The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem

In this paper, we analyze the evolution of Certificate Transparency (CT) over time and explore the implications of exposing certificate DNS names from the perspective of security and privacy. We find that the number of certificates in CT logs has grown exponentially. Website support for CT has also increased steadily, with 33% of established connections now supporting CT. With the increasing deployment of CT, there are also concerns about information leakage, since every logged certificate, including the DNS names it carries, is publicly visible in CT logs. To understand this threat, we introduce a CT honeypot and show that data from CT logs is being used to identify targets for scanning campaigns only minutes after certificate issuance. We present and evaluate a methodology to learn and validate new subdomains from the vast number of domains extracted from CT-logged certificates.
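The CT honeypot measurement described above, as an added example that is not the paper's own code or data: it correlates the time a hostname first appeared in a CT log with the first request the honeypot received for that hostname, and counts per-client hits on names that exist nowhere except in CT. All hostnames, addresses and timestamps are constructed.

```python
# Added example: correlate CT log appearance time with first honeypot contact.
# All hostnames, addresses and timestamps below are constructed, not from the paper.
from collections import Counter
from datetime import datetime, timezone

# Hostnames that exist nowhere except in certificates submitted to CT logs,
# mapped to the time the certificate appeared in the log (constructed).
CT_ISSUANCE = {
    "ct-hp-a1b2.example.net": "2018-03-01T10:00:00Z",
    "ct-hp-c3d4.example.net": "2018-03-01T10:05:00Z",
    "ct-hp-e5f6.example.net": "2018-03-01T10:10:00Z",
}

# Constructed honeypot access log: timestamp, client IP, SNI / Host header, request.
HONEYPOT_LOG = """\
2018-03-01T10:03:12Z 203.0.113.7 ct-hp-a1b2.example.net GET /
2018-03-01T10:03:40Z 203.0.113.7 ct-hp-a1b2.example.net GET /.well-known/
2018-03-01T10:09:30Z 198.51.100.9 ct-hp-c3d4.example.net GET /
2018-03-01T10:11:05Z 203.0.113.7 ct-hp-c3d4.example.net GET /
2018-03-01T10:40:00Z 192.0.2.44 unrelated.example.org GET /
"""

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def first_contact_delays(ct_issuance: dict, log_text: str) -> dict:
    """Map each CT-logged hostname to (minutes from log appearance to first hit,
    first client IP), or None if never contacted. Hits on names outside the CT
    set are ignored; a negative delay would mean the name leaked another way."""
    first = {}
    for line in log_text.splitlines():
        ts, ip, host, _method, _path = line.split()
        if host in ct_issuance and host not in first:
            first[host] = (parse_ts(ts), ip)
    delays = {}
    for host, issued in ct_issuance.items():
        if host not in first:
            delays[host] = None
            continue
        hit_ts, ip = first[host]
        minutes = (hit_ts - parse_ts(issued)).total_seconds() / 60
        delays[host] = (round(minutes, 1), ip)
    return delays

def hits_per_client(ct_issuance: dict, log_text: str) -> Counter:
    """Count requests per client IP aimed at CT-only hostnames; a client hitting
    many freshly logged names is a candidate for a CT-driven scanning campaign."""
    hits = Counter()
    for line in log_text.splitlines():
        _ts, ip, host, _method, _path = line.split()
        if host in ct_issuance:
            hits[ip] += 1
    return hits
```

With the constructed data, the first two honeypot names are contacted 3.2 and 4.5 minutes after logging, while the third is never reached.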
