Root Causes 306: Certificate Transparency Logs and Privacy

Episode Transcript

Lightly edited for flow and brevity.

• 

  Tim Callan

  Today, we wanted to talk about CT logs and privacy

• 

  Jason Soroko

  CT logs – it’s been a little while since we talked about them. It’s a common topic. It’s a good one for this podcast. It’s such a great idea to have CT logs, and I’ll tell you something - if I’m an owner of a website or if I’m an owner of a large farm of domains that have certificates issued against them and I have a big important brand, I definitely want to have a public record of issuance. And I want to be able to spot misissuance in my name and be able to audit against it, and these are all good things.

• 

  Tim Callan

  The 30 seconds on CT logs is, for every publicly-issued TLS Certificate, for every SSL Certificate that’s issued on a public root, the CA has to report this to multiple of what were called Certificate Transparency Logs. Then there are tools and crt.sh is the best known of them. It’s not the only one, but it’s the most used, that will then gather the results of these logs together, and it will allow you to have visibility on certificates that are issued, and you can do various kinds of searches and things in order to find the certificates. One application of that, of course, is that you can monitor certificates that are issued against your own domain space. So, you can say, if there are certificates that are being issued against my domains, and I don’t know about it, I can find them through a CT log. And that’s not the only one but one of the motivators behind the original creation of this whole ecosystem.

• 

  Jason Soroko

  When you get into topics of privacy, as much as it is great that I can check my own work and the work of others against the public CT logs, that key word “public” is an important one. And it’s not surprising, Tim, that a lot of enterprises will issue publicly trusted certificates, even if they're not for web servers that will ever be used in the public domain, they’re used exclusively within the enterprise.

• 

  Tim Callan

  Yeah. And so now, the CT log can give anybody, not just me, the owner of that domain or the owner of that brand, but anybody a little bit of a map as to what I have, what my network architecture may look like, at least what the set of my domains may look like. It can show people a subset of the active domains and subdomains, and there is a thought that this could be useful from the perspective of a criminal who is attempting to case your network and figure out a strategy or a plan or an attack plan for trying to do malicious things to you.

• 

  Jason Soroko

  Oh, exactly right. So, Tim, I’m going to try to do an inventory of issues, especially related to privacy. And, so, if you have basically your organization’s internal network structure, you might have subdomains that are internally facing that you’ve issued certificates against and something dot your company name dot com and this and that and the other thing, it might expose parts of the company that, especially depending on your naming conventions, might give away information to competitors or other things. And you might even have personal projects that you’re trying to do that are not faced externally at all. It might even be skunkworks programs – between just yourself and you’re trying to develop IP, you’re trying to invent something, and depending on how you’ve named your subdomains, these things will become public record and publicly available.

• 

  Tim Callan

  Maybe some of that could be masked with enough careful consideration, but doing so might have a toll on the organization. There’s reasons to give people clear names and give names clear hierarchies and architectures, especially if you have large numbers of people working on a project. It eliminates confusion, and it makes it easier for things to run correctly, and if you’re actually going to go out of your way to obfuscate your names in your subdomain and your URL structure, that itself could have a negative impact on the overall operation of the business, at least to some degree.

• 

  Jason Soroko

  And to think diagonally a little bit, Tim. You could imagine that a bad guy could use the timing of a CT log entry as an information gathering tool around the timing of a phishing attack. So, think about a new subdomain being created, a new initiative being created - -

• 

  Tim Callan

  If subdomains always show up Wednesdays between midnight and 2:00 a.m., then you know that that would be the right time to stage a certain attack. Things along those lines, Jay?

• 

  Tim Callan

  Yeah, but it could even be a little more subtle, which is, think about subdomains that are related to CRM systems or internal HR systems, e-mail systems that are new and if a bad guy wants to do a phishing attack and look somehow knowledgeable within an e-mail or through a phone call, any sort of form of social engineering, knowing that a new HR system has popped up might lend itself to a very sophisticated form of phishing, right? And I don’t think I’m giving the bad guys any ideas here. This is fairly well-known. It’s not just the privacy – maybe you don’t want to give away to your competitors the fact that you have certain test servers online that you have issued certificates to. That might be bad enough for you. But on the other hand, you might also be giving away a lot of information to bad guys who are trying to form a sophisticated social engineering attack around the creation of new infrastructure within your company. It’s quite often that information is given away by the way that a subdomain is named and a certificate that is issued against it.

• 

  Tim Callan

  Yeah. And this kind of thing you imagine requires a certain amount of human scrutiny and human study, but if you’re talking about an advanced attack against a high value target, if you’re talking about the kind of thing that goes along with a custom spear-phishing attack, then that is well within the realm of what’s quite practical.

