A few questions regarding SmartScreen for Certificates as an alternative to Certificate Transparency.

Microsoft recently announced that they will begin applying their SmartScreen technology to detect fraudulent digital certificates:

Although Microsoft claims there is room for both, and I agree, there is definitely something in their claims about the privacy properties of SmartScreen for Certificates that seems critically aimed in the direction of CT.  Without a doubt, the SmartScreen announcement is serving as ammunition for members of the Certificate Authority community who don’t want to do the work required for CT.

I think SmartScreen for Certificates is an unabashedly good thing – but only if it is not seen as a replacement for, or a way to derail, CT.  To illustrate that, I want to raise a few questions and issues about how well a technology like SmartScreen can really protect the certificate ecosystem.

1) Partitioning.  SmartScreen is a great choice for phishing or downloads of mass malware.  The adversary there is assumed to simply be a remote server the victim has been directed to and not in a position to block the victim’s access to the SmartScreen service.  This is not the case for many adversarial situations involving certificates.  Often the adversary may be a “Dolev-Yao” attacker, able to completely partition the victim and prevent access to SmartScreen services.  The Iranian victims of the DigiNotar incident were in this situation.

2) Sensitivity.  The kind of behavioral analytics that are possible means it will be difficult to detect attacks that are either highly targeted or completely ubiquitous: a one-off certificate seen by a single victim and a fraudulent certificate seen everywhere both look unremarkable to a reputation system.

3) Opt-Out.  Many organizations opt out of providing data back to Microsoft.  The more security-sensitive the organization, the more likely it is to do so, but also the more likely it is to be a target of attack.  SmartScreen is blind to targeted attacks against these organizations.

4) Non-Browser Applications.  The SmartScreen model relies on prompting the user that a potentially malicious download or connection has been blocked.  The “Web” PKI is used for much more than the web, however.  It’s not clear that there are good ways to apply the fuzzy metrics derived from SmartScreen to non-interactive services, or even semi-interactive ones like email.

5) Coerced Issuance.  Stopping this threat may not be Microsoft’s concern, but it is a concern of many.  If an agency like the NSA is able to legally coerce a CA in its jurisdiction to issue a fraudulent certificate, it may equally be able to coerce Microsoft to fail to report it as such.