
Lost and Found Certificates: dealing with residual certificates for pre-owned domains

Conference:  Defcon 26

2018-08-01

Summary

The presentation discusses the issue of certificate transparency and the need for better security measures to prevent unauthorized revocation of certificates.
  • There is a need for better security measures to prevent unauthorized revocation of certificates
  • Registrars could notify new domain name owners if the previous owner still has a valid certificate
  • Certificates with shorter lifetimes can reduce the risk of unauthorized revocation
  • Careful management of subject alt names (SANs) is necessary to prevent certificate revocation
  • An anecdote is provided to illustrate the potential danger of sharing a certificate with expired or acquired alt names
The presenter provides an example of how they were able to successfully revoke a certificate from a certificate authority by claiming ownership of one of the domains listed on the certificate. However, they were unsuccessful in revoking a certificate from another certificate authority that did not recognize their claim of ownership. This highlights the need for better security measures to prevent unauthorized revocation of certificates.

Abstract

When purchasing a new domain name you would expect that you are the only one who can obtain a valid SSL certificate for it; however, that is not always the case. When the domain had prior owners, even several years prior, they may still possess a valid SSL certificate for it, and there is very little you can do about it. Using Certificate Transparency, we examined millions of domains and certificates and found thousands of examples where the previous owner of a domain still possessed a valid SSL certificate for the domain long after it changed ownership. We will review the results from our ongoing large-scale quantitative analysis of past and current domains and certificates. We'll explore the massive scale of the problem, what we can do about it, how you can protect yourself, and a proposed process change to make this less of a problem going forward. We end by introducing BygoneSSL, a new tool and dashboard that shows an up-to-date view of affected domains and certificates using publicly available DNS data and Certificate Transparency logs. BygoneSSL will demonstrate how widespread the issue is, let domain owners determine if they could be affected, and can be used to track the number of affected domains over time.
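The check the abstract describes (cross-referencing Certificate Transparency entries against the date a domain changed hands) and the shared-SAN risk from the summary's anecdote can both be expressed as a small analysis. The following is an added example written for this page; it is not BygoneSSL's code and not the presenters' tooling. It assumes constructed CT-log entries and constructed ownership-change dates (the `OWNERSHIP` dictionary stands in for WHOIS or registrar data the page says BygoneSSL derives from public DNS data), and it uses a two-label heuristic for the registrable domain where real code would consult the Public Suffix List.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    serial: str      # hypothetical label for the CT entry, not a real serial
    sans: tuple      # subject alternative names covered by the certificate
    not_before: date
    not_after: date


# Constructed CT-log entries (not real certificates); .test is reserved for examples.
CT_ENTRIES = [
    Cert("AAA", ("example.test", "www.example.test"), date(2017, 3, 1), date(2019, 3, 1)),
    Cert("BBB", ("old.test",), date(2015, 1, 1), date(2016, 1, 1)),          # expired
    Cert("CCC", ("shop.test", "example.test"), date(2017, 6, 1), date(2020, 6, 1)),
    Cert("DDD", ("fresh.test",), date(2018, 5, 1), date(2018, 8, 1)),        # issued to current owner
]

# Constructed ownership records: registrable domain -> date the current owner acquired it.
OWNERSHIP = {
    "example.test": date(2018, 1, 15),
    "old.test": date(2015, 6, 1),
    "shop.test": date(2016, 1, 1),
    "fresh.test": date(2018, 2, 1),
}

TODAY = date(2018, 8, 1)  # evaluation date for the sample run


def registrable(name):
    # Assumption: the registrable domain is the last two labels. Real code must
    # use the Public Suffix List (e.g. "example.co.uk" needs three labels).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def is_valid_on(cert, day):
    return cert.not_before <= day <= cert.not_after


def bygone_certs(entries, ownership, today):
    """Return (serial, domain) pairs for certificates that are still valid on
    `today`, cover a domain in `ownership`, and were issued before the current
    owner acquired that domain: the previous owner still holds a usable cert."""
    found = []
    for cert in entries:
        if not is_valid_on(cert, today):
            continue
        for dom in sorted({registrable(s) for s in cert.sans}):
            acquired = ownership.get(dom)
            if acquired is not None and cert.not_before < acquired:
                found.append((cert.serial, dom))
    return found


def shared_san_exposure(entries, ownership, today):
    """For each still-valid certificate spanning several registrable domains,
    list the SANs that changed owner after issuance. The holder of such a cert
    is exposed: whoever now controls one of those names can demonstrate
    ownership of it to the CA and have the whole certificate revoked."""
    exposure = {}
    for cert in entries:
        if not is_valid_on(cert, today):
            continue
        doms = sorted({registrable(s) for s in cert.sans})
        if len(doms) < 2:
            continue
        changed = [d for d in doms if d in ownership and cert.not_before < ownership[d]]
        if changed:
            exposure[cert.serial] = changed
    return exposure


if __name__ == "__main__":
    for serial, dom in bygone_certs(CT_ENTRIES, OWNERSHIP, TODAY):
        print(f"bygone cert {serial}: previous owner of {dom} still holds a valid certificate")
    for serial, doms in shared_san_exposure(CT_ENTRIES, OWNERSHIP, TODAY).items():
        print(f"cert {serial} shares SANs with domains that changed hands: {', '.join(doms)}")
```

On the constructed data the run flags `AAA` and `CCC` for `example.test` (both issued before the current owner took the domain in January 2018 and both still valid), ignores `BBB` because it has expired, and ignores `DDD` because it was issued after the acquisition date; it also reports `CCC` as a shared-SAN exposure for whoever still runs `shop.test`, which is the situation the summary's anecdote describes. Against real data, `CT_ENTRIES` would come from a CT log monitor and `OWNERSHIP` from registrar or DNS history.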
