Aggregating Certificate Transparency Gossip Using Programmable Packet Processors

Abstract: Certificate Transparency (CT) logs are append-only tamper-evident data structures that can be verified by anyone. For example, it is possible to challenge a log to prove certificate inclusion (membership) and log consistency (append-only, no tampering) based on partial information. While these properties can convince an entity that a certificate is logged and not suddenly removed in the future, there is no guarantee that anyone else observes the same consistent view. To solve this issue a few gossip protocols have been proposed, each with different quirks, benefits, assumptions, and goals. We explore CT gossip below the application layer, finding that packet processors such as switches, routers, and middleboxes can aggregate gossip passively or actively to achieve herd immunity: (in)direct protection against undetectable log misbehaviour. Throughout the thesis we describe, instantiate, and discuss passive aggregation of gossip messages for a restricted data plane programming language: P4. The concept of active aggregation is also introduced. We conclude that (i) aggregation is independent of higher-level transparency applications and infrastructures, (ii) it appears most prominent to aggregate Signed Tree Heads (STHs) in terms of privacy and scalability, and (iii) passive aggregation can be a long-term solution if the CT ecosystem adapts. In other words, not all sources of gossip must be encrypted to preserve privacy.