Recommend that Certificate Transparency Logs reject expired certificates #7

Open
taknira opened this issue Apr 28, 2017 · 0 comments

taknira commented Apr 28, 2017

Potential Attack:

  • Suppose one of the accepted root certs of a CT Log expires on Jan 5 of a year.
  • After Jan 5, the CA who owned the root cert is no longer required to keep the keys for that root certificate secret, or protected in any way [needs citation]. So suppose on Jan 6 an attacker gets hold of the keys for that now-expired root cert.
  • Suppose said attacker then issues loads (for some value of loads that would be too much for a log to handle) of certificates that have a 'Not After' value of Jan 4. These would be already-expired certificates, so are of no use for server impersonation, but could be used to attack a CT Log if it accepts expired certificates.
  • Suppose on Jan 6 the attacker submits all of the loads of certificates to the Log. The Log could be DoS'd into oblivion, and/or filled until it reaches a size greater than the Log can handle.

Mitigation:

Recommend that CT Logs only accept certificates that have a 'Not After' value later than the time of submission to the Log.

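The proposed check, as an added example in Go (not code from this issue or from any CT log implementation). It replays the timeline above: a root expiring Jan 5, a leaf signed with that root's key with NotAfter Jan 4, and a submission on Jan 6. The year 2017, the certificate names and the function names AcceptForLog, MakeCert and ForgeExpiredLeaf are the example's own assumptions; all certificates are generated in-process, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrExpiredAtSubmission: the certificate's NotAfter is not later than the time the log received it.
var ErrExpiredAtSubmission = errors.New("certificate already expired at submission time")

// AcceptForLog is the issue's proposed mitigation: accept a certificate only if its NotAfter is
// later than the submission time. submittedAt must come from the log's own clock; every field of
// the certificate, including its validity window, is chosen by the submitter.
func AcceptForLog(cert *x509.Certificate, submittedAt time.Time) error {
	if !cert.NotAfter.After(submittedAt) {
		return fmt.Errorf("%w: NotAfter=%s submitted=%s", ErrExpiredAtSubmission,
			cert.NotAfter.UTC().Format(time.RFC3339), submittedAt.UTC().Format(time.RFC3339))
	}
	return nil
}

// jan returns midnight UTC on the given day of January of the given year (constructed timeline).
func jan(year, day int) time.Time {
	return time.Date(year, time.January, day, 0, 0, 0, 0, time.UTC)
}

// MakeCert issues a P-256 certificate with the given validity window: self-signed when parent is
// nil, otherwise signed by parentKey. x509.CreateCertificate never checks whether the parent has
// expired, so an expired root's key signs just as well as a live one.
func MakeCert(cn string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ForgeExpiredLeaf replays the issue's timeline in a chosen year (constructed data): a root that
// expires Jan 5, and a leaf signed with that root's key whose NotAfter is Jan 4. It confirms the
// leaf's signature still verifies against the root: expiry is policy, not cryptography.
func ForgeExpiredLeaf(year int) (*x509.Certificate, error) {
	root, rootKey, err := MakeCert("Constructed Root", jan(year, 1), jan(year, 5), true, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, _, err := MakeCert("already-expired.example", jan(year, 1), jan(year, 4), false, root, rootKey)
	if err != nil {
		return nil, err
	}
	if err := leaf.CheckSignatureFrom(root); err != nil {
		return nil, fmt.Errorf("leaf does not chain to root: %w", err)
	}
	return leaf, nil
}

func main() {
	leaf, err := ForgeExpiredLeaf(2017)
	if err != nil {
		panic(err)
	}
	// Jan 6 is the submission day from the issue; Jan 3 shows the same certificate
	// would have been accepted while it was still valid.
	for _, submittedAt := range []time.Time{jan(2017, 6), jan(2017, 3)} {
		if err := AcceptForLog(leaf, submittedAt); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted, submitted", submittedAt.Format(time.RFC3339))
		}
	}
}
```

Two points a log operator would want noted. First, the comparison is a single timestamp check, so it belongs before anything expensive (chain building, deduplication, the Merkle append); that ordering is what turns the flood in the issue into cheap rejections. Second, this is a log-side policy choice rather than a protocol requirement: RFC 6962 explicitly permits a log to accept expired certificates, so a log that adopts the check should say so in its published policy. The same test can be applied to the accepted root the submitted chain resolves to, which covers the variant where the attacker sets the leaf's NotAfter later than the root's own expiry.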