Aggregation-Based Gossip for Certificate Transparency

by   Rasmus Dahlberg, et al.
Karlstad University

Certificate Transparency (CT) is a project that mandates public logging of TLS certificates issued by certificate authorities. While a CT log is designed to be trustless, it relies on the assumption that every client sees and cryptographically verifies the same log. The solution to this problem is a gossip mechanism that ensures that clients share the same view of the logs. Despite CT being added to Google Chrome, no gossip mechanism is pending wide deployment. We suggest an aggregation-based gossip mechanism that passively observes cryptographic material that CT logs emit in plaintext, aggregating at packet processors and periodically verifying log consistency off-path. Based on 20 days of RIPE Atlas measurements that represents clients from 3500 autonomous systems and 40 for a realistic threat model with significant protection against undetected log misbehavior. We also discuss how to instantiate aggregation-based gossip on a variety of packet processors, and show that our P4 and XDP proof-of-concepts implementations run at line-speed.



There are no comments yet.


page 1

page 2

page 3

page 4


SoK: SCT Auditing in Certificate Transparency

The Web public key infrastructure is essential to providing secure commu...

The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem

In this paper, we analyze the evolution of Certificate Transparency (CT)...

Postcertificates for Revocation Transparency

The modern Internet is highly dependent on trust communicated via certif...

Characterizing the Root Landscape of Certificate Transparency Logs

Internet security and privacy stand on the trustworthiness of public cer...

Finding Phish in a Haystack: A Pipeline for Phishing Classification on Certificate Transparency Logs

Current popular phishing prevention techniques mainly utilize reactive b...

Verifiable Light-Weight Monitoring for Certificate Transparency Logs

Trust in publicly verifiable Certificate Transparency (CT) logs is reduc...

Think Global, Act Local: Gossip and Client Audits in Verifiable Data Structures

In recent years, there has been increasing recognition of the benefits o...

Code Repositories


Aggregation-Based Gossip for Certificate Transparency

view repo
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

The HTTPS ecosystem is going through a paradigm shift. As opposed to blindly trusting that Certificate Authorities (CAs) only issue certificates to the rightful domain owners—a model known for its weakest-link security [19]—transparency into the set of issued certificates is incrementally being required by major browser vendors [1, 36]. This transparency is forced and takes the form of Certificate Transparency (CT) logs: the idea is to reject any TLS certificate that have yet to be publicly logged, such that domain owners can monitor the logs for client-accepted certificates to detect certificate mis-issuance after the fact [31]. While the requirement of certificate logging is a significant improvement to the HTTPS ecosystem, the underlying problem of trusting CAs cannot be solved by the status quo of trusted CT logs (Sect. 2.1). Therefore, it is paramount that nobody needs to trust these logs once incremental deployments mature further.

CT is formalized and cryptographically verifiable [17], supporting inclusion and consistency proofs. This means that a client can verify whether a log is operated correctly: said certificates are included in the log, and nothing is being removed or modified. Despite the ability to cryptographically verify these two properties, there are no assurances that everybody observes the same log [11, 31]. For example, certificate mis-issuance would not be detected by a domain owner that monitors the logs if fraudulently issued certificates are shown to the clients selectively. A log that serves different versions of itself presents a split view [35]. Unless such log misbehaviour can be detected we must trust it not to happen.

The solution to the split viewing problem is a gossip mechanism which ensures that everybody observes the same consistent log [31]. This assumption is simple in theory but remarkably hard in practice due to client privacy, varying threat models, and deployment challenges [35, 42]. While Google started on a package that supports minimal gossip [18] and the mechanisms of Nordberg et al. [35], there is “next to no deployment in the wild” [22]. To this end we propose a gossip mechanism that helps detecting split-view attacks retroactively based on the idea of packet processors such as routers and middleboxes that aggregate Signed Tree Heads (STHs)—succinct representations of the logs’ states—that are exposed to the network in plaintext. The aggregated STHs are then used to challenge the logs to prove consistency via an off-path, such that the logs cannot distinguish between challenges that come from different aggregators. Given this indistinguishability assumption it is non-trivial to serve a consistent split-view to an unknown location [23]. Thus, all aggregators must be on the same view, and accordingly all clients that are covered by these aggregators must also be on the same view despite not doing any explicit gossip themselves because gossip is provided as-a-service by the network. An isolated client (i.e., untrusted network path to the aggregator) is notably beyond reach of any retroactive gossip [42].

The premise of having STHs in plaintext is controversial given current trends to encrypt transport protocols, which is otherwise an approach that combats inspection of network traffic and protocol ossification [20, 27]. We argue that keeping gossip related material in plaintext to support aggregation-based gossip comes with few downsides though: it is easy to implement, there are no major negative privacy impacts, and it would offer significant protection for a large portion of the Internet with a realistic threat model despite relatively small deployment efforts. The three main limitations are no protection against isolated clients, reliance on clients that fetch STHs from the logs in plaintext, and possible concerns surrounding protocol ossification [27]. Our contributions are as follows.

  • Design and security considerations for a network-based gossip mechanism that passively aggregates STHs to verify log consistency off-path (Sect. 3).

  • Generic implementations of the aggregation step using P4 [6] and XDP [26] for plaintext STHs, supporting line-speed packet processing on systems that range from switches, routers, network interface cards, and Linux (Sect. 4).

  • A simulation based on RIPE Atlas measurements that evaluate the impact of deploying aggregation-based gossip at ASes and IXPs. Our evaluation shows that incremental roll-out at well-connected locations would protect a significant portion of all Internet clients from undetected split views (Sect. 5).

Besides the sections referenced above the paper first introduces necessary background (Sect. 2) and finally provides discussion and conclusions (Sect. 68). Appendices 0.A0.B provide further implementation and public data set details.

2 Background

First additional prerequisites are provided on CT and the status quo, then the techniques which allow us to program custom packet processors are introduced.

2.1 Certificate Transparency

The main motivation of CT is that the CA ecosystem is error-prone [29]: a CA can normally issue certificates for any domain name, and given that there are hundreds of trusted CAs an attacker only needs to target the weakest link [19]. While the requirement of CT logging all certificates cannot prevent mis-issuance proactively, it allows anyone to detect it retroactively by monitoring the logs [31]. After a log promises to include a certificate by issuing a Signed Certificate Timestamp (SCT), a new STH including the appended certificate must be issued within a Maximum Merge Delay (MMD). Typically, logs use 24 hour MMDs. Should non-included SCTs and/or inconsistent STHs be found, binding evidence of log misbehaviour exists because these statements are digitally signed. Other than MMD a log’s policy defines parameters such as STH frequency: the number of STHs that can be issued during an MMD, making it harder to track clients [35].

CT is being deployed across Apple’s platform [1] and Google’s Chrome [36]. The status quo is to trust a CA-signed certificate if it is accompanied by two or more SCTs, thereby relying on at least one log to append each certificate so that mis-issuance can be detected by monitors that inspect the logs. The next step of this incremental deployment is to verify that these certificates are actually logged by querying for inclusion [41], and that the log’s append-only property is respected by challenging the log to prove STH consistency. Finally, to fully distrust CT logs we need mechanisms that detect split-views. One such mechanism which is based on programmable packet processors (introduced next) is presented in Sect. 3, and it is compared to related work on CT gossip in Sect. 6.

2.2 Programmable Data Planes

Packet processors such as switches, routers, and network interface cards are typically integrated tightly using customized hardware and application-specific integrated circuits. This inflexible design limits the potential for innovation and leads to long product upgrade cycles, where it takes years to introduce new processing capabilities and support for different protocols and header fields (mostly following lengthy standardization cycles). The recent shift towards flexible match+action packet-processing pipelines—including RMT [7], Intel Flexpipe111 (n.d.) , Cavium XPA222 (n.d.) , and Barefoot Tofino333 (n.d.) —now have the potential to change the way in which packet processing hardware is implemented: it enables programmability using high-level languages such as P4 (see below), while at the same time maintaining performance comparable to fixed-function chips.

2.2.1 P4.

The main goal of P4 is to simplify [1.2pt]p rogramming of [1.2pt]p rotocol-independent [1.2pt]p acket [1.2pt]p rocessors by providing an abstract programming model for the network data plane [6]. In this setting the functionality of a packet processing device is specified without assuming any hardwired protocols and headers. Consequently, a P4 program must parse headers and connect the values of those protocol fields to the actions that should be executed based on a pipeline of reconfigurable match+action tables. Based on the specified P4 code, a front-end compiler generates a high-level intermediate representation that a back-end compiler uses to create a target-dependent program representation. Compilers are available for several platforms, including the software-based simple switch architecture444 (2018) , SDNet for Xilinx NetFPGA boards [9], and Netronome’s smart network interfaces [38]. It is also possible to compile basic P4 programs into eBPF byte code.555 (2018)

2.2.2 Xdp.

The Berkeley Packet Filter (BPF) is a Linux-based packet filtering mechanism [33]. Verified bytecode is injected from user space, and executed for each received packet in kernel space by a just-in-time compiler. Extended BPF (eBPF) enhances the original BPF concept, enabling faster runtime and many new features.666 (2017) For example, an eBPF program can be attached to the Linux traffic control tool tc, and additional hooks were defined for a faster eXpress Data Path (XDP) [26]. In contrast to the Intel Data Plane Development Kit (DPDK) which runs in user space and completely controls a given network interface that supports a DPDK driver,777 (n.d.) XDP cooperates with the Linux stack to achieve fast, programmable, and reconfigurable packet processing using C-like programs.

3 Design

An overview of aggregation-based gossip is shown in Fig. 1. The setting consists of logs that send plaintext STHs to clients over a network, and as part of the network inline packet processors passively aggregate observed STHs to their own off-path challengers which challenge the logs to prove consistency. A log cannot present split views to different clients that share an aggregating vantage point because it would trivially be detected by that vantage point’s challenger. A log also cannot present a persistent split view to different challengers because they are off-path in the sense that they are indistinguishable from one another. This means that every client that is covered by an aggregator must be on the same view because at least one challenger will otherwise detect an inconsistency and report it. A client that is not directly covered by an aggregator may receive indirect protection in the form of herd immunity. This is discussed in Sect. 7.4.

Figure 1: Packet processor that aggregates plaintext STHs for off-path verification.

3.1 Threat Model and Security Notion

The overarching threat is undetectable domain impersonation (ex-post) by an attacker that is capable of compromising at least one CA and a sufficient number of CT logs to convince a client into accepting a forged certificate. We assume that any illegitimately issued certificate would be detected by the legitimate domain owner through self or delegated third-party monitoring. This means that an attacker must either provide a split view towards the victim or the monitoring entity. We also assume that clients query the logs for certificate inclusion based on STHs that it acquires from the logs via plaintext mechanisms that packet processors can observe, and that some other entities than challengers process STHs using the chosen off-paths (Sect 7.1). We do not account for the fact that CA compromises may be detected by other means, focusing solely on split views.

3.1.1 Limitations.

Our gossip mechanism is limited to STHs that packet processors can observe. As such, a client isolated by an attacker is not protected. We limit ourselves to attackers that act over a network some distance (in the sense of network path length) from a client in plaintext so that aggregation can take place. Our limitations and assumptions are further discussed in Sect. 7.1.

