Efficient Gossip Protocols for Verifying the Consistency of Certificate Logs
Laurent Chuat, Pawel Szalachowski, Adrian Perrig, Ben Laurie, Eran Messeri

TL;DR
This paper introduces efficient gossip protocols that enable clients to verify the consistency and honesty of certificate logs, addressing a critical gap in trust and transparency in log-based security systems.
Contribution
It presents the first gossip protocols for log consistency verification, along with analysis, simulation results, deployment plans, and implementation details.
Findings
Protocols effectively detect log inconsistencies
Simulation shows practical efficiency on real traffic
Deployment plan facilitates real-world adoption
Abstract
The level of trust accorded to certification authorities has been decreasing over the last few years as several cases of misbehavior and compromise have been observed. Log-based approaches, such as Certificate Transparency, ensure that fraudulent TLS certificates become publicly visible. However, a key element that log-based approaches still lack is a way for clients to verify that the log behaves in a consistent and honest manner. This task is challenging due to privacy, efficiency, and deployability reasons. In this paper, we propose the first (to the best of our knowledge) gossip protocols that enable the detection of log inconsistencies. We analyze these protocols and present the results of a simulation based on real Internet traffic traces. We also give a deployment plan, discuss technical issues, and present an implementation.
