Teri Radichel

Certificate Transparency Logs —What you need to know

ACM.247 Be aware of data exposed in Certificate Transparency Logs

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Application Security | Secure Code | DNS | TLS

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post I automated the second step of validating a TLS Certificate deployed with CloudFormation so you can automate the whole process.

I skipped over the Certificate Transparency Logs setting in the CloudFormation template because it warrants a longer discussion.

What are Certificate Transparency Logs and why do they exist?

The problem starts with certificate authorities failing to ensure that a certificate is issued only to the party that actually controls the domain. In 2011, a hacker broke into Comodo, through one of its registration authority partners, and issued a number of fraudulent certificates for Gmail, Hotmail, Yahoo! and other high-value domains.

In order to combat this problem, Google came up with the concept of Certificate Transparency Logs. You can read their initial documentation on the Wayback Machine but this might take a while to load.

One of the problems is that there is currently no easy or effective way to audit or monitor SSL certificates in real time, so when these missteps happen (malicious or otherwise), the suspect certificates aren’t usually detected and revoked for weeks or even months. What’s more, these types of SSL missteps are occurring with increasing frequency. Over the past few years there have been numerous instances of misissued certificates being used to spoof legitimate sites, and, in some cases, install malicious software or spy on unsuspecting users.

Certificate Transparency Logs are append-only, publicly auditable logs that record the issuance of certificates by public certificate authorities (CAs). Each log is a Merkle hash tree: the log periodically signs its current tree head, and anyone can request a proof that a given certificate is included, so a log cannot quietly drop or alter an entry once it has been published. Public CAs are the ones that issue certificates such as the one I deployed in my last two posts, for websites and applications that need to prove they are legitimate and encrypt data in transit.

When I say “prove they are legitimate” I’m not talking about whether momandpopshop.com is going to sell you bogus products. I am referring to the fact that when you visit a google.com website you are reaching a Google server, not one controlled by an attacker. The browser checks that the certificate the site presents chains to a certificate authority the browser trusts and that it was issued for the name you typed. In other words, a TLS certificate validates that you are getting to the correct web server for the site you are trying to visit, and the key it binds to that name is what the browser uses to set up the encrypted connection. That guarantee only holds as long as the site’s private key has not been stolen and no CA has been tricked or compromised into issuing a certificate for that name to someone else, which is exactly the failure CT logs exist to surface.

An established specification now exists, RFC 9162 (Certificate Transparency Version 2.0), which you can read if you want to get into the nitty gritty of how these logs work.
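To make the “append-only” claim concrete, here is an added example (not code from this post, and not the reference implementation behind any real log) of the data structure RFC 9162 describes: a Merkle tree over the log’s entries using the RFC 6962 hashing rules, an inclusion proof for one entry, and what happens when someone tries to alter or drop an entry after the tree head has been published. The entries are constructed stand-ins; a real log hashes a timestamped, DER-encoded certificate or precertificate at each leaf.

```python
import hashlib
from typing import List

# Domain-separation prefixes from RFC 6962 section 2.1 (unchanged in RFC 9162):
# leaves and interior nodes hash differently, so a leaf can never be passed off
# as a node or vice versa.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    """Hash of a single log entry: SHA-256(0x00 || entry)."""
    return _sha256(LEAF_PREFIX + entry)


def _split(n: int) -> int:
    """Largest power of two strictly less than n, for n >= 2 (the RFC's k)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_hash(entries: List[bytes]) -> bytes:
    """Merkle Tree Hash (MTH) of the entries: the value a log signs in its tree head."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return _sha256(NODE_PREFIX + tree_hash(entries[:k]) + tree_hash(entries[k:]))


def inclusion_proof(m: int, entries: List[bytes]) -> List[bytes]:
    """Audit path for entry m: the sibling hashes needed to rebuild the root,
    innermost sibling first (RFC 6962 section 2.1.1)."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(m, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_proof(m - k, entries[k:]) + [tree_hash(entries[:k])]


def root_from_proof(m: int, n: int, leaf: bytes, path: List[bytes]) -> bytes:
    """Recompute the root from (index, tree size, leaf hash, audit path). That is
    all an auditor needs; the log's other entries are never required."""
    if n == 1:
        if path:
            raise ValueError("audit path longer than the tree depth")
        return leaf
    if not path:
        raise ValueError("audit path shorter than the tree depth")
    k = _split(n)
    sibling = path[-1]  # the outermost sibling comes last
    if m < k:
        return _sha256(NODE_PREFIX + root_from_proof(m, k, leaf, path[:-1]) + sibling)
    return _sha256(NODE_PREFIX + sibling + root_from_proof(m - k, n - k, leaf, path[:-1]))


def verify_inclusion(m: int, n: int, entry: bytes, path: List[bytes], root: bytes) -> bool:
    """True only if `entry` sits at index m of the n-entry tree whose root is `root`."""
    if m >= n:
        return False
    try:
        return root_from_proof(m, n, leaf_hash(entry), path) == root
    except ValueError:
        return False


# Constructed stand-ins for log entries (a real log hashes DER certificates here).
SAMPLE_ENTRIES = [
    b"cert 1001: CN=www.example.com, issuer=Example CA",
    b"cert 1002: CN=api.example.com, issuer=Example CA",
    b"cert 1003: CN=login.example.com, issuer=Example CA",
    b"cert 1004: CN=secret-project.example.com, issuer=Example CA",
    b"cert 1005: CN=mail.example.com, issuer=Example CA",
]


def demo() -> dict:
    """Publish a root for five entries, prove entry 3 is in it, then show that
    altering or dropping that entry no longer matches the published root."""
    published_root = tree_hash(SAMPLE_ENTRIES)
    n = len(SAMPLE_ENTRIES)
    path = inclusion_proof(3, SAMPLE_ENTRIES)
    return {
        "path_length": len(path),
        "entry_3_included": verify_inclusion(3, n, SAMPLE_ENTRIES[3], path, published_root),
        # Swap entry 3 for a different certificate: the old proof no longer checks out.
        "altered_entry_included": verify_inclusion(3, n, b"cert 9999: CN=attacker", path, published_root),
        # Delete entry 3: the recomputed tree hash no longer equals the signed root.
        "root_after_removal_matches": tree_hash(SAMPLE_ENTRIES[:3] + SAMPLE_ENTRIES[4:]) == published_root,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because every signed tree head commits to every earlier entry, the only way to “remove” a logged certificate is to publish a tree head that no longer matches the proofs clients and monitors already hold, which is precisely what auditors look for.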

Some browsers require certificate transparency for publicly trusted certificates: Chrome has enforced it for certificates issued since April 2018 and Safari since October 2018, as explained in the Wikipedia article on Certificate Transparency. You can check its references if you want to validate the information on this page. In practice the browser expects the certificate (or the TLS handshake, or a stapled OCSP response) to carry Signed Certificate Timestamps, which are promises from CT logs that the certificate has been or will be logged, and it rejects a certificate that has none.

So if you are running a public-facing website you are going to want Certificate Transparency logging enabled in most cases.

The downside of Certificate Transparency Logging

In the past you used to be able to look up the name and contact information of anyone who owned a web domain in WHOIS. For example, you can go look up 2ndsightlab.com at ICANN:

Here you can see the name servers for the 2ndsightlab.com domain:

Scroll down and you used to be able to get the name of the owner of the domain and their contact information. Now that is hidden by any domain registration service worth using. Don’t tell anyone, but I own 2ndsightlab.com — my terribly out of date web site which maybe I’ll update after all this is said and done.

Since people can’t find out information that way anymore, some have turned to Certificate Transparency Logs to enumerate a target’s hostnames when gathering information about domains for potential attacks.

I’m not promoting this site because I know nothing about it, but it allows you to view certificate transparency logs for a domain. I just found it using a Google Search:

You can see here that I’ve entered my new domain created in prior posts. Since ACM logs certificates by default there are already some entries here, and they cannot be removed: certificate transparency logs are append-only, write-once, read-many (WORM) logs.

Well, my email is still not in there so that’s good. But what else can we do with these logs? Let’s enter rainierrhododendrons.com instead and check the box for subdomains:

Now I can get all the subdomains related to that domain via the certificate transparency logs! If you are working on a new super secret project and deploy a subdomain with a public certificate, an attacker may be able to discover it by using these logs. So there are some circumstances where you might think you want to turn them off. But remember, browsers require CT for publicly trusted certificates. So if you plan on doing that, make sure it works for your use case (for example, clients that are not browsers, or an internal site whose users you control).
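The same data cuts both ways, so here is an added example (not code from this post or from SSLMate) that does the subdomain enumeration above against a CT search API’s JSON results and then uses the same records defensively: flagging any certificate for your domain that names a host you don’t recognize or was issued by a CA you don’t use. The records are constructed (domain example.com, made-up issuers and dates); the record layout, with SAN names newline-separated in a `name_value` field, is an assumption modelled on crt.sh’s JSON output, so adjust the parsing for whichever service you query.

```python
import json
from typing import Dict, List, Set

# Constructed CT search results for example.com. The layout (one record per logged
# certificate, SAN names newline-separated in "name_value") is an assumption
# modelled on crt.sh's JSON output; issuers, hostnames and dates are made up.
SAMPLE_CT_RESULTS = json.dumps([
    {"issuer_name": "C=US, O=Amazon, CN=Amazon RSA 2048 M02", "not_before": "2023-09-01T00:00:00",
     "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Amazon, CN=Amazon RSA 2048 M02", "not_before": "2023-09-01T00:00:00",
     "name_value": "example.com\nWWW.example.com"},      # precert and cert: same names, odd case
    {"issuer_name": "C=US, O=Amazon, CN=Amazon RSA 2048 M02", "not_before": "2023-09-03T00:00:00",
     "name_value": "api.example.com"},
    {"issuer_name": "C=US, O=Amazon, CN=Amazon RSA 2048 M02", "not_before": "2023-09-05T00:00:00",
     "name_value": "*.dev.example.com\nsecret-project.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2023-09-07T00:00:00",
     "name_value": "login.example.com"},                  # nobody on the team requested this
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2023-09-07T00:00:00",
     "name_value": "example.com.evil.test"},              # lookalike, not under our domain
])

# Constructed inventory of the hosts the defender knows about and the CA they use.
KNOWN_HOSTS = {"example.com", "www.example.com", "api.example.com",
               "*.dev.example.com", "secret-project.example.com"}
TRUSTED_ISSUERS = {"C=US, O=Amazon, CN=Amazon RSA 2048 M02"}


def _names_in_scope(record: Dict, domain: str) -> Set[str]:
    """Normalised SAN names from one record that equal the domain or fall under it.
    The suffix check must include the dot, or example.com.evil.test would match."""
    names = set()
    for raw in record["name_value"].split("\n"):
        name = raw.strip().lower().rstrip(".")
        if name == domain or name.endswith("." + domain):
            names.add(name)
    return names


def enumerate_subdomains(results: List[Dict], domain: str) -> List[str]:
    """Attacker's view: every distinct hostname under `domain` that any logged
    certificate names. Wildcards are kept as-is; they hide the specific hosts."""
    found: Set[str] = set()
    for record in results:
        found |= _names_in_scope(record, domain)
    found.discard(domain)
    return sorted(found)


def unexpected_certificates(results: List[Dict], domain: str,
                            known_hosts: Set[str], trusted_issuers: Set[str]) -> List[Dict]:
    """Defender's view: certificates under `domain` that name a host outside your
    inventory or that come from a CA you do not use. Either one deserves a ticket."""
    findings = []
    for record in results:
        in_scope = _names_in_scope(record, domain)
        if not in_scope:
            continue  # not our domain (e.g. the lookalike name)
        unknown_hosts = sorted(in_scope - known_hosts)
        untrusted = record["issuer_name"] not in trusted_issuers
        if unknown_hosts or untrusted:
            findings.append({
                "issuer": record["issuer_name"],
                "not_before": record["not_before"],
                "unknown_hosts": unknown_hosts,
                "untrusted_issuer": untrusted,
            })
    return findings


def demo():
    results = json.loads(SAMPLE_CT_RESULTS)
    return (enumerate_subdomains(results, "example.com"),
            unexpected_certificates(results, "example.com", KNOWN_HOSTS, TRUSTED_ISSUERS))


if __name__ == "__main__":
    subdomains, findings = demo()
    print("hostnames visible to anyone:", subdomains)
    for f in findings:
        print("unexpected certificate:", f)
```

Note that secret-project.example.com shows up in the enumeration even though the defender knows about it: logging makes the name public the moment the certificate is issued, which is the trade-off the rest of this post is about. Running the second function on a schedule against a live CT search is the cheap version of a CT monitor, and it is the reason to want your own certificates logged.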

What does AWS say about Certificate Transparency Logs?

Enable them! They are required by some browsers so it is a best practice.

As of April 30 2018, Google Chrome no longer trusts public SSL/TLS certificates that are not recorded in a certificate transparency log. Therefore, beginning April 24 2018, the Amazon CA began publishing all new certificates and renewals to at least two public logs. Once a certificate has been logged, it cannot be removed.

They are enabled by default.

Logging is performed automatically when you request a certificate or when a certificate is renewed, but you can choose to opt out. Common reasons for doing so include concerns about security and privacy. For example, logging internal host domain names gives potential attackers information about internal networks that would otherwise not be public. In addition, logging could leak the names of new or unreleased products and websites.

I did find a post on the AWS blog suggesting you should disable them. I recommend you do not do that unless you really know what you are doing. Without logging, a certificate issued for your domain by mistake or by an attacker is far harder to detect, which is the problem described at the top, and browsers that enforce CT will not trust the unlogged certificate.
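The setting the opt-out refers to is `CertificateTransparencyLoggingPreference` on the ACM certificate (in CloudFormation, a property of `AWS::CertificateManager::Certificate`, valued ENABLED or DISABLED); when the property is omitted the certificate is logged. The check below is an added example, not code from this post or from AWS: it scans a CloudFormation template in JSON form and reports every ACM certificate that opts out, so a pipeline can stop a DISABLED setting from slipping in unreviewed. The template, logical IDs and domain names are constructed.

```python
import json
from typing import Dict, List

ACM_CERT = "AWS::CertificateManager::Certificate"

# Constructed CloudFormation template (JSON form) with three ACM certificates.
# CertificateTransparencyLoggingPreference is the real property; the logical IDs
# and domain names are made up for this example.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "PublicSiteCert": {
            "Type": ACM_CERT,
            "Properties": {
                "DomainName": "www.example.com",
                "ValidationMethod": "DNS",
                "CertificateTransparencyLoggingPreference": "ENABLED",
            },
        },
        "ApiCert": {
            # Property omitted: ACM logs the certificate by default.
            "Type": ACM_CERT,
            "Properties": {"DomainName": "api.example.com", "ValidationMethod": "DNS"},
        },
        "SecretProjectCert": {
            "Type": ACM_CERT,
            "Properties": {
                "DomainName": "secret-project.example.com",
                "ValidationMethod": "DNS",
                "CertificateTransparencyLoggingPreference": "DISABLED",
            },
        },
        "SiteBucket": {"Type": "AWS::S3::Bucket"},
    },
})


def ct_logging_findings(template_json: str) -> List[Dict]:
    """One finding per ACM certificate whose CT logging is switched off.
    A missing property counts as ENABLED, which is ACM's default."""
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != ACM_CERT:
            continue
        props = resource.get("Properties", {})
        preference = props.get("CertificateTransparencyLoggingPreference", "ENABLED")
        if preference == "DISABLED":
            findings.append({
                "logical_id": logical_id,
                "domain": props.get("DomainName"),
                "message": "CT logging disabled: browsers that enforce CT will reject this "
                           "certificate and misissuance for this name will not show up in CT logs",
            })
    return findings


def template_is_compliant(template_json: str) -> bool:
    """Gate for a deployment pipeline: fail the build if any certificate opts out."""
    return not ct_logging_findings(template_json)


if __name__ == "__main__":
    for finding in ct_logging_findings(SAMPLE_TEMPLATE):
        print(f"{finding['logical_id']} ({finding['domain']}): {finding['message']}")
    print("compliant:", template_is_compliant(SAMPLE_TEMPLATE))
```

If a team does have a justified exception, the finding gives reviewers the logical ID and domain to sign off on. Keep in mind that flipping the setting on a certificate that has already been issued only affects future renewals; as AWS says above, entries already in the logs cannot be removed.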

If you are really concerned about subdomains being exposed, you could register a completely separate domain name for internal use only. I wrote about that in my prior post in this series on a static website on AWS S3.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Tags: Certificate Transparency, Logs, