When you purchase a new domain name you would expect to be the only party able to obtain a valid SSL certificate for it, but that is not always the case. If the domain had a prior owner, even one from several years ago, that owner may still hold a valid SSL certificate for it, and there is very little you can do about it.
Using Certificate Transparency, we examined millions of domains and certificates and found thousands of examples where the previous owner of a domain still possessed a valid SSL certificate for it long after it changed ownership. We will review the results of our ongoing large-scale quantitative analysis of past and current domains and certificates, explore the scale of the problem, what can be done about it, how you can protect yourself, and a proposed process change to make this less of a problem going forward.
We end by introducing BygoneSSL, a new class of vulnerability in which a prior domain owner may be able to perform an SSL man-in-the-middle attack against your domain, and might even be able to revoke a shared certificate (a single certificate covering many domains, yours among them), causing a denial of service for every domain on it. We will demonstrate how widespread the issue is, show domain owners how to determine whether they are affected, and show how they can protect themselves.
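The check a domain owner can run themselves, as an added example (not the authors' tooling): pull the Certificate Transparency records for your apex, then flag any certificate that was issued before you acquired the domain and has not yet expired. The record shape mirrors the crt.sh JSON output (`id`, `name_value`, `not_before`, `not_after`), but every value in `SAMPLE_CT_JSON`, the apex `example.com`, the acquisition date and the fixed "today" are constructed for the demonstration; the crt.sh query URL is an assumption about its search syntax and is not fetched here, so the block runs offline.

```python
"""Flag 'bygone' certificates: entries in Certificate Transparency logs that were
issued before you acquired a domain and are still unexpired.

Added example for this abstract, not the authors' code. Record fields mirror
crt.sh's JSON output; all values are constructed.
"""
import json
from datetime import datetime

# Constructed CT records for the apex 'example.com' (not real log entries).
SAMPLE_CT_JSON = json.dumps([
    {"id": 1001, "name_value": "example.com\nwww.example.com",          # expired
     "not_before": "2015-03-01T00:00:00", "not_after": "2018-03-01T00:00:00"},
    {"id": 1002, "name_value": "*.example.com\nexample.com",            # bygone
     "not_before": "2017-06-01T00:00:00", "not_after": "2020-06-01T00:00:00"},
    {"id": 1003, "name_value": "example.com\nshop.other-tenant.net\ncdn.third.org",
     "not_before": "2018-11-20T00:00:00", "not_after": "2019-11-20T00:00:00"},  # bygone + shared
    {"id": 1004, "name_value": "example.com\nwww.example.com",          # issued by us
     "not_before": "2019-02-01T00:00:00", "not_after": "2020-02-01T00:00:00"},
    {"id": 1005, "name_value": "notexample.com",                        # unrelated domain
     "not_before": "2018-01-01T00:00:00", "not_after": "2020-01-01T00:00:00"},
])


def crtsh_url(apex: str) -> str:
    """Assumed crt.sh search URL for subdomains of `apex` ('%' is the wildcard;
    query the bare apex separately). Not fetched by this example."""
    return "https://crt.sh/?q=%25." + apex + "&output=json"


def names_under_apex(name_value: str, apex: str) -> list:
    """SAN entries (one per line in crt.sh output) that name the apex or any host
    below it, wildcards included. 'notexample.com' must not match 'example.com'."""
    apex = apex.lower().rstrip(".")
    out = []
    for raw in name_value.splitlines():
        name = raw.strip().lower().rstrip(".")
        if name == apex or name.endswith("." + apex):
            out.append(name)
    return out


def find_bygone_certs(ct_json: str, apex: str, acquired_on: str, today: str) -> list:
    """Certificates covering `apex` that were issued before `acquired_on` and are
    still valid on `today`. Each hit also says whether the certificate is shared,
    i.e. names hosts outside your apex: revocation requested by the prior owner
    would then take other people's sites down with yours (the denial-of-service case)."""
    acquired = datetime.fromisoformat(acquired_on)
    now = datetime.fromisoformat(today)
    hits = []
    for rec in json.loads(ct_json):
        mine = names_under_apex(rec["name_value"], apex)
        if not mine:
            continue  # certificate does not cover our domain at all
        not_before = datetime.fromisoformat(rec["not_before"])
        not_after = datetime.fromisoformat(rec["not_after"])
        if not_before >= acquired:
            continue  # issued after we took ownership: presumably ours
        if not_after <= now:
            continue  # expired, no longer usable for a man-in-the-middle
        all_names = [n.strip().lower() for n in rec["name_value"].splitlines() if n.strip()]
        hits.append({
            "id": rec["id"],
            "names": all_names,
            "not_after": rec["not_after"],
            "shared": len(all_names) > len(mine),
        })
    return hits


if __name__ == "__main__":
    print("query:", crtsh_url("example.com"))
    for hit in find_bygone_certs(SAMPLE_CT_JSON, "example.com", "2019-01-15", "2019-09-01"):
        print(hit)
```

On the constructed data the two hits are 1002 (a wildcard certificate from the prior owner, still valid) and 1003 (a shared certificate that also names other tenants' hosts). The acquisition date is the decisive input: anything issued before it was requested by someone other than you, so the same logic applies whether the prior owner is one year or several years back, and a certificate that expired before "today" is dropped because it can no longer be presented to clients.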