Lost and Found Certificates

Video in TIB AV-Portal: Lost and Found Certificates

Formal Metadata

Lost and Found Certificates
Alternative Title
Dealing with Residual Certificates for Pre-owned Domains
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
When purchasing a new domain name, you would expect that you are the only one who can obtain a valid SSL certificate for it; however, that is not always the case. When the domain had one or more prior owners, even several years prior, they may still possess a valid SSL certificate for it and there is very little you can do about it. Using Certificate Transparency, we examined millions of domains and certificates and found thousands of examples where the previous owner of a domain still possessed a valid SSL certificate for the domain long after it changed ownership. We will review the results from our ongoing large-scale quantitative analysis over past and current domains and certificates. We'll explore the massive scale of the problem, what we can do about it, how you can protect yourself, and a proposed process change to make this less of a problem going forwards. We end by introducing BygoneSSL, a new tool and dashboard that shows an up-to-date view of affected domains and certificates using publicly available DNS data and Certificate Transparency logs. BygoneSSL will demonstrate how widespread the issue is, let domain owners determine if they could be affected, and can be used to track the number of affected domains over time.
Let's have a warm DEFCON welcome for Ian Foster and Dylan Avery... Ayrey, sorry. Lost and Found Certificates. [Applause] So, just as a quick introduction: as mentioned, this is Ian, he's a motorcycle hobbyist and DNS nerd, and this is Dylan, an electrical bike enthusiast and cat owner. You say cat owner? Yeah. Basically, the problem that we're going to be talking about today is that an SSL certificate from a previous owner is still valid for the next owner of the domain. So the previous owner gets some real SSL certificate, which they're allowed to do for their domain; the domain either expires or transfers ownership; and then the new owner of the domain maybe doesn't realize that the previous owner still has a valid SSL certificate. And prior to 2013 there was really no way whatsoever to get any visibility of this. And really, when you think about it, it seems kind of silly that this is even an issue. As an example, we have here at the bottom: say Alice registers a domain name, in this case foo.com, for one year and gets an SSL certificate, in this case for three years, more than the one-year domain name registration. foo.com gets unregistered because Alice doesn't renew it, and then Bob later registers foo.com and gets his own SSL certificate, completely unaware that Alice's SSL certificate is still valid for his domain name and she can encrypt traffic to it. So in order to help try to identify these cases we have Certificate Transparency. This was created as a public, auditable log of all SSL certificates to help catch misbehaving certificate authorities. It's currently about half a billion certificates and growing. To identify this issue, it gives us way more visibility than we had before. So basically, the previous owner has an SSL certificate and it gets logged in CT; we can see it, and we know from that that there are still certificates for our domain that we don't have control of.
So we looked for really notable examples of this, and we were able to find some. One particular example is Stripe. If you're not familiar with Stripe, they're a really big online payment processor, and a large percentage of transactions that you may have conducted online on e-commerce websites may have actually used Stripe under the hood. What we found was that the previous owner of stripe.com still had a valid SSL certificate when Stripe bought it. Now, the crossover was relatively short, but it didn't have to be: it could have been a five-year cert, it could have been all the way up to today. So we tried to set
out to figure out how big this issue is. So we searched Certificate Transparency to look for certificates that overlapped multiple domain ownerships or registrations. The hard part is trying to figure out when a domain name changed hands. There's no easy way of doing this; the best we could do was look at historical WHOIS, historical name servers, and the Wayback Machine. We surveyed three million random domain names from the internet and their associated 7.7 million certificates, which makes up just about one percent of the entire internet. It's a fairly small study, but it should give an idea of what the whole internet looks like. We looked for changes like expiration date, email contact, and registrar changes to try to determine whether or not a domain name had changed hands. This type of analysis is not perfect; there are both false negatives and false positives, but it should still give us a good idea of what we're looking at. We found that in our dataset about 0.45 percent of the domain names had pre-existing SSL certificates, which extrapolated to the entire internet is about 1.5 million domain names. And of the certificates for these one and a half million domain names, about 25 percent have not expired and are still valid right now. So we're calling this problem BygoneSSL, which we're defining as an SSL certificate created before, and that supersedes, its domain's current registration date. This is just another way of saying that the SSL certificate spans multiple domain name registrations. So, could this be any worse? As you might know, a certificate can be valid for multiple domain names. In this case we have a certificate for both foo.com and bar.com. A certificate can be good for domain names that have changed ownership, and some of the domain names may not have changed ownership. In this example, bar.com has always had the same owner, and foo.com may have changed owners one or more times during the existence of this
certificate. So, if it's not immediately clear, a lot of CDNs will actually shove a whole bunch of customers on the same cert. In this kind of extreme case, we found one instance of a CDN putting 700 of their customers on a single certificate. We've made the decision to blur this out because this is still a valid issue, but if we were to show the domains used on the certificate, I promise everyone in this audience would recognize some of them. What we found was that the one unblurred domain there was actually currently unregistered: it expired and it was available for purchase. So basically we have two
options here of whether or not we can revoke these certificates. The question is, should we have the right to revoke these certificates? If you say no, then you can imagine shelling out a whole bunch of money for a new domain, maybe for your new startup, and you find that there's an old SSL certificate in CT that's going to last for another five years, and you can't do anything about it; you just have to live with that fact. You can imagine a scenario where a bad guy might squat on a whole bunch of desirable-looking domains and just selectively only give them out to e-commerce websites, maintain an SSL certificate, man-in-the-middle that traffic, and steal financial data. On the other hand, if you say yes, if you can revoke these certificates, you get these situations where certificates have both bygone domains on them and non-bygone domains on them. In a lot of cases they are still used in production, and if you give the new owner the right to revoke these certificates, then all of a sudden they have the power to denial-of-service the websites that are still using that certificate for legitimate reasons. So it's really a lose-lose scenario. So we dug a little deeper and we learned about the CA/Browser Forum. This is a group made up of representatives from both web browsers and certificate authorities who create the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, which is just a long document that specifies how CAs and browsers should operate so that the certificate authorities can be trusted by the web browsers. Inside this very long document, section 9.6.3, subsection 5, talks about revocation and reporting of revocation, and it does specify that if any information in a certificate becomes inaccurate or incorrect, the certificate authority must revoke the certificate. "Inaccurate", that's kind of an
ambiguous term. We found this other section though, 4.9.1.1, and this one in my opinion is a lot more explicit. It basically says if the domain name registrant fails to renew the domain name and the certificate authority is made aware of that, that certificate authority has to revoke the certificate within 24 hours. Now, we're caveating this with the fact that we were warned by CAB Forum members that this document is very ambiguous and sometimes self-contradictory; the people that draft this document are oftentimes lawyers, not actually engineers. That being said, to the best of our knowledge we have the right and the power to revoke these certificates, and we have the power to do so within 24 hours.
So, going back to the previous example of the certificate for foo.com and bar.com, where one domain name has changed owners and one has not: this now means that if bar.com is still using the certificate that was valid for foo.com and bar.com, the new owner of foo.com could reach out to bar.com's certificate authority and revoke their certificate and cause a denial of service, or at least their users will get an SSL warning. Looking at cases of this, where domains share a certificate with other domain names, the numbers skyrocket: about a 4 times increase, up to 7 million domain names on the internet potentially affected, about 2 percent. And of this sample set, about 41 percent, just under half, still haven't expired, are still valid and potentially still being used. So we can break stuff, like a lot of stuff. I had the power to revoke something like 3 million certificates, and the CAs had a legal obligation to do so within 24 hours. And most of those certificates, well, I should say a lot of those certificates, were still being used in production, so it would have broken all kinds of websites; a lot of the websites are definitely ones that you all are familiar with. So we thought that basically there's no real clean fix to this, so we have to just introduce a new class of vulnerability, and there are two flavors to this. The first flavor is the one that we first introduced: it's when you get a new domain and you notice, or don't notice, in the CT log that the previous owner still happens to have a valid SSL certificate. We're calling that variant the BygoneSSL man-in-the-middle variant. The other type is the type I was just talking about, which is the BygoneSSL denial of service, where you share a certificate, and are still using it, with an alt name which has expired or been acquired by someone else, and that gives them the power to revoke the certificate that you're using. If they were to do that, that would take down your site.
slides ago there was that CDN that shoved 700 customers on one cert. We now realize that if we bought that domain and reached out to the certificate authority, we could say, hey, the previous domain owner failed to renew, you have to revoke this thing, and we now have the power to revoke it and break 700 customers' websites. Now for a demo, I'm going to be tabbing over to an email client and in real time revoking the cert [unclear], but we totally have the power to do that. So for our
pre-recorded demo, we have a couple of certs here where we did reach out to the certificate authorities just to see whether or not they would actually revoke them. For the first example here on the left, for DigiCert, I should mention this cert had a subject alt name on it, and the subject alt name was using that certificate in production. We reached out, we said, hey, one of the domains on this certificate belongs to us, can you please revoke the cert? The way we framed the email, it seemed like we didn't own the other domain. Within 24 hours, DigiCert verified that we did own the one domain, didn't verify that we owned the other domain, and they had no problems revoking the cert. Another example here: we reached out to Amazon. I should mention also, usually certificates have a little field on them called the CPS contact, and the CPS contact is basically the email contact you want to reach out to when you want to revoke the certificate; that's the contact that starts the 24-hour timer when you reach out to it. So we did that for DigiCert. For Amazon, they actually didn't have a CPS contact on their certificate, and it's kind of hard to reach out to AWS if you're not a customer of AWS. So we tried to do this the best we could without actually creating an AWS account, and we found this public email, ec2-abuse@amazon.com, and that's the one we reached out to. It took a little bit of back and forth and a little bit of [unclear], but eventually that got us to the right certificate people. It took a couple weeks, but again they had no problem with revoking the certificate for us. So this is our pre-recorded demo that failed: we reached out to Comodo, and did the same thing, reached out to the CPS contact and asked them to revoke the certificate, and to this day they still haven't revoked the certificate. They basically said, you're not the original owner, you didn't generate that certificate, we're not going to pay attention to you at all.
And on the bottom there you can see they actually tried to use it as an upselling opportunity, saying, forget about the old certificate, we'll sell you a shiny new one, you can just forget about the one that the previous owner still has. So next we tried the
[unclear] using Let's Encrypt, which is a slightly different type of certificate authority. They use the ACME protocol to try to automate as much as they can with no human interaction. Currently, if you use the ACME protocol to try to revoke a certificate, they require you to prove ownership of every domain name in the certificate in order to actually make that revocation happen. So we reached out to their CPS contact and asked them about this. They specified that this is the current policy, that they require you to prove ownership of all domains in a certificate to revoke, and recognized that it is a slight conflict with the CA/Browser Forum, and that they are currently considering a change of policy to prevent this. There might
exist the case where someone has a certificate for a domain name that you might have, a domain name which you lost or acquired from them. So at current, with Let's Encrypt, we were not able to revoke the certificate, but it could be possible in future implementations. It's also worth pointing out that it won't be like a "24 hours while the CA reaches out" kind of thing. Because their whole system is real-time automated, if you use Let's Encrypt and one of your domains on your cert becomes bygone, instantly somebody on the internet will be able to revoke your certificate. Right? True. So now I'll talk about CertGraph. This is a tool I made a while ago; it's an open source intelligence gathering tool that crawls the graph of certificate alt names. It works like this: you give it a domain name, it finds all the SSL certificates for that domain name, gets all the alt names of all the certs, gets all the certificates for those alt names, and continues to grow and grow until you get a complete graph of all domain names and certificates for a given domain name or property. It was built with the idea of domain name enumeration for [unclear] targets, but it's very useful for trying to find domain names vulnerable to BygoneSSL denial of service as well. This is an example of a graph generated with this tool on the [unclear] website. So one
particular example we found of this was at Salesforce. So here we entered salesforce.com, it created this nice graph, and we end up at squarespace.com, which has nothing to do with Salesforce. This was because salesforce.com used to own do.com and lost that domain name somehow. Squarespace got it; not sure if it expired or transferred. But they kept it in the salesforce.com SSL certificate, the one that's the red dot in the center of the circle on the left. That SSL certificate was good for do.com, and it was good for do.com far after they owned it and after Squarespace had it. So Salesforce did have a valid SSL certificate for another company at this time. This gives, one, Salesforce the ability to potentially man-in-the-middle squarespace.com, and also Squarespace could have revoked Salesforce's SSL certificate, taking down their site. And if you look at the green encircled domains around that, those are all of the websites that would all of a sudden break if Squarespace decided to revoke this thing within 24 hours. Yeah.
This is digging a little deeper into the do.com example. On the right is the certificate in question. On the top part we have in red the dates that it's valid, before and after, and you can see it's between the two different owners, and all the domain names it was valid for, Salesforce's and do.com. On the left we have historical NS lookups for this domain name. The screenshot was taken after the domain name had been transferred to where it currently is right now; I believe it's like a for-sale auction site, so someone can go buy that domain name if they want. But the circled part is when Salesforce had the domain name in the past, so you can see historical name servers being hosted at Microsoft, AWS, and a few other places as well. So we
wanted to also introduce the tools specifically crafted for finding this. CertGraph is a nice visualization tool; we created a new tool that uses the Facebook Certificate Transparency API to detect both BygoneSSL denial of service and BygoneSSL man-in-the-middle. Now, it's caveated with the fact that you have to give it accurate information. To detect BygoneSSL man-in-the-middle, you need to give it the list of all of the domains you own with an accurate date of when you first registered each one. Maybe you renewed it a couple times and the created date on the WHOIS record doesn't actually reflect the first time you created it; you need to make sure that it actually reflects the first time you bought the domain. And then to detect BygoneSSL man-in-the-middle, you give it a list of all domains that you own, and it will go through and see if any of those domains share certificates with domains that you don't own. So for this to be accurate, you need to give it a complete list of all domains you own. As long as you do those two things, have an accurate registration date and a complete list of all domains you own, you don't get any false positives and it can very accurately detect both flavors of the problem. There are two downsides to using this tool: first, you have to create a Facebook Developer account and give it the token, and the second downside is Facebook actually will rate limit you if you hit it too aggressively. So we have another tool: SSLMate's certificate transparency log monitor, and this acts as an actual certificate transparency log monitor. We took SSLMate's Cert Spotter tool and added BygoneSSL protection to that. So you create a config file of the domain names for the certificates you want to be alerted for, and specify a valid-at date, which is the date that you acquired the domain name. Now if it finds a matching cert, it'll print out or notify you with the following information, like in the
screenshot right here, and if it happens to notice that the certificate is valid both before and after the date you acquired it, the BygoneSSL flag is true. Those changes have been accepted upstream into SSLMate's Cert Spotter, so you can grab that from them if you want to run your own certificate transparency log monitor. Although note that it will look through all half a billion certificates in CT and it will take some time. But if you want a completely self-hosted solution, this will work great. So if you want to try to protect yourself from being vulnerable to BygoneSSL, from someone else having an SSL certificate for your domain name or potentially revoking one that you're using, the best you can do right now is to use the Expect-CT header with the enforce flag on your HTTP server. This will protect you from someone else having a certificate for your domain names that's not in CT and using it on you. However, this will not deal with the case where the certificate has already been logged in CT; there is no current protection against that. The best thing you can do is monitor CT logs, using our tools or others, for all the SSL certificates for your own domain names, and if you see a certificate for your domain name, either issued before you got it or after, reach out to the CA and ask them to revoke it. I should also point out that not all certificates will be in CT logs. CT was only required by browsers like Chrome as of April this year for non-EV certificates. Of certificates issued before then, a lot of them are in there; I've seen certificates as early as 2009 and before in Certificate Transparency logs, but it's not a requirement to be trusted by browsers. So now we've got some requests for the general internet as well. You realize this issue isn't going away, so we have some basically band-aid asks. For example, registrars could notify you: when you first register a domain name, the registrar gives you a heads-up and says, hey, we checked CT and
the previous owner still has a valid certificate. They might even also consider auto-revocation in certain cases. Another ask is for these certificates to be much shorter lived, like the Let's Encrypt 90-day policy: the issue is still there, but it's there for a shorter period of time, and we don't have to deal with the five-year issue that we talked about before. When you do your own revocation, it's kind of courteous to give a heads-up to the other people using certificates with subject alt names, so you don't accidentally break production websites, but as mentioned before, there's no mechanism stopping you from breaking production websites. CAs could also not issue certificates that go on beyond the expiration date of a domain. You do a WHOIS on the domain, you see the expiration date; there's no reason why the certificate should ever outlive that. So the CAs could just not issue certs that outlive the lifetime of the domain. And then the last bullet point here is really targeted at CDNs specifically, but also just generally companies: you've got to be really careful with the way you use subject alt names. If you shove a whole bunch of domains on the same certificate, in kind of the worst case there, seven hundred, one of them might become expired, and that's going to open yourself up to a stranger revoking your certificate. So the recommendation there is you could do what GitHub is doing with GitHub Pages: they have every single customer on their own Let's Encrypt cert, and it can use a custom domain. But if you share customers on the same cert, you're opening yourself up. All right, that concludes our talk. Here are the links to the tools that we talked about and our insecure.design website, where we have more information on this topic. Thank you all very much. Oh, and we'll do questions outside. [Applause]
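
The two checks the talk describes for its detection tooling, sketched as an added example (this is not the BygoneSSL or Cert Spotter code): given the domains you own and the date you first acquired each, flag certificates whose validity spans that date, and certificates that also carry names you do not own. The `Cert` records, the `.example` names and all dates are constructed; fetching and parsing CT entries is left out.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    label: str        # constructed identifier standing in for a CT entry id
    sans: tuple       # DNS names from the certificate's subject alt names
    not_before: date
    not_after: date


def owned_parent(san, owned):
    """Return the owned domain that covers this SAN, or None."""
    name = san.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    for dom in owned:
        # Match on a label boundary so notshop.example is not shop.example.
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def classify(cert, owned, today):
    """owned maps each domain to the date its current owner first acquired it.

    Revocation status is not visible here; a finding means "go check",
    not "this certificate is certainly usable".
    """
    mine, foreign = set(), set()
    for san in cert.sans:
        dom = owned_parent(san, owned)
        if dom:
            mine.add(dom)
        else:
            foreign.add(san.lower())
    if not mine or cert.not_after < today:
        return []  # not about our domains, or already expired
    findings = []
    for dom in sorted(mine):
        # Man-in-the-middle variant: issued before we acquired the domain
        # and still valid on or after that date.
        if cert.not_before < owned[dom] <= cert.not_after:
            findings.append((cert.label, "mitm", dom))
    if foreign:
        # Denial-of-service variant: our certificate shares names we do not
        # own. Only meaningful if `owned` is a complete list of our domains.
        findings.append((cert.label, "dos", ",".join(sorted(foreign))))
    return findings


def scan(certs, owned, today):
    results = []
    for cert in certs:
        results.extend(classify(cert, owned, today))
    return results


# Constructed sample data.
TODAY = date(2018, 8, 10)
OWNED = {
    "bar.example": date(2010, 1, 1),   # always ours
    "shop.example": date(2018, 3, 1),  # bought from a previous owner
}
CERTS = [
    Cert("c1", ("shop.example", "www.shop.example"), date(2016, 6, 1), date(2019, 6, 1)),
    Cert("c2", ("bar.example", "*.cdn.bar.example", "foo.example"), date(2017, 1, 1), date(2020, 1, 1)),
    Cert("c3", ("shop.example",), date(2018, 4, 1), date(2019, 4, 1)),      # issued after purchase
    Cert("c4", ("shop.example",), date(2015, 1, 1), date(2017, 1, 1)),      # expired
    Cert("c5", ("notshop.example",), date(2016, 1, 1), date(2020, 1, 1)),   # unrelated name
]

if __name__ == "__main__":
    for finding in scan(CERTS, OWNED, TODAY):
        print(finding)
```
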