Chromium Code Reviews Chromium Code Reviews
Issue 2756633002:
Add documentation for Certificate Transparency in //net (Closed)
| OLD | NEW |
|---|---|
| (Empty) | |
| 1 # Certificate Transparency | |
| 2 | |
| 3 ## Overview | |
| 4 | |
| 5 [Certificate Transparency](http://www.certificate-transparency.org/) (CT) is a | |
| 6 protocol designed to fix several structural flaws in the SSL/TLS certificate | |
| 7 ecosystem. Described by [RFC 6962](https://tools.ietf.org/html/rfc6962) and | |
| 8 the ongoing work in [RFC 6962-bis](https://datatracker.ietf.org/doc/draft-ietf-t rans-rfc6962-bis/), | |
| 9 it provides a means of providing a public, append-only data structure that | |
| 10 can log certificates issued by [certificate authorities](https://en.wikipedia.or g/wiki/Certificate_authority) (CAs). | |
| 11 By logging these certificates, it becomes possible for site operators to | |
| 12 detect when a certificate may have been issued for their domain without their | |
| 13 approval, and allows browsers and the wider ecosystem to verify that CAs | |
| 14 are following their expected and disclosed practices. | |
| 15 | |
| 16 ## Certificate Transparency Basics | |
| 17 | |
| 18 Broadly speaking, the goal of supporting Certificate Transparency is to ensure | |
| 19 that certificates that an application trusts will be publicly disclosed in a | |
|
Eran Messeri
2017/03/16 12:10:28
very small nit: that ... that
Can the 2nd 'that'
Ryan Sleevi
2017/03/16 14:10:35
Yup. Thanks
| |
| 20 way sufficient for site operators and application developers to ensure that | |
| 21 nothing is wrong. | |
| 22 | |
| 23 At its most basic level, it's possible to simply introduce Certificate | |
| 24 Transparency logs as trusted third parties, much like CAs are trusted third | |
| 25 parties. If the logs are operated by CAs, this may not be much of a security | |
| 26 improvement, but if the logs are operated by non-CA entities, this might serve | |
| 27 as a sufficient counter-balance to the risks. | |
| 28 | |
| 29 However, with more work, it's possible to minimize the trust afforded to CT | |
| 30 logs, and to automatically and cryptographically verify they're complying with | |
| 31 their stated policies. This can provide even greater assurance to application | |
| 32 developers, site operators, and their users, that the security expected from | |
| 33 certificates is actually being provided. | |
| 34 | |
| 35 For a more thorough threat analysis, see | |
| 36 https://datatracker.ietf.org/doc/draft-ietf-trans-threat-analysis/ that | |
| 37 discusses the different risks in Certificate Transparency, and how the | |
| 38 protocol addresses them. | |
| 39 | |
| 40 ## Certificate Transparency in `//net` | |
| 41 | |
| 42 A goal of `//net` is to try to ensure that code is 'safe by default' when | |
| 43 used. As part of serving that goal, in order to make a TLS or QUIC connection | |
| 44 using code in `//net`, it's necessary for the `//net` embedder to make | |
| 45 a decision about Certificate Transparency, much like it is necessary to | |
| 46 provide a [`CertVerifier`](../cert/cert_verifier.h) that describes how to | |
| 47 verify the server's certificate. | |
| 48 | |
| 49 Because this is necessary to make a TLS or QUIC connection, this requirement | |
| 50 surfaces upwards through each layer in the stack - applying to things like the | |
| 51 [`HttpNetworkSession`](../http/http_network_session.h) and upwards to the | |
| 52 [`URLRequestContext`](../url_request/url_request_context.h). | |
| 53 | |
| 54 This requirement is expressed by requiring two separate, but related, objects | |
| 55 to be supplied: A [`CTVerifier`](../cert/ct_verifier.h) and a | |
| 56 [`CTPolicyEnforcer`](../cert/ct_policy_enforcer.h), which together can be used | |
| 57 to express an application's policies with respect to Certificate Transparency. | |
| 58 | |
| 59 As part of the goal of ensuring 'safe by default', `//net` also has various | |
| 60 policies related to certificates issues by particular certificate authorities | |
| 61 whose past actions have created unnecessary security risk for TLS connections, | |
| 62 and as a consequence, are required to have their certificates disclosed using | |
| 63 Certificate Transparency in order to ensure that the security provided by | |
| 64 certificates from these CAs matches the level of security and assurance that | |
| 65 other CAs provide. These policies are implemented in | |
| 66 [`TransportSecurityState`](../http/transport_security_state.cc), via the | |
| 67 `ShouldRequireCT` method | |
| 68 | |
| 69 ### CTVerifier | |
| 70 | |
| 71 The `CTVerifier` is the core class for parsing and validating the structures | |
| 72 defined in RFC6962 (or future versions), and providing basic information about | |
| 73 the [`SignedCertificateTimestamps`](https://tools.ietf.org/html/rfc6962#section- 3.2) | |
| 74 present within the connection. | |
| 75 | |
| 76 ### CTPolicyEnforcer | |
| 77 | |
| 78 The `CTPolicyEnforcer` is the core class for expressing an application's | |
| 79 policies around how it expects Certificate Transparency to be used by the | |
| 80 certificates it trusts and the certificate authorities that issue these | |
| 81 certificates. | |
| 82 | |
| 83 The `CTPolicyEnforcer` currently expresses two policies: | |
| 84 * How to treat [Extended Validation](https://cabforum.org/extended-validation- 2/) | |
| 85 certificates (those for which a [`CertVerifier`](../cert/cert_verifier.h) | |
| 86 returned `CERT_STATUS_IS_EV`) | |
| 87 * How to treat all certificates, regardless of EV status. | |
| 88 | |
| 89 ### TransportSecurityState | |
| 90 | |
| 91 The `TransportSecurityState::ShouldRequireCT` method implements the core logic | |
| 92 for determining whether or not a connection attempt should be rejected if it | |
| 93 does not comply with an application's Certificate Transparency policy. | |
| 94 | |
| 95 The implementation in `//net` provides a default implementation that tries to | |
| 96 ensure maximum security, by causing connections that fail to abide by an | |
| 97 application's CT policy that are from CAs known to have security issues in the | |
| 98 past. | |
| 99 | |
| 100 Embedders can customize or override this by providing a | |
| 101 `TransportSecurityState::RequireCTDelegate` implementation, which allows | |
|
Eran Messeri
2017/03/16 12:10:27
Do I understand correctly that if said TransportSe
Ryan Sleevi
2017/03/16 14:10:35
Nope, because the CTPolicyEnforcer is still called
| |
| 102 applications to inspect the connection information and determine whether | |
| 103 CT should be required, CT should not be required, or whether the default logic | |
| 104 in `//net` should be used. | |
| 105 | |
| 106 ## Certificate Transparency in Chromium | |
| 107 | |
| 108 As part of the open-source implementation of Chrome, the policies related to | |
| 109 how Chromium code treats Certificate Transparency are documented at | |
| 110 https://www.chromium.org/Home/chromium-security/certificate-transparency . This | |
| 111 page includes the policies for how Chromium determines an acceptable set of | |
| 112 CT logs and what CT-related information is expected to accompany certificates, | |
| 113 both for EV and non-EV. | |
| 114 | |
| 115 The implementation of these policies lives within [`//net/cert`](../cert), and | |
| 116 include: | |
| 117 * [`ct_known_logs.h`](../cert/ct_known_logs.h): The set of CT logs known and | |
| 118 qualified according to Chromium's | |
| 119 [Certificate Transparency Log Policy](https://www.chromium.org/Home/chromium -security/certificate-transparency/log-policy) | |
| 120 * ['multi_log_ct_verifier.h`](../cert/multi_log_ct_verifier.h): Capable of | |
| 121 parsing SCTs from a variety of logs and validating their signatures, using | |
| 122 the keys and information provided by `ct_known_logs.h`. | |
| 123 * [`ct_policy_enforcer.h`](../cert/ct_policy_enforcer.h): A base class that | |
