← Back to blog

An Append-Only Log Can Lie by Forking

A hash chain cannot rewrite the past. It can still keep two perfect histories and show each observer the one it wants to see. The fix has a name, a theory, and a deployment record almost nobody talks about.

Published July 2026 · 10 min read

In the summer of 2011, someone quietly obtained a valid certificate for *.google.com from a small Dutch certificate authority called DigiNotar. For weeks, that certificate sat in the middle of other people's Gmail sessions. When the forensics firm Fox-IT reconstructed the damage (their report is titled Operation Black Tulip), they counted 531 rogue certificates and found that roughly 300,000 IP addresses, almost all in Iran, had checked the validity of the fake Google certificate while it was live. The attack wasn't caught by any auditor, any CA process, or any log. It was caught because Google had hard-coded its own keys into Chrome, and one user in Iran posted the resulting warning to a help forum. Within a month, DigiNotar was bankrupt.

The security industry's answer to DigiNotar became Certificate Transparency: RFC 6962, published in 2013 by Ben Laurie, Adam Langley, and Emilia Kasper at Google. The idea is beautifully blunt. Every certificate ever issued gets appended to public, cryptographically verifiable, append-only logs. A certificate that isn't in the logs doesn't get trusted. A fraudulent certificate that is in the logs is sitting in public view, where the domain's real owner can spot it. No more secret certificates; the record sees everything.

Append-only Merkle logs have since become the reflex answer whenever software people need a trustworthy record: certificate logs, package and binary transparency, key directories, supply-chain attestations, audit trails for AI agents. The reflex is grounded in real cryptography, because these structures genuinely cannot be silently rewritten. But there is a gap between what the cryptography proves and what we casually believe it proves, and the gap has a name, an attack, a twenty-year-old theory, and a fix that almost nobody deploys.

The gap is this: an append-only log cannot lie about the past, but it can lie by forking, by maintaining two internally perfect histories and showing you the one it wants you to see.

What the hash chain actually promises

Start with what the cryptography really does, because the strength of the true claim is what makes the false claim so seductive.

In a Merkle hash chain or tree, every entry is hashed, and every subsequent state commits to everything before it. If anyone alters entry five, every hash after entry five stops matching. Given a signed tree head, a compact digest of the whole log, you can demand an inclusion proof (“entry X is in this tree”) and a consistency proof (“this tree is an append-only extension of the tree you saw yesterday”). Both proofs are small, fast, and unforgeable. This is tamper-evidence, and it is real. Within a single history, the past is fixed.

Now look at what every one of those proofs has in common: they are all statements about one tree, verified by one observer. Your inclusion proof says your entry is in the tree you were shown. Your consistency proof says the tree you were shown today extends the tree you were shown yesterday. Nothing in the mathematics, nothing at all, says that the tree you were shown is the tree anyone else was shown.

A dishonest log operator doesn't need to rewrite history. It can simply keep two histories. Yours contains the entry that placates you; the world's omits it. Both are flawless append-only Merkle trees. Every proof you request will verify. Every proof anyone else requests will verify. Each observer, checking alone, sees a perfect log. The lie doesn't live in either history. It lives in the space between observers, exactly where no local verification can ever reach.

In Certificate Transparency this is called a split-view attack, and it defeats the whole point of the system: a compromised log shows the victim a tree in which the fraudulent certificate is properly logged (so the victim's browser accepts it), while showing the domain owner and the monitors a clean tree (so nobody raises an alarm). RFC 6962 knew about it from the start. The fix it names is the subject of this essay.

The one-way door

The theory here is older than Certificate Transparency, and it's one of the most elegant results in systems security. In 2004, Jinyuan Li, Maxwell Krohn, David Mazières, and Dennis Shasha built SUNDR, a network file system designed to run on a server you don't trust, and asked what integrity guarantee is even possible in that setting. The answer they proved out is called fork consistency, and it has a shape worth memorizing.

An untrusted server can always equivocate, showing client A one state and client B another. You cannot cryptographically prevent it. What you can do is arrange the protocol so that the moment the server forks two clients' views, it can never merge them back together. Serving A something B didn't see commits the server to maintaining separate, diverging universes for A and B forever, faking each one consistently until the end of time. The fork is a one-way door. And that means the fork is detectable, guaranteed, the first time A and B ever compare notes through any channel the server doesn't control.

Read that guarantee carefully, because both halves matter. The strong half: one conversation between two forked observers, ever, and the lie is exposed, not as suspicion but as proof. The weak half: a client who never compares notes with anyone can be forked silently, forever, with no cryptographic tripwire. The security property is not in the data structure. It's conditional on communication. The academic literature states this with unusual crispness. A 2019 CCS paper by Alin Tomescu and colleagues lays the two layers side by side: tamper-evidence keeps any single history honest, while fork consistency ensures that once two users have been shown different digests they must be shown different digests forever, which is exactly what lets users gossip to detect forks.

