SlideShare a Scribd company logo

Balancing Customer Privacy with Transparency

Download as PPTX, PDF
P
pzb

This document discusses balancing customer privacy with transparency in certificate transparency. It outlines how certificate transparency logs publicly disclose certificate information. It also describes client support for certificate transparency and options under consideration to protect privacy, such as using wildcards or name constrained certificates. The document notes various use cases where privacy is important, such as binding domain names to entities or protecting personally identifiable information. It discusses technical implementations for DNS privacy like private DNS subtrees or split horizon DNS.

Technology
1 of 8
Download to read offline
1
2
3
4
5
6
7
8
Balancing Customer Privacy with Transparency
Certificate Transparency: RFC 6962 The CT log (public database) contains either a copy of the full certificate or a “pre-certificate” which contains all the elements of the certificate except embedded CT information.
Client support • Mozilla Firefox – 2017 • Apple – iOS 10 and macOS Sierra allows applications to require CT • Chrome – EV since 2015, all new certs starting Oct 2017 • OpenSSL 1.0.2 (no validation, just parsing) Mozilla and Apple have not yet published information on which logs they trust or policy on accepting logs
Information Disclosure • Fully Qualified Domain Names • secret.projects.example.com • Subject Attributes • Individual names • Addresses • Company affiliation • Association with CA • Corporate CA issuing any kind of certificate for a domain may be informative (metadata FTW)
RFC 6962-bis (bis is French for again or encore) Calls out two options for privacy 1. Use wildcards (allows privacy for left most label) 2. Use Name Constrained subordinate CAs Separate Draft proposes a third option 3. Pre-certificates with some subject information omitted Choosing a certificate profile with less subject information is also an option.
Use cases for privacy • Binding of domain name to corporate entity (domain name uses proxy registration) • PII in certain certificate types (Qualified?) • Overly descriptive labels in FQDNs (provides a blueprint of network topology) • Disclosure of confidential projects (e.g. newthing.example.com or fordacquisition.gm.com) – may become public at a future point
Technical Implementations of DNS Privacy • Private DNS subtree (e.g. corp.example.com subtree is permanently private) • Split Horizon DNS (e.g. two copies of the DNS zone) • DNSSEC added NSEC3 to avoid disclosure of record names to address similar concerns
IETF Public Notary Transparency (“trans”) WG https://datatracker.ietf.org/wg/trans/charter/ https://www.ietf.org/mailman/listinfo/trans

More Related Content

PDF
Red Office Documents Security Proposal
Zhi Guan
 
PPTX
Andres
KATEKO1208
 
PDF
02 - Blockchain Technology - Blockchain Security
ITROOS
 
PDF
01 - Blockchain technology - Basics
ITROOS
 
PPT
Ch32
bitistu
 
PDF
Magento 2 Seminar - Andra Lungu - API in Magento 2
Yireo
 
PDF
HTTP OW 3000 mVt(3Vt) zelenaya lazernaya ukazka vodozashchishchennaya portati...
HTPOWLASER.RU
 
PPTX
Plan anual de trabajo
telesecundaria0422q
 
Red Office Documents Security Proposal
Zhi Guan
 
Andres
KATEKO1208
 
02 - Blockchain Technology - Blockchain Security
ITROOS
 
01 - Blockchain technology - Basics
ITROOS
 
Ch32
bitistu
 
Magento 2 Seminar - Andra Lungu - API in Magento 2
Yireo
 
HTTP OW 3000 mVt(3Vt) zelenaya lazernaya ukazka vodozashchishchennaya portati...
HTPOWLASER.RU
 
Plan anual de trabajo
telesecundaria0422q
 

Viewers also liked (11)

DOCX
Fall 2016 State of the Arts NYC Newsletter
West Harlem Art Fund
 
PPTX
spring bed double
bagus springbed
 
PPTX
Flyinbuy español jose luis jimenez moreno
Jose-Luis Jimenez-Moreno
 
PPTX
Sistema endocrino
Miriam Sotelo
 
PPTX
Gasto cardiaco
Miriam Sotelo
 
PPTX
Feminicidio
scarleth_12
 
PPTX
Circulación
Miriam Sotelo
 
DOCX
AFINTINNI's R.resume
Tobi Davids. A
 
PPT
La Isla de los Caimanes
tifgarcia
 
PDF
Colores de la carta
Scratsh Sama
 
PPT
Exposicion planetas de ondas circulares
wilmersabalatorrealba
 
Fall 2016 State of the Arts NYC Newsletter
West Harlem Art Fund
 
spring bed double
bagus springbed
 
Flyinbuy español jose luis jimenez moreno
Jose-Luis Jimenez-Moreno
 
Sistema endocrino
Miriam Sotelo
 
Gasto cardiaco
Miriam Sotelo
 
Feminicidio
scarleth_12
 
Circulación
Miriam Sotelo
 
AFINTINNI's R.resume
Tobi Davids. A
 
La Isla de los Caimanes
tifgarcia
 
Colores de la carta
Scratsh Sama
 
Exposicion planetas de ondas circulares
wilmersabalatorrealba
 
Ad

Similar to Balancing Customer Privacy with Transparency (20)

