Closed milahu closed 7 months ago
because TLS itself does not provide data integrity
TLS does provide data integrity, but only between the Client and Server.
And yes, it's true that TLS does not provide non-repudiation.
TLSNotary modifies the client side of the connection using multi-party computation in order to provide the properties claimed on the website. The crux of how this works is in the 3-party key exchange. This provides data provenance/authenticity because the Client/Prover is not in possession of the Server MAC key.
By "fully trustless proofs" we are referring to having no trust assumption between the Prover and Verifier. There is still trust in the TLS certificate chain, ie the certificate authorities, as with any TLS connection.
By "fully trustless proofs" we are referring to having no trust assumption between the Prover and Verifier.
does "no trust assumption between the Prover and Verifier" mean that the verifier is forced to play a passive role? so the verifier cannot initiate requests?
so prover and verifier can still collude to create fake proofs (obviously) so we still need multiple verifiers (which can still collude...)
The crux of how this works is in the 3-party key exchange. This provides data provenance/authenticity because the Client/Prover is not in possession of the Server MAC key.
The Prover is not solely capable of constructing requests, nor can they forge responses from the Server.
so the verifier works like a man-in-the-middle between prover and server effectively breaking the "symmetric encryption with a shared key" property of TLS but from the TCP traffic flow, the prover is the man-in-the-middle between server and verifier
nice idea : ) but for my app (p2p web scraper) it will be better to use a https proxy or vpn server as a tunnel because a passive verifier-role would be too limiting for my app
Hi :wave:
does "no trust assumption between the Prover and Verifier" mean that the verifier is forced to play a passive role? so the verifier cannot initiate requests?
Yes, the verifier does not initiate any requests. No trust assumption means, that the verifier will verify the correctness of the encrypted TLS traffic, the certificate chain, as well as some application-specific assertions over parts of the plaintext, all by himself.
so prover and verifier can still collude to create fake proofs (obviously) so we still need multiple verifiers (which can still collude...)
What you refer to is probably this setup. In this setup there is the trust assumption that prover and notary do not collude. If you do not trust the credibility of a single notary you could indeed require multiple different notaries.
so the verifier works like a man-in-the-middle between prover and server effectively breaking the "symmetric encryption with a shared key" property of TLS but from the TCP traffic flow, the prover is the man-in-the-middle between server and verifier
I would avoid calling it man-in-the-middle, because this is exactly what it is not. The three-party handshake breaks the TLS key into two parts, one for the prover and the other one for the verifier. The prover with the help of the verifier communicates with the server and forwards all (encrypted) traffic to the verifier. Because the prover does not have the full TLS key he has to cooperate with the verifier for encrypting requests and decrypting responses to/from the server.
in what situation would a "fully trustless proof" work?
"fully trustless proof" sounds like an impossible task because TLS itself does not provide data integrity TLS provides only session key integrity
sounds like this would require the server to provide data integrity by providing signatures of the sent data
tlsnotary.org says
this is already a hard task...
see also
Does a trace of SSL packets provide a proof of data authenticity?
Is it possible to store / record HTTPS client auth traffic as a signed document?
Validate HTTPS traffic at later time