There's the word: gossip. The trust layer of every transparency system is not the Merkle tree. It's observers telling each other what they saw.

The part everyone shipped, and the part nobody did

In Certificate Transparency, gossip means exchanging signed tree heads. An STH is the log's own signed statement: “at size N, my root hash is R.” If any two parties can produce two validly signed STHs from the same log, at the same tree size, with different root hashes, that is non-repudiable, court-grade proof of equivocation. Not evidence of a glitch; a signature on each half of a contradiction. One comparison, and a lying log is dead.

Which makes the deployment history uncomfortable. RFC 6962 explicitly deferred the gossip mechanism to a separate future document, and that future document never hardened into a deployed standard. For years, the ecosystem ran with the tamper-evident half fully shipped (browsers demanding logged certificates, logs serving beautiful proofs) while the anti-equivocation half, the one mechanism that actually catches a split view, existed as drafts, research prototypes, and partial vendor infrastructure. The system everyone cited as “cryptographically trustworthy” was, for its trust-critical property, running substantially on the assumption that log operators wouldn't try it, an assumption backed by reputations and audits rather than by the math everyone thought was doing the work. (The situation has improved. CT v2 in RFC 9162, monitor infrastructure, and witness networks have grown up around the gap, but the years-long lag is the instructive part.)

I want to be fair to the cryptographers here, because the overclaim isn't theirs. The careful papers never said append-only meant globally consistent; “immutable therefore trustworthy” is the popular reading, the one that creeps into architecture decks and compliance checklists. The precise claim was always: proofs against a single view. The imprecise belief, that a hash chain by itself makes a record honest, is how you end up shipping the easy 90% of a trust system and skipping the load-bearing 10%.

How expensive equivocation really is

If you want a measure of just how central this one trick of telling different audiences different stories is to the whole problem of trust, there's a remarkable result from Byzantine fault tolerance. The classic bound, proved in the 1980s, says a distributed system can survive arbitrary (Byzantine) misbehavior only if fewer than one-third of its nodes are faulty. That third is the tax equivocation charges: the protocols burn most of their machinery on the possibility that a faulty node says “yes” to one peer and “no” to another.

In 2007, Byung-Gon Chun and colleagues built A2M, Attested Append-Only Memory, a tiny trusted log with one job: a node can only ever say one thing, because everything it says gets sequenced into an attested append-only record. Nodes physically can't equivocate. With just that primitive added, the fault bound moves from less than a third to less than a half, and for safety alone, to less than two-thirds. Remove the ability to fork your story, and the hardest problem in distributed computing gets dramatically easier. That's the price tag: equivocation isn't a problem in distributed trust, it's the problem, worth building special hardware just to delete.

Blockchains, seen through this lens, are the brute-force purchase of the same property. A double-spend is precisely an equivocation, telling one branch of the network the coin went left while telling another it went right. Nakamoto consensus is a planetary-scale, energy-priced gossip protocol whose entire output is one shared history; the famous 51% attack is simply what it costs to overpower the anti-forking layer. And the same problem, in quieter clothes, sits inside your messaging apps: a key-directory server that hands an attacker's public key to you and your real key to everyone else has forked its story about who you are. CONIKS, the 2015 work that seeded today's “key transparency” deployments, is the same medicine again: signed digests of the directory, and users cross-checking them.

One flaw. One fix. Everywhere.

Two sets of books

Here's why this belongs in the trust literature and not just the systems literature: the split-view attack is the cryptographic form of the oldest fraud there is.

Keeping two sets of books works precisely because each auditor sees one internally consistent set. The politician's donor pitch and stump speech work because the audiences don't attend each other's meetings. The con artist's marks each hold a story that checks out against itself. In every case the lie is invisible to the isolated observer, no matter how diligent, because the isolated observer is verifying consistency, and consistency is exactly what the liar is happy to provide, separately, to each of you.

And the social fixes are gossip protocols. Investigative journalism is cross-checking sources, collecting STHs from observers who weren't supposed to compare. A whistleblower is a node leaking one fork's history into the other fork. Public records, mandatory disclosures, adversarial audits: institutionalized digest-exchange. Societies learned, long before Merkle trees, that a record does not create trust, however official and however beautifully bound. A community that compares records creates trust. The ledger's authority was never really the ink; it was everyone in the market square seeing the same ledger.