• 

  Jason Soroko

  Tim, I also think, it might be a little bit on the edge, but I think it’s also something to consider. Depending on the type of certificate you have, the certificate will contain the organization name, organizational unit, country, locality, those kinds of things that are often logged along with the certificate and would be part of certificate log information. If that information is sensitive to you, you might not want that information getting out, and so, therefore, the way that you’re creating these certificates, we really should be thinking about, you know, what you’re putting in that CSR and thinking about locality information and org name and making sure you’re not – because whatever you put in there is going to be public, is the point.

• 

  Tim Callan

  Your point being that I could use my corporate headquarters’ address or I could use the address of the actual data center where I’m going to be deploying the certs into racks, and they’d probably both pass authentication. And you’d rather the corporate address was the one that was in the cert because you don’t want to tell an attacker where to come with the backhoe to knock you offline – by way of example.

• 

  Jason Soroko

  Exactly. Sometimes it might not seem like a lot of information, but to the bad guy, any information is a lot, right?

• 

  Tim Callan

  The other thing that occurs to me, Jason, is it could also telegraph business plans. I was told an anecdote by a friend of mine who worked for a different company, and they were working on a new product, and – I forget which way it was – I think they registered for the trademark before they bought the URL or vice versa, I think they registered for the trademark before they bought the URL, and then their chief competitor ran out and bought the URL.

• 

  Jason Soroko

  Right.

• 

  Tim Callan

  Because they had telegraphed their intentions, and this person was telling this to me as a warning, as a lesson, which is do them all at the same time. But you could imagine if people are preparing for, let’s say, a product launch, they might be out registering domains or creating subdomains that telegraph their intentions as a business. And even if they don’t have that exposure like somebody else is going to take away my trademark, they might just have the exposure that my competitors know what I’m up to months before they needed to.

• 

  Jason Soroko

  I bet you there are people who if they’re not full time, a big chunk of their job is competitive intelligence. And they’re looking for these kinds of things. I guarantee it.

• 

  Tim Callan

  If I’m a major corporation, I’m a large food manufacturer, and I suddenly come out with a new domain, right, that is, you know, UltraRichMacAndCheese.com, I think I’ve maybe given away to my competitors what I plan to do. And that might be valuable intelligence that actually makes a difference in terms of dollars and cents in the market. That, too, is the kind of thing that could come out by way of CT logs.

• 

  Jason Soroko

  I would imagine that if you’re in the business of squatting on domain names, one of the best ways to figure out trends in domain name creation is simply to watch CT logs.

• 

  Tim Callan

  Absolutely. And they’re the ones that are being really used. Presumably there is some amount of genuine value and most of the time, some kind of commercial value that is attached to things, if people are bothered to get certificates for them in the first place.

• 

  Jason Soroko

  It’s funny. I wonder how long it’s going to take before somebody comes up with a CT log trending-names website.

  So, Tim, on a similar vein to that, that’s competitive information that you don’t want to get to a competitor. Just to go back to the typical bad guy for a moment. I would also imagine that quite often SSL issuance occurs before the full blown website has been created.

• 

  Tim Callan

  You’d imagine, yeah.

• 

  Jason Soroko

  You’d imagine. And so, I could see bad guy, I’m sure it’s been done – in fact, it’s probably been done a lot – where the bad guy is taking advantage of this arbitrage of, the website not being up yet but the SSL certificate has been issued, and the bad guy creating a fake version of that site and using social engineering to draw people to it for credential harvesting or whatever it happens to be.

• 

  Tim Callan

  That’s an opportunity, and if you maybe could combine that, if you managed to do an DNS poisoning attack, then that could actually be effective.

• 

  Jason Soroko

  There it is. So, that’s a few things, isn’t it, Tim?

• 

  Tim Callan

  Let’s just add, listener, do not misinterpret this conversation as to say that CT logs are under fire in any way. CT logs are widely considered to be a net positive for overall web PKI security and quality. There is no serious talk in any corridors, that I’m hearing, about mitigating or dialing back or eliminating CT logs, but at the same time, I think it’s good to recognize that so many things come with puts and takes, and with CT logs come this new set of potential vulnerabilities or problems or weaknesses or attacks that otherwise wouldn’t exist, and we just wanted to spell out what they are.

• 

  Jason Soroko

  That’s it. That’s it. CT logs are a great idea, but like anything else, it has implications, and I think we spelled out quite a few of them. Probably not completely exhaustive, but that’s at least a few to think about.