PPTX
CryptoStandards and protocols for digital secure communications
bipinbhattarai12
 
PPT
E-mail Security in Network Security NS5
koolkampus
 
PPT
ITE v5.0 - Chapter 6
Irsandi Hasan
 
PPTX
Ccna v5-S1-Chapter 10
Hamza Malik
 
PPTX
9. Application Layer9. Application Layer.pptx
FutureTechnologies3
 
PPTX
Parallel and distributed computing .pptx
AmnaNadeem27
 
PPTX
Chapter 10 : Application layer
teknetir
 
PDF
CCNAv5 - S1: Chapter 10 Application Layer
Vuz Dở Hơi
 
PDF
Network security cs9 10
Infinity Tech Solutions
 
PPT
unit6.ppt
Srinivas Devulapalli
 
PDF
CNS - Unit v
ArthyR3
 
PDF
Oci meetup v1
RaphaelCampelo
 
PDF
Oracle Cloud Infraestructure Update
RaphaelCampelo
 
PDF
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
Mike Schwartz
 
PPTX
Lecture Notes- Network Services - Copy.pptx
SaqibAhmedKhan4
 
PPTX
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Positive Hack Days
 
PDF
Lec 8.pptx.pdf
ssuserbab2f4
 
PDF
Storage Made Easy - File Fabric Use Cases
Hybrid Cloud
 
PPT
The Application Layer is the topmost layer of the OSI (Open Systems Interconn...
FawadKhanFacultyEEDB
 
PDF
aMS Aachen -Personal and confidential data - how to manage them in M365 2022-...
Sébastien Paulet
 
CryptoStandards and protocols for digital secure communications
bipinbhattarai12
 
E-mail Security in Network Security NS5
koolkampus
 
ITE v5.0 - Chapter 6
Irsandi Hasan
 
Ccna v5-S1-Chapter 10
Hamza Malik
 
9. Application Layer9. Application Layer.pptx
FutureTechnologies3
 
Parallel and distributed computing .pptx
AmnaNadeem27
 
Chapter 10 : Application layer
teknetir
 
CCNAv5 - S1: Chapter 10 Application Layer
Vuz Dở Hơi
 
Network security cs9 10
Infinity Tech Solutions
 
unit6.ppt
Srinivas Devulapalli
 
CNS - Unit v
ArthyR3
 
Oci meetup v1
RaphaelCampelo
 
Oracle Cloud Infraestructure Update
RaphaelCampelo
 
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
Mike Schwartz
 
Lecture Notes- Network Services - Copy.pptx
SaqibAhmedKhan4
 
Обнаружение вредоносного кода в зашифрованном с помощью TLS трафике (без деши...
Positive Hack Days
 
Lec 8.pptx.pdf
ssuserbab2f4
 
Storage Made Easy - File Fabric Use Cases
Hybrid Cloud
 
The Application Layer is the topmost layer of the OSI (Open Systems Interconn...
FawadKhanFacultyEEDB
 
aMS Aachen -Personal and confidential data - how to manage them in M365 2022-...
Sébastien Paulet
 
Ad

Recently uploaded (20)

PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Teaching material agriculture food technology
LiaRayya
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Approach and Philosophy of On baking technology
30anthuong17
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
KodekX | Application Modernization Development
KodekX
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 

Balancing Customer Privacy with Transparency

  • 2. Certificate Transparency: RFC 6962 The CT log (public database) contains either a copy of the full certificate or a “pre-certificate” which contains all the elements of the certificate except embedded CT information.
  • 3. Client support • Mozilla Firefox – 2017 • Apple – iOS 10 and macOS Sierra allows applications to require CT • Chrome – EV since 2015, all new certs starting Oct 2017 • OpenSSL 1.0.2 (no validation, just parsing) Mozilla and Apple have not yet published information on which logs they trust or policy on accepting logs
  • 4. Information Disclosure • Fully Qualified Domain Names • secret.projects.example.com • Subject Attributes • Individual names • Addresses • Company affiliation • Association with CA • Corporate CA issuing any kind of certificate for a domain may be informative (metadata FTW)
  • 5. RFC 6962-bis (bis is French for again or encore) Calls out two options for privacy 1. Use wildcards (allows privacy for left most label) 2. Use Name Constrained subordinate CAs Separate Draft proposes a third option 3. Pre-certificates with some subject information omitted Choosing a certificate profile with less subject information is also an option.
  • 6. Use cases for privacy • Binding of domain name to corporate entity (domain name uses proxy registration) • PII in certain certificate types (Qualified?) • Overly descriptive labels in FQDNs (provides a blueprint of network topology) • Disclosure of confidential projects (e.g. newthing.example.com or fordacquisition.gm.com) – may become public at a future point
  • 7. Technical Implementations of DNS Privacy • Private DNS subtree (e.g. corp.example.com subtree is permanently private) • Split Horizon DNS (e.g. two copies of the DNS zone) • DNSSEC added NSEC3 to avoid disclosure of record names to address similar concerns
  • 8. IETF Public Notary Transparency (“trans”) WG https://datatracker.ietf.org/wg/trans/charter/ https://www.ietf.org/mailman/listinfo/trans