Another proof that is possible is that whether a specific certificate is still in the log. So it's not only possible to challenge the consistency of the entire log regarding old data, but it's also to verify that a specific certificate is still in the logs or made it into the logs. Remember, the SCT, the thing that finishes immediately, is just the promise to include it in the logs. And at the later point in time, the anyone, any auditor can challenge the log operator if the certificate is really in the log. So again, if I want to verify that a specific certificate is in the log, I have the certificate that I would like to challenge, then I just need in this example those three nodes and everything else, the J-node can be calculated because I have the certificate, then I have the hash of the certificate. I need this hash, then I can calculate this value and so forth until I'm at the root. So much for under the hood, Merkel hash tree are gone. One of the problems of those logs they are ever-growing, you might have noticed there is not a single word of deleting a certificate for valid reasons, they are ever-growing and of course, nothing is forever. So what log operators do is that they rotate the logs. So at a specific point in time, the log gets frozen, the tree is then static and there is another log entity which is brought online and used for including the newer certificates. Quite recently, Aviator from Google got frozen. It contains 46 million certificates. Small drawback of freezing a log is that as long as one certificate in this log, in this tree is still valid, this log needs to be reachable. As soon as all the certificates in the log have been expired, it can be dumped but until that, it has to be available for the proofs. One of the issues is that right now there are just a few log operators. In the future, there should be many more, not hundreds, thousands of them but maybe hundreds of them and they need to exchange information. So some form of log chatter should appear where the log operators chatter with the clients to verify that they all see the same state of the Merkel trees and this has been published in a paper last year. Right now, the idea is not yet at a level where they need to chatter, which we will soon see. This happens when you create memes on the train. Usually, they're very bad memes but this is apparently gossip, girl. I've never seen it but if you Google gossip and meme, ta-da. So, who now runs the log? Who are the entities which are actively running logs? Of course, Google is running the majority of them. They proposed the entire thing. They wrote the code to run these things and they run the large open for all certificate logs. Three of them currently are open for all. Another one is for let's encrypt certificates and another one is for non-let's encrypt certificates. Of course, let's encrypt issues a lot of certificates, thankfully, so they separated that apparently. If you read the mailing list, they promise that these three open for all logs are separated geographically and administratively, so they are run by different entities but again, they all have the same boss and some way there would be, it would be better if there would be more open logs, so to say. Sumantec has one woe sign CNNIC. Every time Google detects that a fraudulent certificate for Google.com has been issued, those certification authorities are mandated to run CT, which is a good thing, I mean, public and everything. Also, from Google has tens of millions certificates in them. They really have an open for all log so everyone can push certificates in there. Digitec, Sumantec is kind of big but all the other nodes which are listed on the websites, they have 100,000-ish certificates which is not that much compared to 50 million or 60 millions. Right now, Google already mandates certification transparency for extended validity certificate. So if you not only see the green text up in the left corner of your browser but also some fancy name and the big, big green, whatever, this is an EV cert and Google mandates for EV certs to have two SETs. Firefox is in the process of including it, I think. Yeah. Also, apparently certificate transparency works because when Sumantec issued this certificate for Google.com, they released a report stating that they found 23 test certificates. Sumantec said it issued 23 test certificates but the logs are public, anybody can query them and within seconds you can see that Sumantec issued also another 164 certificates for other domains and also two and a half thousand certificates for non-existing domains, just regarding this one issue. So I need to hurry, time is running out. Some of the downsides of certification transparency of course privacy, people can learn your internal hosts. So if you have a NAS for example and this NAS is only reachable within your LAN and you wanna get rid of the browser warning whenever you access the interface of your NAS, you can get a Latin Crypt certificate but since not only the certificate is published but also it's logged, people can see in the public log files that there is for your domain and NAS. Also, log entries must contain the entire chain up to a trusted root certificate which excludes everything which is self-signed and everything which is Dain. Dain is for verifying TLS certificates using DNSSEC and since these two have no trusted root, they are currently not working for certificate transparency. Now, of course you wanna see the data, you wanna see, you wanna play around with this. Basically what you can query, everything is JSON. So if you know JSON, you can work with certificate transparency. The basic URL is like this, the URL is any log server responds with the current root and its signature using this URL. Most interestingly, it gives you also the number of certificates and the timestamp. It looks then like this, JSON, so you have, this is the aviator log from Google which is now frozen, has 46 something million certificates. The hash value of the Merkle tree and the signature. Also you can challenge the certification logs with consistency proofs where you have two states of their tree and the log has to prove that it did not modify anything in between them. And of course you can verify that specific certificate is in the tree with the second URL. And you can just push certificates there with a post request, so you push it, they send back the SCT. If you're the log operator, you would then include this. So any website right now which is not using SCT, all it takes is a post request, nothing more. Yeah, some screens from the internals. So this is for Google.com in the net internals view. What you can see is that signed certificate in time send, the SCT is received. It is valid and compliance is checked. So this was for Google.com and everything worked out. Last but not least, just to mention it, Komodo operates a large search engine, CRT.sh, there you can query the public logs. And also Facebook recently added a monitor for certificates, so if you own a domain name and you use an entity which, no, if you own a