Certifiably Vulnerable: Using Certificate Transparency Logs for Target Reconnaissance

Published: 01 Jan 2023, Last Modified: 05 Oct 2023. Venue: EuroS&P 2023
Abstract: The Web PKI ecosystem provides an underlying layer of security to many Internet protocols used today. By relying on Certificate Authorities (CAs), communication can be authenticated and encrypted based on a chain of trust. Unfortunately, this chain of trust has been broken in the past. For instance, in 2011, adversaries managed to issue fraudulent certificates on behalf of the DigiNotar CA, resulting in a loss of trust in DigiNotar. To better detect fraudulent certificates, Google introduced the concept of Certificate Transparency (CT), which is based on append-only logs that allow one to monitor and detect wrongly issued X.509 certificates.

In this work, we investigate the potential of these logs as a data source for target reconnaissance. Concretely, we divide our study into two parts. First, we deploy several honeypot web servers over a period of 200 days to study the effect on incoming scanning traffic after pushing a certificate to one or more CT logs. We find that adding a certificate to a CT log leads to incoming network probes just seconds after publishing the entry. This suggests that CT logs are used as input for web scans. In the IPv6 address space, our web server received 2,700 packets after pushing our certificate to a CT log, compared to 0 packets in our control group.

Second, we use large-scale active measurements to find potentially vulnerable domains from CT log data. Using certificate issuance and renewal patterns, we identify websites that are either at the beginning or at the end of their life cycle. Our results show that freshly deployed websites are not more likely to contain a known CVE than websites that just renewed their certificate. On the other side of the spectrum, however, we find that websites with an expired certificate, yet still deployed in the wild, tend to contain more outdated software, and hence more known CVEs. As such, CT logs can indeed function as a data source for target reconnaissance.