3.1.2 Attackers.

Exceptionally powerful attackers can isolate clients, but clients are not necessarily easy to isolate for a significant number of relevant attackers. Isolation may require physical control over a device,888See FBI-Apple San Bernardino case: (2016) clients may be using anonymity networks like Tor where path selection is inherently unpredictable [16], or sufficiently large parts of the network cannot be controlled to ensure that no aggregation takes place. This may be the case if we consider a nation state actor attacking another nation state actor, the prevalence of edge security middleboxes, and that home routers or NICs nearby the clients could aggregate. Any attacker that cannot account for these considerations is within our threat model.

3.1.3 Security Notion.

To bypass our approach towards gossip an adaptive attacker may attempt to actively probe the network for aggregating packet processors. This leads us to the key security notion: aggregation indistinguishability. An attacker should not be able to determine if a packet processor is aggregating STHs. The importance of aggregation indistinguishability motivates the design of our gossip mechanism into two distinct components: aggregation that takes place inline at packet processors, and periodic off-path log challenging that checks whether the observed STHs are consistent (if not report the misbehaving log).

3.2 Packet Processor Aggregation

An aggregating packet-processor determines for each packet if it is STH-related. If so, the packet is cloned and sent to a challenging component for off-path verification (see Sect. 3.3). The exact definition of STH-related depends on the plaintext source, but it is ultimately the process of inspecting multiple packet headers such as transport protocol and port number. It should be noted that the original packet must not be dropped or modified. For example, an aggregator would have a trivial aggregation distinguisher if it dropped any malformed STH.

For each aggregating packet processor we have to take IP fragmentation into consideration. Recall that IP fragmentation usually occurs when a packet is larger than the MTU, splitting it into multiple smaller IP packets that are reassembled at the destination host. Normally an STH should not be fragmented because it is much smaller than the de-facto minimum MTU of (at least) 576 bytes [8, 14], but an attacker could use fragmentation to intentionally spread expected headers across multiple packets. Assuming stateless packet processing, an aggregator cannot identify such fragmented packets as STH-related because some header would be absent (cf. stateless firewalls). All tiny fragments should therefore be aggregated to account for intentional IP fragmentation, which appears to have little or no impact on normal traffic because tiny fragments are anomalies [40]. The threat of multi-path fragmentation is discussed in Sect. 7.1.

Large traffic loads must also be taken into account. If an aggregating packet processor degrades in performance as the portion of STH-related traffic increases, a distant attacker may probe for such behaviour to determine if a path contains an aggregator. Each implementation must therefore be evaluated individually for such behaviour, and if trivial aggregation distinguishers exist this needs to be solved. For example, STH-related traffic could be aggregated probabilistically to reduce the amount of work (Appendix 0.A.2). Another option is to load-balance the traffic before aggregation, i.e., avoid worst-case loads that cannot be handled.

3.3 Off-Path Log Challenging

A challenger is setup to listen for aggregated traffic, reassembling IP fragments and storing the aggregated STHs for periodic off-path verification. Periodic off-path verification means that the challenger challenges the log based on its own (off-path fetched) STHs and the observed (aggregated) STHs to verify log consistency periodically, e.g., every day. The definition of off-path is that the challenger must not be linkable to its aggregating packet processor(s) or any other challenger (including itself). Without an off-path there is no gossip step amongst aggregator-challenger instances that are operated by different actors, and our approach towards gossip would only assert that clients behind the same vantage point observe the same logs. If a log cannot distinguish between different challengers due to the use of off-paths, however, it is non-trivial to maintain a targeted split-view towards an unknown location. Therefore, we get a form of implicit gossip [23] because at least one challenger would detect an inconsistency unless everybody observes the same log. If every challenger observes the same log, so does every client that is covered by an aggregating packet processor. Notably the challenger component does not run inline to avoid timing distinguishers. Sect. 7.1 discusses aggregation distinguishers based on unique STH probes.

4 Implementation and Distinguishability Experiments

There are many different ways to implement the aggregation step. We decided to use P4 and XDP because a large variety of programmable packet processors support these languages (Sect 2.2). The aggregated plaintext source is assumed to be CT-over-DNS [30], which means that a client obtains STHs by fetching IN TXT resource records. Since languages for programmable packet processors are somewhat restricted, we facilitated packet processing by requiring that at most one STH is sent per UDP packet (Appendix 0.A.1). This is reasonable because logs should only have one most recent STH. A DNS STH is roughly 170 bytes without any packet headers and should normally not be fragmented, but to ensure that we do not miss any intentionally fragmented STHs we aggregate every tiny fragment. We did not implement the challenging component because it is relatively easy given an existing off-path. Should any scalability issue arise for the challenger there is nothing that prevents a distributed front-end that processes the aggregated material before storage. Storage is not an issue because there are only a limited amount of unique STHs per day and log (one new STH per hour is a common policy, and browsers recognize logs). Further details can be found on GitHub ( and in Appendix 0.A.

4.0.1 Setup.

We used a test-bed consisting of a traffic generator, a traffic receiver, and an aggregating target in between. The first target is a P4-enabled NetFPGA SUME board that runs an adapted version of our P4 reference implementation. The second target is a net-next kernel v4.17.0-rc6 Linux machine that runs XDP on one core with a 10 Gb SFP+ X520 82599ES Intel card, a  GHz Intel Core i7-4790 CPU, and 16 GB of RAM at 1600 MHz (Hynix/Hyundai). We would like to determine whether there are any aggregation distinguishers as the fraction of STHs (experiment 1) and tiny fragments (experiment 2) in the traffic is increased from 0–100%, i.e., does performance degrade as a function of STH-related rate? Non-fragmented STH packets are 411 bytes,999We used excessively large DNS headers to maximize the packet parsing overhead. and tiny fragments are 64 bytes. All background traffic have the same packet sizes but is not deemed STH-related.

