[cabfpub] FW: [cabfquest] Ballot 114 - Security concerns on verifying "ownership" of .onion domain names

[Ryan Sleevi]

Adrien,

While I unfortunately cannot post your response to the list, I think you
will find that if, in your threat model, you replace "1024-bit .onion key"
with insecure DNS, you will find the same conclusions - or worse.

That is, from a client's perspective, any on-path adversary may me
modifying DNS traffic. Note that DNSSEC doesn't change this - there is
still ample opportunity for on-path tampering (albeit more so through legal
and extralegal means than technical). Likewise, from the point of view of
an issuing CA, there is ample opportunity for a CA to have issued an
attacker a certificate, due to the CA's reliance on DNS.

This does not mean that the effective security of an SSL certificate is
zero. If you apply your logic - that is, that the weakest link is the
.onion name - to DNS, then SSL provides zero effective security for
DNS-based issuances. While there are some more radical parties that would
happily argue that, I do hope that is not the position you would take.

Instead, we should look at it for what it is - an assertion that a party
with practical control over a name has been issued a certificate.

While the certificates issued for these .onion names are not required by
the Forum to be logged in Certificate Transparency logs, they are in
practice required so if someone wants to use these with Chrome. This is not
to suggest that CT serves as a dispute resolution mechanism - both parties
are valid for the domain - it allows the legitimate party (for we are
talking threat models) to be aware of the conflict and take appropriate
steps.

Again, I think it is important to evaluate how issuance presently works for
DNS, despite the attractiveness of focusing on more esoteric aspects such
as factoring. In today's model, an attacker only need gain temporary
control over the DNS to obtain such a certificate, and it would be
virtually unknown (until CT is used for all certificate types). We see
registries hacked on a daily basis, so this is not in the realm of
esoteria. However, with .onion, an attacker who either factored such a key
or generated a collision (the former which, I agree, we should consider
within the realm of well-funded nation states and corporations), then the
best the attacker has done is compromise the DNS. Further, due to the
(effective) logging requirement applying to all of .onion, this provides
_greater_ signal than any issuance possible by any CA today. That is, while
an attacker of DNS can downgrade EV to DV, an attacker of .onion cannot.

I think you will see that these concerns of yours were very much the
forefront of the discussion, and that your conclusions on the effective
security levels or misrepresentation of strength, while well intentioned,
are unfortunately (or fortunately...) off the mark.

Hopefully this will assuage your concerns. As I said, if there is still
conflict or concern, it would be best to think first in terms of "how would
this attack apply to DNS," and explore the similarities and differences.

Cheers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20150301/cfbfc888/attachment.html