That's the deep lesson the cryptography ends up re-teaching: transparency without gossip is theater. A published log that no independent parties cross-check is a stage prop. It performs accountability to each viewer individually while guaranteeing nothing between them.

The checklist: who compares digests?

The practical payoff is a single question you can ask of any system that claims an immutable audit trail: a compliance log, a model-training provenance chain, an AI agent's action record, a package registry, your own product's “tamper-proof” feature. The question is not “is it append-only?” It's: who compares digests, with whom, and over what channel the log operator doesn't control?

Concretely, four properties to demand, in increasing order of strength:

  1. Signed checkpoints, published where they can't be retracted. The log must regularly emit signed tree heads, and they must land somewhere the operator can't quietly vary per-audience: a widely mirrored feed, another organization's log, a newspaper if you're old-school. A digest shown only on the operator's own endpoint can be forked per-viewer like everything else.
  2. Independent witnesses. At least two parties who don't share the operator's incentives must fetch, store, and compare those checkpoints. This is now recognized infrastructure. The transparency ecosystem (the same open-source machinery, like Google's Trillian, that runs CT and key-transparency logs) has grown explicit witness networks whose whole job is co-signing checkpoints they've verified consistent. Two witnesses that compare notes convert “tamper-evident” into “can't equivocate without being caught.”
  3. Mandatory consistency proofs between checkpoints. Every client, on every sync, should verify that today's tree extends yesterday's, so a fork, once entered, must be maintained forever against that client. That's the SUNDR one-way door: it makes eventual detection a certainty rather than a hope.
  4. An alarm with teeth. Decide in advance what happens when two conflicting signed heads surface. The beauty of the construction is that this evidence is self-authenticating (two signatures, one contradiction), so the response can be automatic and ruthless: distrust the log, roll the keys, publish the proof.

And carry the honest edges with you. Detection is not prevention, because a forked victim may be exploited before any comparison happens, so gossip frequency is a security parameter, not a nicety. Gossip has a privacy cost: in CT, naively sharing which tree heads you've seen can leak which sites you visit, and real designs must manage that tension. And the exotic escapes, trusted hardware like A2M, or global consensus, don't remove the trust assumption; they relocate it, to an attestation key or a majority of stake. There is no purely local, purely cryptographic route to non-equivocation. Someone has to talk to someone.

Which is, in the end, a rather humane conclusion for a security result. The math can seal the past; it cannot make an authority tell everyone the same story. Only an audience that compares notes can do that, in TLS, in messaging, in bookkeeping, in journalism, in every institution that has ever been audited. Build the log, by all means. Then build the conversation around it, because that's where the trust actually lives.

Building an audit trail for an AI agent? Ask the checklist question of your own log first. Chain-of-Consciousness gives an agent a signed, append-only record of what it decided and why, structured so independent parties can fetch and compare checkpoints rather than take one operator's word for the history.

Install it:

pip install chain-of-consciousness
npm install chain-of-consciousness

Or use the managed version, with checkpoints published where you don't have to run the infrastructure yourself: Hosted Chain-of-Consciousness.

Sources

Fox-IT (2011–2012). Operation Black Tulip / Black Tulip Report, the DigiNotar breach investigation (531 rogue certificates; ~300,000 mostly-Iranian IPs contacting the rogue *.google.com certificate's OCSP).

Laurie, B., Langley, A., & Kasper, E. (2013). Certificate Transparency. IETF RFC 6962 (gossip mechanism explicitly deferred); updated by RFC 9162, Certificate Transparency Version 2.0 (2021).

Li, J., Krohn, M., Mazières, D., & Shasha, D. (2004). “Secure Untrusted Data Repository (SUNDR).” OSDI 2004, fork consistency; forked views can never be merged back.

Chun, B.-G., Maniatis, P., Shenker, S., & Kubiatowicz, J. (2007). “Attested Append-Only Memory: Making Adversaries Stick to Their Word.” SOSP 2007, eliminating equivocation raises the Byzantine fault bound from <1/3 to <1/2 (<2/3 safety-only).

Melara, M. S., Blankstein, A., Bonneau, J., Felten, E. W., & Freedman, M. J. (2015). “CONIKS: Bringing Key Transparency to End Users.” USENIX Security 2015.

Tomescu, A., Bhupatiraju, V., Papadopoulos, D., Papamanthou, C., Triandopoulos, N., & Devadas, S. (2019). “Transparency Logs via Append-Only Authenticated Dictionaries.” ACM CCS 2019, tamper-evidence vs fork consistency, and gossip as the fork detector.

Trillian / transparency.dev, the open-source append-only log engine and witness ecosystem behind Certificate Transparency and key-transparency deployments.