4.0.2 Results.

Fig. (a)a shows throughput as a function of STH-related rate for the P4-enabled NetFPGA. While we were unable to observe any distinguisher between normal routing and the edge case of 100% aggregation for non-fragmented STH packets, there is a small constant throughput difference for tiny fragments ( Kbps). This is a non-negligible program distinguisher if a packet processor is physically isolated as in our benchmark, i.e., something other than a routing program is running but it is not necessarily an aggregator because performance does not degrade as a function of increased STH-related rate. However, we found such degradation behaviour for the single-core XDP case (Fig. (b)b). If line-speed is higher than 2 Gbps, traffic could be load-balanced to overcome this issue.

Figure 4: Throughput as a function of STH-related traffic that is aggregated.

4.0.3 Lessons learned.

Aggregation indistinguishability is provided by P4-NetFPGA. For XDP it depends on the scenario: what is the line-rate criteria and how many cores are available. Five cores support 10 Gbps aggregation indistinguishability.

5 Estimated Impact of Deployment

We conducted 20 daily traceroute measurements during spring 2018 on the RIPE Atlas platform to evaluate the effectiveness of aggregation-based gossip. The basic idea is to look at client coverage as central ASes and IXPs aggregate STHs. If any significant client coverage can be achieved, the likelihood of pulling off an undetected split-view will be small given aggregation indistinguishability.

5.0.1 Setup.

We scheduled RIPE Atlas measurements from roughly 3500 unique ASes that represent 40% of the IPv4 space, trace-routing Google’s authoritative CT-over-DNS server and NORDUnet’s CT log to simulate clients that fetch DNS STHs in plaintext (Appendix 0.B.1). Each traceroute result is a list of traversed IPs, and it can be translated into the corresponding ASes and IXPs using public data sets (Appendix 0.B.2). In other words, traversed ASes and IXPs can be determined for each probe. Since we are interested in client coverage as ASes and IXPs aggregate, each probe is weighted by the IPv4 space of its AS. While an IP address is an imperfect representation of a client, e.g., an IP may be unused or reused, it gives a decent idea of how significant it is to cover a given probe.

5.0.2 Results.

Fig. 5 shows AS/IXP path length and stability from the probes to the targets. If the AS path length is one, a single AS is traversed before reaching the target. It is evident that an AS path tends to be one hop longer towards NORDUnet than Google because there is a rough off-by-one offset on the x-axis. A similar trend of greater path length towards NORDUnet can be observed for IXPs. For example, 74.0% of all paths traversed no IXP towards Google, but 58.5% of all paths traversed a single IXP towards NORDUnet. These results can be explained by infrastructural differences of our targets: since Google is a worldwide actor an average path should be shorter than compared to a region-restricted actor like NORDUnet. We also observed that AS and IXP paths tend to be quite stable over 20 days (the duration of our measurements). In other words, if AS and are traversed it is unlikely to suddenly be routed via AS .

Figure 5: Path length and stability towards Google and NORDUnet.

Fig. 6 shows coverage of the RIPE Atlas network as actors aggregate STHs. For example, 100% and 50% coverage means that at least 40% and 20% of the full IPv4 space is covered. The aggregating ASes and IXPs were selected based on the most commonly traversed vantage points in our measurements (Pop), as well as CAIDA’s largest AS ranking.101010CAIDA ranks ASes based on collected topological data sets (Appendix 0.B.2). We found that more coverage is achieved when targeting NORDUnet than Google. This is expected given that the paths tend to be longer. Further, if CAIDA’s top-32 enabled aggregation the coverage would be significant towards Google (31.6%) and NORDUnet (58.1%).

Figure 6: Coverage as a function of aggregation opt-in.

5.0.3 Lessons learned.

A vast majority of all clients traverse at least one AS that could aggregate. It is relatively rare to traverse IXPs towards Google but not NORDUnet. We also learned that paths tends to be stable, which means that the time until split view detection would be at least 20 days if it is possible to find an unprotected client. This increases the importance of aggregation indistinguishability. Finally, we identified vantage points that are commonly traversed using Pop, and these vantage points are represented well by CAIDA’s independent AS ranking. Little opt-in from ASes and IXPs provides significant coverage against an attacker that is relatively close to a client (cf. world-wide infrastructure of Google). Although we got better coverage for NORDUnet, any weak attacker would approach Google’s coverage by renting infrastructure nearby. Any weak attacker could also circumvent IXP aggregation by detecting the IXP itself. As such, aggregating at top-ranked ASes should give the best split-view protection.

6 Related Work

Earlier approaches towards CT gossip are categorized as proactive or retroactive in Fig. 7. We consider an approach proactive if gossip takes place before SCTs and/or STHs reach the broader audience of clients. Syta et al. proposed proactive witness cosigning, in which an STH is collectively signed by a large number of witnesses and at most a fraction of those can be faulty to ensure that a benevolent witness observed an STH [42]. STH cross-logging [18, 24, 25] is similar in that an STH must be proactively disclosed in another transparency log to be trusted, avoiding any additional cosigning infrastructure at the cost of reducing the size and diversity of the witnessing group. Tomescu and Devadas [43] suggested a similar cross-logging scheme, but split-view detection is instead reduced to the difficulty of forking the Bitcoin blockchain (big-O cost of downloading all block headers as a TLS client). The final proactive approach is STH pushing, where a trusted third-party pushes the same verified STH history to a base of clients [41].



