[SSL Observatory] [Notary] Passive certificate notarization by an IDS; divergent query protocols

Zack Weinberg zackw at cmu.edu
Tue Mar 5 11:52:57 PST 2013 

On Wed, Feb 27, 2013 at 9:05 PM, Matthias Vallentin <vallentin at icir.org> wrote:
>> Before I sit down and pound out a bunch of code, I was wondering if
>> anyone has already written something that does this (ideally for Bro,
>> but we could talk about other IDSes as well).
>
> Since recently the master branch of Bro contains a script "notary.bro"
> [1] that does exactly what you are looking for: it SHA-hashes X.509
> certificates flying by and asks the ICSI notary via DNS whether (i)
> the notary deems a certificate valid, (ii) when it has been seen the
> first time, (iii) the last time, (iv) and how many days in between.
> This extra information then goes into the ssl.log file that you may
> already know. This relatively new script has only gone through basic
> unit testing, so any feedback would be highly appreciated.

Thanks for the pointer; I had checked out the master branch but
somehow failed to notice that script.  It looks like it will do what I
want at least on paper; I will experiment and let you know how it
goes.

> In the context of real-time monitoring of a large number of
> certificates, we needed to resort to a decentralized and scalable
> protocol, for which DNS fits perfectly well. We did not want to
> reinvent a custom distribution layer because DNS with its caching
> abilities provides all we need.
...

The big problem I have with the DNS-based protocol is that if you get
a negative response for a certificate fingerprint, there's no way to
ask the notary what it thinks the certificate _should have been_ for
that host+port.  This is important for e.g. recognizing when a change
is due to normal replacement of an expired certificate.

Now, the flip side of that is that a query "what certificate for this
host+port?" is more privacy-sensitive than a query "what do you think
of the certificate with this fingerprint?"  But I suspect that an
eavesdropper on the client will be able to figure out everything
anyway.

zw

More information about the Observatory mailing list