Lost and Found Certificates: dealing with residual certificates for pre-owned domains

Presented at DEF CON 26 (2018), Aug. 12, 2018, 1:30 p.m. (20 minutes)

When purchasing a new domain name you would expect that you are the only one who can obtain a valid SSL certificate for it, however that is not always the case. When the domain had a prior owner(s), even several years prior, they may still possess a valid SSL certificate for it and there is very little you can do about it.

Using Certificate Transparency, we examined millions of domains and certificates and found thousands of examples where the previous owner for a domain still possessed a valid SSL certificate for the domain long after it changed ownership. We will review the results from our ongoing large scale quantitative analysis over past and current domains and certificates. We'll explore the massive scale of the problem, what we can do about it, how you can protect yourself, and a proposed process change to make this less of a problem going forwards.

We end by introducing BygoneSSL, a new tool and dashboard that shows an up to date view of affected domains and certificates using publicly available DNS data and Certificate Transparency logs. BygoneSSL will demonstrate how widespread the issue is, let domain owners determine if they could be affected, and can be used to track the number of affected domains over time.

Presenters:

• Dylan Ayrey - Hacker
  Dylan is a security engineer, who in his free time authors lots of open source projects, such as truffleHog. He graduated college in 2015 and has been working in security ever since.
• Ian Foster / lanrat - Hacker   as Ian Foster
  Ian enjoys researching systems and networking problems and solutions in an effort to make the world more secure. He has published research papers analyzing the new gTLD land rush and crawling and parsing most WHOIS records. From demonstrating how insecure aftermarket OBD "dongles" can be used to compromise and take over automobiles; to measuring the paths an email traverses online with encryption in an effort to increase integrity, authenticity, and confidentiality; and more. During the day Ian is a Security Engineer fighting for the users.

Links:

• https://defcon.org/html/defcon-26/dc-26-speakers.html#Foster
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - Foster and Ayrey - Lost and Found Certificates Dealing with Residual Certificates for Pre-owned Domains.mp4
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - Foster and Ayrey - Lost and Found Certificates Dealing with Residual Certificates for Pre-owned Domains.srt (subtitles)
• https://www.youtube.com/watch?v=gZ9_-YQ4hoY

Similar Presentations:

• DEF CON 25 (2017) / Abusing Certificate Transparency Logs
• ToorCon San Diego 20 (2018) / Lost and Found Certificates: dealing with residual certificates for pre-owned domains
• 33C3 (2016) / Everything you always wanted to know about Certificate Transparency: (but were afraid to ask)