STH cross-logging [18, 24, 25, 43]

STH pushing [41]

STH cosigning [42]

Implicit via multipath [23]

STH pooling [11, 35]

Trusted auditing [35]

SCT feedback [35]

CT honey bee [3]
Figure 7: A categorization of approaches towards CT gossip.

We consider a gossip mechanism retroactive if gossip takes place after SCTs and/or STHs reach the broader audience of clients. Chuat et al. proposed that TLS clients and TLS servers be modified to pool exchanged STHs and relevant consistency proofs [11]. Nordberg et al. continued this line of work, suggesting privacy-preserving client-server pollination of fresh STHs [35]. Nordberg et al. also proposed that clients feedback SCTs and certificate chains on every server revisit, and that trusted auditor relationships could be engaged if privacy need not be protected. The latter is somewhat similar to the formalized client-monitor gossip of Chase and Meiklejohn [10], as well as the CT honey bee project where a client process fetches and submits STHs to a pre-compiled list of auditors [3]. Laurie suggested that a client can resolve privacy-sensitive SCTs to privacy-insensitive STHs via DNS (which are easier to gossip) [30]. Private information retrievals could likely achieve something similar [32]. Assuming that TLS clients are indistinguishable from one another, split-view detection could also be implicit as proposed by Gunn et al. for the verifiable key-value store CONIKS [23, 34].

Given that aggregation-based gossip takes place after an STH is issued, it is a retroactive approach. As such, we cannot protect an isolated client from split-views [42]. Similar to STH pooling and STH pollination, we rely on client-driven communication and an existing infrastructure of packet processors to aggregate. Our off-path verification is based on the same multi-path probing and indistinguishability assumptions as Gunn et al. [2, 23, 44]. Further, given that aggregation is application neutral and deployable on hosts, it could provide gossip for the CT honey bee project (assuming plaintext STHs) and any other transparency application like Trillian [21]. Another benefit when compared to browsing-centric and vendor-specific approaches is that a plethora of HTTPS clients are covered, ranging from niche web browsers to command line tools and embedded libraries that are vital to protect but yet lack the resources of major browser vendors [4, 15]. Our approach coexists well with witness cosigning and cross-logging due to different threat models, but not necessarily STH pushing if the secure channel is encrypted (no need to fetch what a trusted party provides).

7 Discussion

Below we discuss assumptions, limitations, and deployment, showing that our approach towards retroactive gossip can be deployed at scale to detect split-views by many relevant attackers with relatively little effort. The main drawback is reliance on clients fetching STHs in plaintext, e.g., using CT-over-DNS [30].

7.1 Assumptions and Limitations

Aggregation-based gossip is limited to network traffic that packet processors can observe. The strongest type of attacker in this setting—who can completely isolate a client—trivially defeats our gossip mechanism and other retroactive approaches in the literature (see Sect. 6). A weaker attacker cannot isolate a client, but is located nearby in a network path length sense. This limits the opportunity for packet processor aggregation, but an attacker cannot rule it out given aggregation indistinguishability. Sect. 4 showed based on performance that it is non-trivial to distinguish between (non-)aggregating packet processors on two different targets using P4 and XDP. Off-path challengers must also be indistinguishable from one another to achieve implicit gossip. While we suggested the use of anonymity networks like Tor, a prerequisite is that this is in and of itself not an aggregation distinguisher.111111Low-latency anonymity networks like Tor are susceptible to traffic confirmation and correlation attacks where the attacker observes traffic from the packet processor and is in control of the response from the CT logs. A strictly isolated packet processor may not be able to hide that it is challenging the logs (i.e., aggregation distinguisher). Therefore, we assume that other entities also use off-paths to fetch and verify STHs. The fact that a unique STH is not audited from an off-path could also be an aggregation distinguisher. To avoid this we could rely on a verifiable STH history121212 (2017) and wait until the next MMD to audit or simply monitor the full log so that consistency proofs are unnecessary.

The existence of multiple network paths are fundamental to the structure and functioning of the Internet. A weak attacker may use IP fragmentation such that each individual STH fragment is injected from a different location to make aggregation harder, approaching the capabilities of a stronger attacker that is located closer to the client. This is further exacerbated by the deployment of multi-path transport protocols like MPTCP (which can also be fragmented). Looking back at our RIPE Atlas measurements in Sect. 5, the results towards Google’s world-wide infrastructure better represent an active attacker that takes some measures to circumvent aggregation by approaching a client nearby the edge. Given that the likelihood of aggregation is high if any IXP is present (Fig. 6), aggregation at well-connected IXPs are most likely to be circumvented.

7.2 Deployment

Besides aggregating at strategic locations in the Internet’s backbone, ISPs and enterprise networks have the opportunity to protect all of their clients with relatively little effort. Deployment of special-purpose middleboxes are already prevalent in these environments, and then the inconvenience of fragmentation tends to go away due to features such as packet reassembly. Further, an attacker cannot trivially circumvent the edge of a network topology—especially not if aggregation takes place on an end-system: all fragments are needed to reassemble a packet, which means that multi-path fragmentation is no longer a threat. If aggregation-based gossip is deployed on an end-system, STHs could be hooked using other approaches than P4/XDP. For example, shim-layers that intercept TLS certificates higher up in the networking stack were already proposed by Bates et al. [5] and O’Neill et al. [37]. In this setting an end-system is viewed as the aggregating packet processor, and it reports back to an off-path challenger that may be a local process running on the same system or a remote entity, e.g., a TelCo could host challengers that collect aggregated STHs from smartphones.

While we looked at programming physical packet processors like routers, STH aggregation could be approached in hypervisors and software switches [39] to protect many virtual hosts. If CT-over-DNS is used to fetch STHs, it would be promising to output DNS server caches to implement the aggregation step. Similar to DNS servers, so called Tor exist relays also operate DNS caches. In other words, P4 and XDP are only examples of how to instantiate the aggregation step. Depending on the used plaintext source, packet processor, and network topology other approaches may be more suitable, e.g., C for vendor-specific middleboxes.