| 124 implements the Certificate Transparency in Chrome Policy, for both EV and | |
| 125 non-EV certificates. | |
| 126 | |
| 127 ## Certificate Transparency for `//net` Consumers | |
| 128 | |
| 129 Not every TLS connection may need the security assurances that | |
| 130 Certificate Transparency aims to provide. For example, some consumers of | |
| 131 `//net` APIs in Chromium use mutual authentication with self-signed | |
| 132 certificates and which are authenticated out-of-band. For these connections, | |
| 133 Certificate Transparency is not relevant, and it's not necessary to parse | |
| 134 or enforce CT related information. | |
| 135 | |
| 136 For these cases, the approach is: | |
| 137 * [`do_nothing_ct_verifier.h`](../cert/do_nothing_ct_verifier.h): A no-op | |
| 138 CTVerifier that does not parse or verify CT-related information. | |
| 139 * A derived `CTPolicyEnforcer` implementation that indicates all | |
| 140 certificates comply with its policies. | |
| 141 **TODO(rsleevi):** Provide a DoNothingCTPolicyEnforcer | |
| 142 | |
| 143 As documented in these classes, care should be taken before using these, as | |
| 144 they provide much weaker security guarantees. In general, emailing | |
| 145 net-dev@chromium.org or discussing it during a security review is the right | |
| 146 answer, and documenting at the instantiation points why it is safe and | |
| 147 acceptable to use these classes. | |
| 148 | |
| 149 ## Certificate Transparency for `//net` Embedders | |
| 150 | |
| 151 For projects and third party products that embed `//net`, the policies | |
| 152 that are included as part of the open-source repository may not be | |
| 153 appropriate. This is because the implementations may rely implicitly | |
| 154 or explicitly on several key guarantees that come from Google-branded | |
| 155 distributions and products, and may not be appropriate for other cases. | |
| 156 | |
| 157 These key expectations are: | |
| 158 * A release cycle aligned with Chrome releases; that is, every six weeks, | |
| 159 and on the same versions as Chrome releases. | |
| 160 * Widespread support for automatic updates. | |
| 161 * That [`base::GetBuildTime()`](../../base/build_time.h) will reflect, to | |
| 162 some degree, when the tree was branched and/or released, and will not | |
| 163 be re-generated on recompilation. That is, this implies is_official_build | |
| 164 for binaries released to end-users, but is not enforced in code so that | |
| 165 developers can accurately test release behavior. | |
| 166 * Support for dynamic [`base::FieldTrial`](../../base/metrics/field_trial.h) | |
| 167 configurations. | |
| 168 | |
| 169 For projects that don't support automatic updates, or which measure 'stable' | |
| 170 on the order of months to years, or which don't have tools suitable to | |
| 171 respond to changes in the Certificate Authority and Certificate Transparency | |
| 172 ecosystem, it may not be appropriate to enable Certificate Transparency | |
| 173 support yet. | |
| 174 | |
| 175 These issues are not unique or particular to Certificate Transparency - in | |
| 176 many ways, they're similar to issues already faced with determining which | |
| 177 certificate authorities are trusted and how to successfully validate a | |
| 178 TLS server's certificate. However, as the Certificate Transparency ecosystem | |
| 179 is still growing, it may be suitable to disable support until some of the | |
| 180 solutions to these challenges stablize. | |
| 181 | |
| 182 To opt-out of enforcing Certificate Transparency, using the `DoNothing` | |
| 183 variants discussed above provides a suitable implementation that will opt to | |
| 184 'fail open' instead. This may provide less security, but provides greater | |
| 185 stability, and minimizes the risk that these `//net` embedding clients | |
| 186 might cause to the CT ecosystem or receive from enabling CT. | |
| OLD | NEW |
