[SSL Observatory] [Notary] Passive certificate notarization by an IDS; divergent query protocols
Zack Weinberg
zackw at cmu.edu
Tue Mar 5 11:52:57 PST 2013
On Wed, Feb 27, 2013 at 9:05 PM, Matthias Vallentin <vallentin at icir.org> wrote:
>> Before I sit down and pound out a bunch of code, I was wondering if
>> anyone has already written something that does this (ideally for Bro,
>> but we could talk about other IDSes as well).
>
> Since recently the master branch of Bro contains a script "notary.bro"
> [1] that does exactly what you are looking for: it SHA-hashes X.509
> certificates flying by and asks the ICSI notary via DNS whether (i)
> the notary deems a certificate valid, (ii) when it has been seen the
> first time, (iii) the last time, (iv) and how many days in between.
> This extra information then goes into the ssl.log file that you may
> already know. This relatively new script has only gone through basic
> unit testing, so any feedback would be highly appreciated.

Thanks for the pointer; I had checked out the master branch but
somehow failed to notice that script. It looks like it will do what I
want at least on paper; I will experiment and let you know how it
goes.

> In the context of real-time monitoring of a large number of
> certificates, we needed to resort to a decentralized and scalable
> protocol, for which DNS fits perfectly well. We did not want to
> reinvent a custom distribution layer because DNS with its caching
> abilities provides all we need.
...
The big problem I have with the DNS-based protocol is that if you get
a negative response for a certificate fingerprint, there's no way to
ask the notary what it thinks the certificate _should have been_ for
that host+port. This is important for e.g. recognizing when a change
is due to normal replacement of an expired certificate.
Now, the flip side of that is that a query "what certificate for this
host+port?" is more privacy-sensitive than a query "what do you think
of the certificate with this fingerprint?" But I suspect that an
eavesdropper on the client will be able to figure out everything
anyway.
zw
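The fingerprint lookup described in the quoted text, as an added example that is not part of the original message or of Bro's notary.bro: it builds the DNS query name from a certificate hash and parses a TXT answer into the four facts listed there. The zone name, the use of SHA-1, and the key=value TXT layout with day-number timestamps are assumptions made for illustration.

```python
import hashlib

# Assumptions (not from the post): the zone name, SHA-1 as the hash, and the
# key=value TXT layout with day-number timestamps are illustrative.
NOTARY_ZONE = "notary.example.org"
REQUIRED = ("first_seen", "last_seen", "validated")


def query_name(cert_der: bytes, zone: str = NOTARY_ZONE) -> str:
    """Name to query: hex digest of the DER certificate as the leftmost label."""
    return f"{hashlib.sha1(cert_der).hexdigest()}.{zone}"


def parse_answer(txt):
    """Turn a TXT answer into the four facts the quoted text lists.

    txt is None when the resolver returned no record for the fingerprint.
    """
    if txt is None:
        # Negative answer: the query carried only a fingerprint, so nothing in
        # the exchange says which certificate was expected for the host+port.
        return {"known": False}
    fields = dict(pair.split("=", 1) for pair in txt.split() if "=" in pair)
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"malformed notary answer, missing {missing}")
    first, last = int(fields["first_seen"]), int(fields["last_seen"])
    if last < first:
        raise ValueError("last_seen precedes first_seen")
    return {
        "known": True,
        "valid": fields["validated"] == "1",
        "first_seen": first,
        "last_seen": last,
        "days_between": last - first,
    }


if __name__ == "__main__":
    cert = b"constructed stand-in for DER certificate bytes"
    print(query_name(cert))
    # Constructed sample answer, not captured from a real notary.
    print(parse_answer("version=1 first_seen=15387 last_seen=15646 validated=1"))
    print(parse_answer(None))
```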