7.3 Retroactive Gossip Benefits From Plaintext

As opposed to an Internet core that only forwards IP packets, extra functionality is often embedded which causes complex processing dependencies and protocol ossification [27]. Many security and protocol issues were found for middleboxes that provides extra functionality [20, 28], resulting in the mindset that everything should be encrypted [28]. Our work is controversial because it goes against this mindset and advocates that STHs should be communicated in plaintext. We argue that this makes sense in the context of STHs due to the absence of privacy concerns and because the entire point of gossip is to make STHs available (rather than end-to-end only). The idea of intentionally exposing information to the network is not new, e.g., MPQUIC is designed to support traffic shaping [12].

While we used CT-over-DNS as a plaintext source, there is a push towards DNS-over-TLS131313 (2018) and DNS-over-HTTPS141414 (2018) . Wide use of these approaches could undermine our gossip mechanism, but ironically the security of TLS could be jeopardized unless gossip is deployed. In other words, long term gossip is an essential component of CT and other transparency logs to avoid becoming yet another class of trusted third-parties. If proactive approaches such as witness cosigning are rejected in favour of retroactive mechanisms, then ensuring that STHs are widely spread and easily accessible is vital. An STH needs no secrecy if the appropriate measures are taken to make it privacy-insensitive [35]. While secure channels also provide integrity and replay protection, an STH is already signed by logs and freshness is covered by MMDs as well as issue frequency to protect privacy. A valid argument against exposing any plaintext to the network is protocol ossification. We emphasize that our design motivates why packet processors should fail open: otherwise there is no aggregation indistinguishability.

7.4 Indistinguishability and Herd Immunity

An attacker that gains control over a CT log is bound to be more risk averse than an attacker that compromises a CA. There is an order of magnitude fewer logs than CAs, and client vendors are likely going to be exceptionally picky when it comes to accepted and rejected logs. We have already seen examples of this, including Google Chrome disqualifying logs that made mistakes: Izenpe used the same key for production and testing,151515!topic/ct-policy/qOorKuhL1vA (2016) and Venafi suffered from an unfortunate power outage.161616!topic/ct-policy/KMAcNT3asTQ (2017) Risk averse attackers combined with packet processors that are aggregation indistinguishable may lead to herd immunity: despite a significant fraction of clients that lack aggregators, indirect protection may be provided because the risk of eventual detection is unacceptable to many attackers. Hof and Carle [25] and Nordberg et al. [35] discussed herd immunity briefly before us.

8 Conclusion

Wide spread modifications of TLS clients are soon inevitable to support CT gossip. We proposed that these modifications include challenging the logs to prove certificate inclusion based on STHs fetched in plaintext, thereby enabling the traversed packet processors to assist in split view detection retroactively by aggregating STHs for periodic off-path verification. Beyond being an application neutral approach that is complementary to proactive gossip, a compelling aspect is that core packet processors are used (rather than clients) as a key building block to realize implicit gossip; should a consistency issue arise, it is already in the hands of an entity that is well equipped to investigate the cause manually. Considering that far from all TLS clients are backed by big browser vendors—not to mention other use-cases of transparency logs in general—it is likely a long-term win to avoid pushing complex retroactive gossip logic into all the different types of clients when there are orders of magnitudes fewer packet processors that could aggregate to their own off-path challengers. While taking the risk of ossification into account by suggesting that packet processors fail open to provide aggregation indistinguishability, our approach offers rapid incremental deployment with high impact on a significant fraction of Internet users.

8.0.1 Acknowledgments.

We would like to thank Stefan Alfredsson and Philipp Winter for their RIPE Atlas credits, as well as Jonas Karlsson and Ricardo Santos for helping with the NetFPGA setup. We also received funding from the HITS research profile which is funded by the Swedish Knowledge Foundation.


