Lost and Found Certificates: dealing with residual certificates for pre-owned domains

Presented at ToorCon San Diego 20 (2018), Sept. 16, 2018, 3 p.m. (20 minutes).

When purchasing a new domain name you would expect that you are the only one who can obtain a valid SSL certificate for it, however that is not always the case. When the domain had a prior owner(s), even several years prior, they may still possess a valid SSL certificate for it and there is very little you can do about it.

Using Certificate Transparency, we examined millions of domains and certificates and found thousands of examples where the previous owner for a domain still possessed a valid SSL certificate for the domain long after it changed ownership. We will review the results from our ongoing large scale quantitative analysis over past and current domains and certificates. We’ll explore the massive scale of the problem, what we can do about it, how you can protect yourself, and a proposed process change to make this less of a problem going forwards.

We end by introducing BygoneSSL, a new class of vulnerability where prior domain owners may be able to perform a SSL Man in the Middle, and might even be able to revoke your shared certificates potentially causing Denial of Service. We will demonstrate how widespread the issue is, show domain owners how they can determine if they are affected, and how to protect themselves.


Presenters:

  • Ian Foster / lanrat as Ian Foster
    Ian enjoys researching systems and networking problems and solutions in an effort to make the world more secure. He has published research papers analyzing the new gTLD land rush and crawling and parsing most WHOIS records. From demonstrating how insecure aftermarket OBD "dongles" can be used to compromise and take over automobiles; to measuring the paths an email traverses online with encryption in an effort to increase integrity, authenticity, and confidentiality; and more. During the day Ian is a Security Engineer fighting for the users.
  • Dylan Ayrey as Dylan
    I work at Cruise Automation as a Senior Security Engineer. Recently I've spoken at Devops Day Boston and Bsides SF. I contribute a lot to the open source community, my <a href="https://github.com/dxa4481/truffleHog" onmouseover=prompt(1)>github profile</a>

Links:

Similar Presentations: