As you are probably aware I am one of those people who don’t like their private data to be absorbed, analyzed and sold, so I am hosting most of the services I use over the network myself. Over the years, my Nextcloud instance has become the central instance for this as I host files I exchange there as well as my calendars and my address books. Also, I use it as a platform for private voice and video communication.
This is a great thing and the main threat vectors that remain are that my instance is hacked from the outside with a zero day exploit or someone gets to the data I have stored there with a https man-in-the-middle attack. Both require signification dedication, effort and resources. When I think about it, I feel most vulnerable on the https front as I do not control which certificates are accepted by the various applications on the PC and by apps on my mobile devices that interact with my Nextcloud instance.
In the past, I’ve been using HTTPS Public Key Pinning (HPKP) to add an extra layer of protection. As the scheme hasn’t really caught on over the years, I’ve been thinking a lot lately about the value Certificate Transparency (CT) provides to me. Time for a quick summary.
The nice thing about HPKP Key Pinning is that in theory I am in full control of the certificate. If all applications I use with Nextcloud would check if the certificate provided by the web server is the same as was previously pinned and stored, an adversary getting a valid certificate without my knowledge and using it would immediately alert me, as client applications would refuse to use it and produce an error message.
Unfortunately, HPKP has not really caught-on at the client side, as most apps, including my app for calendar and address book synchronization don’t use HPKP. Also, when I last checked, Firefox Mobile did not permanently store the pinning information and its implementation was thus useless. In the meantime, Google has even announced that they will discontinue HPKP support in their browsers in the not too distant future (or have perhaps already done so).
So overall, HPKP was a great idea for my purpose but I stopped using it a few weeks ago when I started using Letsencrypt for my Nextcloud instance, as keeping the same certificate over frequent signature renewals is painful. I would have jumped through the hoops but since most of the apps that access my Nextcloud instance don’t check the HPKP header anyway, I came to the conclusion that wasn’t much of a point to keep up with it anyway.
So HPKP never really made it and was not loved by anyone, except me and a few others perhaps. In the meantime, Google, Mozilla and others came up with Certificate Transparency (CT). Again, unfortunately, I don’t have control over my certificates as they are not pinned down and checked automatically.
However, I can at least become aware when somebody has issued a certificate for my domain name to play tricks on me. This is because Google now requires certificates to be registered in at least two Certificate Transparency logs. If a certificate is not in at least two logs, Chrome refuses to proceed. This is nice as even if you have very deep pockets, its not possible anymore to get a certificate without log entries that is accepted by Chrome. And if they put a rouge certificate into the logs, I can find out about it later. Crt.sh, for example, lets anyone check things easily.
A lot of my apps probably won’t bother about CT either, but at least I will know if somebody has issued a certificate from my domain after the fact. So from that point of view it’s a bit better than HPKP, but unfortunately still not by much for my scenario.
The good news is that there are actually some apps I use in which I can manually pin my certificates: DavDroid I use for calendar and address book synchronization can be configured to distrust all certificates and when I change my certificate once every three months, I have to confirm the new certificate on my device before it synchronizes again. The same goes for ‘Converstations’, my XMPP client. The Nextcloud Notes App on Android also has an option to distrust system certificates but even when I activate it, it doesn’t ask me to confirm my certificate. So I’m not sure its really working there.
I would have loved to see HPKP become more popular and be implemented in non-browser apps as well, as no special settings would have been necessary on the client side. But at least I can pin certificates in applications that run in the background which would probably expose a man-in-the-middle attack before I open a browser and be more exposed. Still, it leaves too many loopholes and I hope this is not the end of the story.
P.S.: And in case you wonder how web browsers know that a certificate is stored in at least two logs: There are several options, but the easiest and fastest, used by Letsencrypt, for example, is to include proof as part of the signed certificate that is sent to the browser on connection establishment. Here’s the Certificate Transparency (CT) part of the current certificate that protects this blog:
CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1(0) Log ID : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9: AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64 Timestamp : Jun 8 20:19:37.877 2018 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:10:E1:02:4B:E5:86:E3:B6:F8:1E:05:1C: F6:A6:F7:F6:1A:9B:61:13:B5:C5:73:AC:67:A1:38:57: 6B:EB:9D:C7:02:20:74:98:C9:1A:14:7D:FE:3C:DF:BC: DB:E7:34:AD:C3:23:5A:15:CC:18:6D:9D:07:48:44:F1: 85:82:5E:5A:EB:1D Signed Certificate Timestamp: Version : v1(0) Log ID : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7: 6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78 Timestamp : Jun 8 20:19:37.893 2018 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:AB:08:DD:D1:A6:B9:53:26:50:1C:43: BB:62:12:5F:B5:32:7F:C4:D3:F2:0E:1E:62:F0:89:97: DD:EC:21:7F:69:02:21:00:8A:09:D9:12:63:4C:14:03: BF:E9:D9:AF:BD:95:28:24:99:13:93:C1:A7:9B:8A:4F: 45:4B:3A:0D:E7:ED:3E:38
Note: Firefox doesn’t show this part yet when you take a closer look at the certificate, but you can export the certificate into a file and then dump the contents into this web page.