  • [1] Apple’s certificate transparency policy (2018),
  • [2] Alicherry, M., Keromytis, A.D.: DoubleCheck: Multi-path verification against man-in-the-middle attacks. In: ISCC (2009)
  • [3] Ayer, A.: Lightweight program that pollinates STHs between certificte transparency logs and auditors (2018),
  • [4] Backes, M., Bugiel, S., Derr, E.: Reliable third-party library detection in Android and its security applications. In: CCS (2016)
  • [5] Bates, A.M., Pletcher, J., Nichols, T., Hollembaek, B., Tian, D., Butler, K.R.B., Alkhelaifi, A.: Securing SSL certificate verification through dynamic linking. In: CCS (2014)
  • [6] Bosshart, P., Daly, D., Gibb, G., Izzard, M., McKeown, N., Rexford, J., Schlesinger, C., Talayco, D., Vahdat, A., Varghese, G., Walker, D.: P4: Programming protocol-independent packet processors. CCR 44(3) (2014)
  • [7] Bosshart, P., Gibb, G., Kim, H.S., Varghese, G., McKeown, N., Izzard, M., Mujica, F., Horowitz, M.: Forwarding metamorphosis: Fast programmable match-action processing in hardware for SDN. In: ACM SIGCOMM (2013)
  • [8] Braden, R.: Requirements for Internet hosts—communication layers. RFC 1122
  • [9] Brebner, G.: P4 for an FPGA target. In: P4 Workshop (2015),
  • [10] Chase, M., Meiklejohn, S.: Transparency overlays and applications. In: CCS (2016)
  • [11] Chuat, L., Szalachowski, P., Perrig, A., Laurie, B., Messeri, E.: Efficient gossip protocols for verifying the consistency of certificate logs. In: CNS (2015)
  • [12] Coninck, Q.D., Bonaventure, O.: Multipath QUIC: Design and evaluation. In: CoNEXT (2017)
  • [13] Dahlberg, R.: Aggregating Certificate Transparency Gossip Using Programmable Packet Processors. Master thesis, Karlstad University (2018)
  • [14] Deering, S., Hinden, R.: Internet protocol version 6 (IPv6) specification. RFC 8200
  • [15] Derr, E., Bugiel, S., Fahl, S., Acar, Y., Backes, M.: Keep me updated: An empirical study of third-party library updatability on Android. In: CCS (2017)
  • [16] Dingledine, R., Mathewson, N., Syverson, P.F.: Tor: The second-generation onion router. In: USENIX Security (2004)
  • [17] Dowling, B., Günther, F., Herath, U., Stebila, D.: Secure logging schemes and certificate transparency. In: ESORICS (2016)
  • [18] Drysdale, D.: Minimal gossip (2018),
  • [19] Durumeric, Z., Kasten, J., Bailey, M., Halderman, J.A.: Analysis of the HTTPS certificate ecosystem. In: ICM (2013)
  • [20] Durumeric, Z., Ma, Z., Springall, D., Barnes, R., Sullivan, N., Bursztein, E., Bailey, M., Halderman, J.A., Paxson, V.: The security impact of HTTPS interception. In: NDSS (2017)
  • [21] Eijdenberg, A., Laurie, B., Cutter, A.: Verifiable data structures (2015),
  • [22] Gasser, O., Hof, B., Helm, M., Korczynski, M., Holz, R., Carle, G.: In log we trust: Revealing poor security practices with certificate transparency logs and Internet measurements. In: PAM (2018)
  • [23] Gunn, L.J., Allison, A., Abbott, D.: Safety in numbers: Anonymization makes keyservers trustworthy. In: HotPETs (2017)
  • [24] Hof, B.: STH cross logging. Internet-draft draft-hof-trans-cross-00 (2017)
  • [25] Hof, B., Carle, G.: Software distribution transparency and auditability. CoRR abs/1711.07278 (2017)
  • [26] Høiland-Jørgensen, T., Brouer, J.D., Borkmann, D., Fastabend, J., Herbert, T., Ahern, D., Miller, D.: The express data path: Fast programmable packet processing in the operating system kernel. In: CoNEXT (2018)
  • [27] Honda, M., Nishida, Y., Raiciu, C., Greenhalgh, A., Handley, M., Tokuda, H.: Is it still possible to extend TCP? In: ICM (2011)
  • [28] Langley et. al: The QUIC transport protocol: Design and Internet-scale deployment. In: SIGCOMM (2017)
  • [29] Laurie, B.: Certificate transparency. ACM Queue 12(8) (2014)
  • [30] Laurie, B.: Certificate transparency over DNS (2016),
  • [31] Laurie, B., Langley, A., Kasper, E.: Certificate transparency. RFC 6962 (2013)
  • [32] Lueks, W., Goldberg, I.: Sublinear scaling for multi-client private information retrieval. In: FC (2015)
  • [33] McCanne, S., Jacobson, V.: The BSD packet filter: A new architecture for user-level packet capture. In: Usenix Winter Technical Conference (1993)
  • [34] Melara, M.S., Blankstein, A., Bonneau, J., Felten, E.W., Freedman, M.J.: CONIKS: Bringing key transparency to end users. In: USENIX Security (2015)
  • [35] Nordberg, L., Gillmor, D.K., Ritter, T.: Gossiping in CT. Internet-draft draft-ietf-trans-gossip-05 (2017)
  • [36] O’Brien, D.: Certificate transparency enforcement in Google Chrome (2018),!msg/ct-policy/wHILiYf31DE/iMFmpMEkAQAJ
  • [37] O’Neill, M., Heidbrink, S., Ruoti, S., Whitehead, J., Bunker, D., Dickinson, L., Hendershot, T., Reynolds, J., Seamons, K.E., Zappala, D.: TrustBase: An architecture to repair and strengthen certificate-based authentication. In: USENIX Security (2017)
  • [38] Netronome Systems Inc.: Programming NFP with P4 and C. White paper,
  • [39] Shahbaz, M., Choi, S., Pfaff, B., Kim, C., Feamster, N., McKeown, N., Rexford, J.: PISCES: a programmable, protocol-independent software switch. In: ACM SIGCOMM (2016)
  • [40] Shannon, C., Moore, D., Claffy, K.C.: Beyond folklore: Observations on fragmented traffic. IEEE/ACM Trans. Netw. 10(6) (2002)
  • [41] Sleevi, R., Messeri, E.: Certificate transparency in Chrome: Monitoring CT logs consistency (2017),
  • [42] Syta, E., Tamas, I., Visher, D., Wolinsky, D.I., Jovanovic, P., Gasser, L., Gailly, N., Khoffi, I., Ford, B.: Keeping authorities “honest or bust” with decentralized witness cosigning. In: IEEE SP (2016)
  • [43] Tomescu, A., Devadas, S.: Catena: Efficient non-equivocation via Bitcoin. In: IEEE SP (2017)
  • [44] Wendlandt, D., Andersen, D.G., Perrig, A.: Perspectives: Improving SSH-style host authentication with multi-path probing. In: USENIX ATC (2008)

Appendix 0.A Implementation

Below implementation details are provided for CT-over-DNS as the aggregated plaintext source. However, most of the discussion is not only relevant for DNS.

