Tech News and Analysis

DR Technology

Search CT Logs for Misconfigured SSL Certificates

Security defenders can run these queries against Certificate Transparency logs to identify misconfigured SSL certificates before they can be used by adversaries to map out attacks.

Recent research revealed how enterprises can make mistakes while deploying security certificates and inadvertently expose company information to malicious actors– but this Tech Tip illustrates how to identify misconfigured certificates before they can cause any issues.

SSL/TLS certificates are issued by certificate authorities to authenticate and secure browser connections. Encryption ensures malicious actors are not able to steal, eavesdrop, or manipulate the online communications while in transit during those browser sessions.

In an analysis of over 900 million public SSL/TLS certificates and associated events, researchers from Detectify Labs discovered that many certificates were exposing information that attackers could use to map out the attack surface, or were misconfigured in ways attackers could take advantage. Domain owners need to continually monitor their SSL certificates for weaknesses or suspicious behavior before they are abused by attackers, says Fredrik Nordberg Almroth, co-founder and security researcher at Detectify.

Track Misconfigured Certs With CT

Certificate Transparency, an open framework for auditing certificates, is one way to find certificates that may be exposing too much information or have been misconfigured, Almroth says. Since CT logs are publicly available, public search tools – such as the web interface or -- can be used to query for certificates and the information they contain.

Tools such as and Censys let domain owners search for a given domain and collect various subdomains and email addresses that are associated with the domain, Almroth says. One way to identify old and insecurely signed certificates is to run search queries for weak hash algorithms on Censys.

"There are several ways an attacker could use public information about SSL/TLS certificates to map out a company's attack surface to understand where the weaknesses are,” Almroth wrote in a summary of the team’s research.

Certificates Expose Too Much Info

Detectify Labs researchers discovered that the “overwhelming majority of newly certified domains” had names descriptive enough to reveal potentially sensitive information. The names could help an attacker map out different systems and applications in the company’s environment or identify specific teams and projects to target in social engineering campaigns. If the domain name refers to a product still in development, that fact could tip off the existence of the product to competitors and allow them to potentially undermine the product before it comes to market.

Information about the certificates – such as its expiration data or the algorithm used to sign the certificates – could also create new entry points into the organization’s infrastructure, the researchers said in the Detectify report. For example, an attacker could create another certificate with the same signature and masquerade as the targeted service and intercept online communications.

Finally, about 13% of the data set analyzed by the researchers used wildcard certificates, which are susceptible to Application Layer Protocols Allowing Cross-Protocol Attack. ALPACA can be used to trick servers with unencrypted protocols to execute cross-site scripting attacks or to steal cookies and user data.

"SSL/TLS certificates make the internet a safer place, but many companies are unaware that their certificates can become a looking glass into the organization -- potentially leaking confidential information and creating new entry points for attackers," the researchers said.

Recommended Reading: