
Ben Laurie's original paper on Certificate Transparency proposed that clients (browsers) should "gossip". In particular, it proposed that when a browser connects to a web server, it should send to the server the latest signed tree head from a Certificate Transparency log. This enables comparing what different browsers are seeing, and enables detecting some attacks where the CT log server equivocates and serves different logs to different entities. However, the paper also mentions that this idea is tentative and still being explored.

Was anything like this ever implemented and adopted? What was the ultimate decision on gossip?

nobody
D.W.

2 Answers


Doesn't look like gossiping is going to happen at scale

I think Emily Stark is in charge of CT on the Google Chrome side. And I think CT was largely a Google brainchild, so she is probably a good person to listen to.

And she wrote a nice primer on CT last year:

Gossip is mentioned as such:

There has been an attempt to define gossip protocols for exchanging STHs, but they haven’t been widely deployed yet. Most likely, centralization will turn out to be key. It’s not particularly likely that every browser user will gossip STHs with every other browser user, but it is more feasible for a handful of browser vendors to gossip with one another and then distribute these gossiped STHs to their users.

And she posted a CT thread on Twitter yesterday:

There gossiping is NOT mentioned. Instead it's about SCT auditing. Which, if I understand correctly, does mostly the same job as gossiping: it verifies consistency.

Most relevant tweet there:

4/ While SCT auditing has been talked about for years, no browser that I know of has ever actually deployed it.

Something a little older: Andrew Ayer blogged in 2018:

and he mentioned this:

In March 2017, SSLMate started operating the world's second Certificate Transparency gossip endpoint (Graham Edgecombe gets credit for the first) to provide further resiliency to the Certificate Transparency ecosystem.

And he points to Graham Edgecombe's site:

And there are only three gossip monitors listed in total. So not a lot. (But maybe I'm confusing the centralized vs. decentralized gossip again, here.)

StackzOfZtuff
    LOL -- the point of gossip is to further de-centralize CT accountability (ie that browsers are all seeing the same thing from their respective subnets?). So _"Most likely, centralization will turn out to be key."_ is amusing. – Mike Ounsworth Mar 04 '21 at 15:51
  • @MikeOunsworth: Kinda. They seem to have given up on that original idea, yeah. – StackzOfZtuff Mar 04 '21 at 21:36

Searching for the term 'gossip' in the Chromium and Firefox sources gives no relevant results. Nor can I find any other reference to gossip in browsers elsewhere. So I believe browsers have not implemented any form of gossip yet.

In fact, there has been no ultimate decision on gossip yet, since RFC 6962 says that all CT clients should gossip, and that the exact mechanism for gossiping will be discussed in another document. However, as yet, there is only an (expired) IETF draft on this, no RFC.

Also note that CT clients include monitors and certificate submitters, not just browsers.

However, some form of gossiping has been implemented. SSLMate has a lightweight Python script called CT-Honeybee which allows gossiping by pulling SCTs from a hardcoded list of logs and sending them to two "auditors":

and

ct.grahamedgecombe.com further gossips these with Chromium STHSets and Google's monitors. So basically, there is no official version of gossiping yet, but some people are gossiping around informally (and you can participate in the fun!). However, since browsers do not participate, the effectiveness may be somewhat limited.

nobody
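Both the gossip exchange the question describes (clients comparing the signed tree heads they have seen, so a log that serves different views to different parties can be caught) and the SCT auditing the answers mention (checking that a certificate the log promised to include is actually in the tree behind a signed tree head) come down to verifying RFC 6962 Merkle proofs. The following is an added example, not code from the question, the answers, CT-Honeybee, Chromium or any log server: it builds a toy RFC 6962 tree over constructed "cert-*" entries, gives one client a forked history, and shows what a gossip consistency check and an SCT inclusion audit return in each case. Signatures on the tree heads are left out; an STH here is just (tree_size, root_hash).

```python
"""Toy RFC 6962 Merkle tree log: inclusion and consistency proofs, a gossip-style
split-view check and an SCT-audit check. Added example with constructed entries."""
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 2.1: leaves get a 0x00 prefix, interior nodes 0x01, so a leaf can never
    # be passed off as an interior node.
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    # largest power of two strictly less than n (the k of RFC 6962 section 2.1)
    return 1 << ((n - 1).bit_length() - 1)

def root_hash(leaves: list) -> bytes:
    # MTH(D[n]) over a list of leaf hashes; the empty tree hashes the empty string
    if len(leaves) <= 1:
        return leaves[0] if leaves else hashlib.sha256(b"").digest()
    k = _split(len(leaves))
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))

def inclusion_proof(leaves: list, m: int) -> list:
    # PATH(m, D[n]) (RFC 6962 2.1.1): sibling hashes from leaf m up to the root
    n = len(leaves)
    if n <= 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(leaves[:k], m) + [root_hash(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [root_hash(leaves[:k])]

def verify_inclusion(leaf: bytes, m: int, n: int, proof: list, root: bytes) -> bool:
    # Recompute the root from leaf m and its path; the path is consumed top-down.
    def climb(m, n, proof):
        if n == 1 or not proof:
            return leaf if n == 1 and not proof else None
        k, sib, rest = _split(n), proof[-1], proof[:-1]
        sub = climb(m, k, rest) if m < k else climb(m - k, n - k, rest)
        if sub is None:
            return None
        return node_hash(sub, sib) if m < k else node_hash(sib, sub)
    return 0 <= m < n and climb(m, n, proof) == root

def consistency_proof(leaves: list, m: int) -> list:
    # PROOF(m, D[n]) (RFC 6962 2.1.2): shows the size-m tree is a prefix of D[n]
    def sub(leaves, m, full):
        n = len(leaves)
        if m == n:
            return [] if full else [root_hash(leaves)]
        k = _split(n)
        if m <= k:
            return sub(leaves[:k], m, full) + [root_hash(leaves[k:])]
        return sub(leaves[k:], m - k, False) + [root_hash(leaves[:k])]
    return sub(leaves, m, True)

def verify_consistency(m: int, n: int, proof: list, old_root: bytes, new_root: bytes) -> bool:
    # Recompute both MTH(D[m]) and MTH(D[n]) from the proof and compare with the STHs.
    def walk(m, n, proof, full):
        if m == n:  # old tree reached: its root is known (full) or carried in the proof
            if full:
                return (old_root, old_root) if not proof else None
            return (proof[0], proof[0]) if len(proof) == 1 else None
        if not proof:
            return None
        k, sib, rest = _split(n), proof[-1], proof[:-1]
        if m <= k:
            r = walk(m, k, rest, full)
            return None if r is None else (r[0], node_hash(r[1], sib))
        r = walk(m - k, n - k, rest, False)
        return None if r is None else (node_hash(sib, r[0]), node_hash(sib, r[1]))
    return 0 < m <= n and walk(m, n, proof, True) == (old_root, new_root)

def sth(leaves: list, n: int) -> tuple:
    # A signed tree head minus the signature: (tree_size, root_hash)
    return (n, root_hash(leaves[:n]))

def gossip_check(mine: tuple, peer: tuple, log: list) -> str:
    # A client holding STH `mine` learns STH `peer` through gossip and asks the log
    # (its claimed full history as leaf hashes) for a proof reconciling the two.
    if mine[0] == peer[0]:
        return "consistent" if mine[1] == peer[1] else "split-view: same size, different root"
    (m, old_root), (n, new_root) = sorted((mine, peer))
    if verify_consistency(m, n, consistency_proof(log[:n], m), old_root, new_root):
        return "consistent"
    return "split-view: no valid consistency proof"

def audit_sct(entry: bytes, index: int, head: tuple, log: list) -> bool:
    # SCT auditing: the log promised to include `entry`; check it against STH `head`.
    n, root = head
    return verify_inclusion(leaf_hash(entry), index, n, inclusion_proof(log[:n], index), root)

# Constructed data: an honest history and a forked one that diverges at index 3.
HONEST = [leaf_hash(e) for e in (b"cert-A", b"cert-B", b"cert-C", b"cert-D", b"cert-E")]
FORKED = [leaf_hash(e) for e in (b"cert-A", b"cert-B", b"cert-C", b"cert-X")]

def demo() -> dict:
    return {
        "honest_catch_up": gossip_check(sth(HONEST, 3), sth(HONEST, 5), HONEST),
        "forked_vs_honest": gossip_check(sth(FORKED, 4), sth(HONEST, 5), HONEST),
        "same_size_fork": gossip_check(sth(FORKED, 4), sth(HONEST, 4), HONEST),
        "audit_ok": audit_sct(b"cert-D", 3, sth(HONEST, 5), HONEST),
        "audit_missing": audit_sct(b"cert-X", 3, sth(HONEST, 5), HONEST),
    }
```

Run `demo()` to see the three outcomes: a client that only lags behind gets a valid consistency proof and accepts the newer head; a client whose head came from the forked view cannot be reconciled, because the honest log's proof recomputes a different size-4 root; and two heads of equal size with different roots are a split view on their own, which is the case gossip was designed to surface. The audit half shows the same tree machinery applied to a single certificate: an inclusion proof verifies against the head only for an entry the log really holds.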