You're looking at Less Wrong's discussion board. This includes all posts, including those that haven't been promoted to the front page yet. For more information, see About Less Wrong.

Douglas_Knight comments on Open thread, Feb. 9 - Feb. 15, 2015 - Less Wrong Discussion

6 Post author: MrMind 09 February 2015 09:12AM

You are viewing a comment permalink. View the original post to see all comments and the full post content.

Article Navigation

Comments (321)
Tags: open_thread

Comments (321)

You are viewing a single comment's thread. Show more comments above.

Comment author: gwern 10 February 2015 07:20:37PM *  8 points [-]

That's both wasteful on bandwidth as everything is downloaded twice, and anything not public needs to be done manually with cookies.

But it's dead-simple and robust compared to some sort of in-browser extension which saves the rendered DOM in the background.

He also can't prove that they came from a site even if it used https.

I've never needed to prove that. My concern is usually having a copy at all, and the IA is trusted enough that it's a de facto proof.

But it's possible:

  1. find a download tool which will save the raw bit-level TCP/IP stream of packets when you download a page and save it to an appropriate format like a PCAP file (maybe Wireshark supports this or it could be hooked into something like wget?); this preserves the HTTPS encryption and allows proving that the content came signed with the domain's key (not that this means much), since the crypto can be checked to be valid and the stream replayed.
  2. This doesn't prove it came from the domain at a particular time, but you can get timestamping using a trusted timestamping service such as the Bitcoin blockchain: as soon as the PCP file is closed and the webpage downloaded, take the hash and send a satoshi to the equivalent Bitcoin address. Transaction fees mean that this might get expensive to do for each web page, but there are a lot of ways you could optimize this (such as batching up an entire day's worth of downloads into a single tarball archive, and timestamping that; big savings but also more granular timestamp; there are other schemes). Now you can prove the content came from someone with a particular HTTPS public key and that you downloaded it on or before a particular hour and date (roughly when the Bitcoin block with your transaction will be mined).

If anyone doubts you, they can take the relevant tarball, verify the hash and timestamp to when you say it was, then extract the relevant PCAP, verify the encryption, and then the displayed content.

Good luck.

Comment author: Douglas_Knight 12 February 2015 01:40:27AM 3 points [-]

Simply sniffing https packets is worthless. At most it tells you the length of the session. It's exactly the adversary that TLS is designed to foil. You need the session key to decrypt it, so, you need to hook into the TLS implementation.

Comment author: gwern 05 November 2015 01:01:01AM *  2 points [-]

It seems someone has done the TLS hooking: TLSNotary. Whitepaper:

‘TLSnotary’ allows a client to provide evidence to a third party auditor that certain web traffic occurred between himself and a server. The evidence is irrefutable as long as the auditor trusts the server’s public key. The remainder of this paper describes how TLSnotary allows the auditee to conduct an https session normally with a web server such that the auditor can verify some part of that session (e.g. a single HTML page), by temporarily withholding a small part of the secret data used to set up the https session. The auditee does not at any time reveal any of the session keys to the auditor or anyone else, nor does he render or decrypt any data without authentication. Thus the full security model of the TLS 1.0 session is maintained, modulo some reduction in the entropy of the secrets used to protect it. Notes to the reader: As of this writing, TLSnotary is only compatible with TLS 1.0 and 1.1, not TLS 1.2

...In summary, the purpose of this rather complex sequence of steps is: the auditor withholds some of the secret data from the auditee (acting as client), so that the auditee cannot fabricate traffic from the server (since at the time of making his request, he does not have the server mac write secret). Once the auditee has a made a commitment to the encrypted content of the server’s response to his request, the auditor can provide the auditee with the required secret data in order to construct the server mac write secret. Then, the auditee can safely complete the decryption and authentication steps of the TLS protocol, since at that point he has the full master secret. In this way, the auditee maintains the full TLS security model, although he was prevented from creating a fake version of the post-handshake traffic from the server - something he is always able to do if he has the full master secret in advance.

Seems it requires an active and online auditor server (which is far from ideal), but if someone were to run such a trusted auditor, then you get your HTTPS provability and can timestamp it as before.

Comment author: Douglas_Knight 05 November 2015 04:51:55PM 0 points [-]

I think that the people who wrote the code are running a server.

I am surprised that it is possible for a browser plug-in to hook so deeply into the browser to accomplish this.

Comment author: Baughn 13 February 2015 12:39:51AM *  1 point [-]

Or make your own CA, install that certificate in your browser and MITM the connection. Probably easier than changing your browser's code; can easily be done all on a single system.

Comment author: gwern 12 February 2015 02:28:02AM 0 points [-]

Knew I forgot something.

Powered by Reddit Powered by Reddit