domain, you can get updates if the certificate changes. So they also monitor the public logs. And as soon as, for example, Facebook.com uses a new certificate that is locked in CT, you can get a notification for that. This is what it looks like. Remember, Facebook also can send PGP encrypted mails then nothing leaks to anyone. This screenshot was borrowed from Scott Heyman. So what's next? Just few, one month ago, Google announced that it will mandate certificate transparency from October 2017 on. So if you run a website which is secured by TLS, you might want to check before that date whether or not your certification authority is using certification transparency. I would expect to have more logs and more certificates included in the logs. Yeah, in the far future, basically the idea of transparency in this Merkle tree is open for anything. You could put key management, software releases, anything in there. The team at Google, they also build a prototype for that called Trillian and described in the paper verifiable data structure. Before we come to the end and questions, there is a distinction. Of course, you could solve this problem with blockchain as well. But a Merkle hash tree is much more efficient, much more elegant, anything. When I talked to the colleague on the train here, he said, yeah, of course, you could just push the log into the blockchain, but yeah, not the same thing. Thank you. Thank you, Martin, for a very interesting talk. We have a few more minutes left for Q&A. So if you have a question, please line up next to the microphones and ask your question. Reminded that a question has a question mark at the end. Also, if you are exiting, please do so silently and from the front door, please. If you are exiting from the front door, thank you. I think we have a question over there. Okay. Do you can recommend some lifts or software where I can download and where I can accomplish the TLS handshake from the client side so I can get the SCT via TLS extension, via OCSP extension, via the inherited pre-certificate SCT? Not by heart. I mean, if it's part of the TLS certificate, anything will go open SSL, whatever. It's just a field. Same is for OCSP, so anything that does OCSP will include it. It's just that clients that do not know the extension will just not, they will ignore it. But anything that does OCSP or SSL handshake will work. Thank you. A question from this microphone. Hello, thank you very much for the nice talk. I wanna do you know how much space is needed to store all the logs currently? I had the same question, but unfortunately not, no. I can, no. But what they store is the tree and they store the entire chain, excluding the root certificates. So probably like two, three, four certificates per entry, which is like, I think you can buy at the regular electronic markets a hard drive which is able to fit a lot of those entries. Next question from that microphone. Yeah, thank you for the talk. Why do you need two SCTs for extended validation? Because a single entity might cheat. So it's like, even though it's, you can detect it, it's still a timeframe left. And if you have two SCTs which are operated independently, the idea is that it's not that likely that they too will collaborate to make a certificate disappear. Thanks. That microphone, yes. I'm actually a bit surprised because Google has been pushing for making the server hello as small as possible. And of course this is increasing the server hello with, in this case, an SCT. And of course they're also doing, well, they are also doing OCSC taping. So that makes it even bigger. And this is like a SHA-256. So we're talking 256 bits there, plus another one you said that one is not enough. Actually, I've never seen any that has more than one SCT. Have you? No, okay. Not yet. I've looked around, but nothing. So yeah, it's actually increasing the size. And I'm just wondering, where is this going? Are we just gonna eat the cost of having all these SCTs and OCSC taping, or are we prepared to eat that cost? If you, I think the cost is small compared to the gain you get by HTTP2. So if you pipe anything to one singular connection, I think it's not that of a cost anymore. But of course, this is a policy thing to require a certain amount of SCTs to prevent fraudulent CAs, yeah. Yes. Is the idea that this will replace something like the SSL observatory where browsers send in certs they see, and then, you nodded, so I'm gonna assume yes. And then also like, how does this work for people who can't have their certs be public, for people who are like issuing things for internal networks? If you can't have the certificate public, probably the better way right now is to have a certification authority which is not using CT. In the future, it makes it much more expensive. So you have to operate your own CA. You can incorporate it in the trust stores. But of course, this is costly. You have to sign the certificate and everything. But if like for, in October 2017, when Chrome rejects all certs that don't have signed timestamps, like what do I do? Use Edge. I'm sure you can disable it somehow, but it's broiler, yeah. Just a question. What about the decentralized SCT with DHT over system? Not blockchain, of course. It's possible to do that without some trial authorities? Sorry, say again. My English is very bad, I'm sorry. No. I say it is possible to do that without some trial authority like Google or over SCT, but with distributed HTable like DHT technologies? Yes, yes, of course. And there are an existing implementation? For the centralized thing, yes. Not for the distributed thing. But I think it's just add in a layer of DHT on top of it. So I am sure you can think of a browser extension which uses the DHT to obtain the SCTs. But right now it's just purely centralized, but the source is open. Okay, thank you. Hey, so I was just curious how it works if you have a certificate which gets revoked in context of the tree, especially if the tree is frozen. So how does this work? How do you revoke a certificate with a tree and then how does it work if it's frozen already? Good question. So the goal of SCT is not about revocation. So whether the revocation path is taken regularly, so you ask OCSP, it's independent of the revocation thing. It's just publicly saying that this certificate has been issued. So removing a certificate from the tree which has been revoked is not part of the specification. This is not the use case. It's just logging the certificates which have been issued. But if you audit all the logs and you want to know if something is going on, it shouldn't be going on. Wouldn't you want to know whether the certificate has been revoked at some point? Yes, but not in the logs. The logs are just to prove that the CA has issued this certificate and to prove that the log has correctly logged it. Revocation is different. Usually OCSP is stapling with the CA, but that's a different channel. So this is not for certificate transparency. Thank you. Okay, that's all the time we have for Q&A. Big round of applause again for Martin for the talk.