0.a.1 Plaintext Source

Aggregation-based gossip relies on a plaintext source that packet processors can observe. The most applicable mechanism today is CT-over-DNS, which is hosted by Google for all Chrome-included logs. According to the draft by Laurie [30], a DNS STH response is an IN TXT resource record where the query domain is sth.<log> We further restrict the format such that a response must be transported by UDP and contain (i) a single query, (ii) a single response, and (iii) no more than a threshold of bytes. It is hard to process a TCP data stream because it may span multiple IP packets.171717 (2017) At best, it is also hard to parse variable-length and human-readable protocols such as HTTP.181818 (2017) From a general standpoint, this means that neither TLS nor OCSP are particularly prominent sources to aggregate despite STHs being transferred in plaintext [13].

0.a.2 Proof-of-Concept

Figure 8 gives an overview of the headers that must be declared, parsed, and inspected to aggregate DNS STHs. It is relatively easy to extract headers down to DNS, after which the processing must continue in multiple stages: extract a fixed-width preamble that contains the number of questions (qd) and answers (an), loop to extract the query domain name, and finally extract the fixed remainder of the query (type and class). It is not possible to parse an arbitrary number of questions and answers in P4/XDP because loops must be constantly bound. This motivates the somewhat restricted CT-over-DNS format in Appendix 0.A.1.







domain name

query type

query class








known log




Figure 8: Criteria to aggregate an incoming packet pkt_in.

If all conditions in Figure 8 hold for a packet, it is cloned in addition to normal routing using an existing P4-action or by control-plane copying via XDP’s ring-buffer191919 (2018) . Note that small IP fragments which are less than a threshold are also marked for cloning, accounting for attackers that intentionally fragment IP packets to bypass aggregation. Finally, our proof-of-concepts support simple probabilistic filtering by cloning every match for a security parameter .

0.a.3 Caveats

0.a.3.1 Aggregation indistinguishability.

Our packet processing is designed to avoid trivial aggregation distinguishers, such as dropping tiny fragments proactively because they are more cumbersome to validate (e.g., it requires reassembly). Accordingly, it is paramount that developers ensure that malformed packets are not dropped on parser exceptions and that STH-related traffic remains unmodified by failing open. Given that typical programs often operate on lower-layer headers, this is particularly important while processing UDP and DNS headers.

0.a.3.2 IP fragments and options.

To minimize data collection an IP fragment should only be aggregated if it is less than a threshold. Therefore, a log client must reject STH packets that are too large. At the time of writing a typical DNS STH is encoded as 170 bytes, and a 400 byte threshold would presumably be large enough to account for IP options, large domain names, and STH extensions (should they exists in the future). The privacy impact of aggregating small fragments appears to have little or no impact on legitimate traffic [40],202020 (2006) which is reasonable given that the de-facto minimum MTU has been at least 576 bytes for decades [8, 14]. In other words, small fragments are anomalies rather than expected behaviour. Under normal circumstances and a sound STH frequency for privacy, we expect around 24 unique STHs per day and log to be aggregated.

Appendix 0.B Data Sets

Our traceroute data set is publicly available and described in Appendix 0.B.1. The role of other public data sets used in our analysis are explained in Appendix 0.B.2.

0.b.1 RIPE Atlas Traceroute Measurements

Our traceroute measurements can be downloaded from the RIPE Atlas platform. Identifiers: 11603880–11603884, 11784033–11784042, and 11826645–11826649.

0.b.1.1 Probe selection.

The goal of our probe selection process was to maximize the number of unique ASes (which will represent blocks of IP addresses that we can evaluate coverage for). The scope of our search was reduced to IPv4 because many probes support it, and for redundancy the two most stable probes in each unique AS were selected. We based the stable criteria on the RIPE Atlas tag system-ipv4-stable-n, such that a probe got the highest priority if  days. While many ASes had too few probes to support redundancy, we ended up requesting 4604 probes. After removing the redundant probes that delivered the fewest amount of traceroute results, there were little or no failures amongst the remaining 3512 (Google) and 3488 (NORDUnet) probes: around 100 probes failed at least once, and among those 24 as well as 17 probes (respectively) failed more than once. This means that the reliability of RIPE Atlas platform is high, and thus it is unnecessary to account for failures while analyzing our results.

0.b.1.2 Duration and measurement settings.

For all probes we scheduled a daily traceroute towards Google and NORDUnet. Our measurements towards Google started on March 10 2018 and ended on March 30 2018. On March 20 we started another measurement towards NORDUnet that ended on April 9 2018. We used the RIPE Atlas default traceroute settings: ICMP port 80 with default spread and Paris traceroute enabled212121 (n.d.) (value 16). The response timeout was set to 4000 ms for three 48 byte packets and 32 max hops. We also hard-coded the targeted IP addresses because not all probes support DNS lookups. To verify that the mapping from domain name to IP address remained the same for Google’s authoritative CT-over-DNS server, we conducted a daily santiy-check222222RIPE Atlas measurement identifiers: 11603871 and 11793938. from 128 worldwide probes that resolved on the probes. An employee at SUNET verified that would remain stable throughout the course of our experiments.

0.b.2 Public Data Sets

The traceroute data set in Appendix 0.B.1 contains lists of IP addresses. Since we are interested in the actors that control the corresponding packet processors, i.e., which actors are on a given path, we mapped each IP address to an AS number and/or IXP identifier using public data sets from Routeviews232323The Routeviews MRT format RIBs and UPDATEs Dataset, 2018-03-12 14:00, and CAIDA242424The CAIDA UCSD IXPs Dataset, February 2018, . We also relied on RIPE Atlas probe metadata to map probes to AS numbers,252525!/probes/probe_list_get, accessed REST API 2018-04-06 CAIDA’s largest AS rank to select globally influential ASes as aggregators,262626, accessed REST API 2018-04-06

and Routeviews’ data set to annotate each probe with the IPv4 space of its AS.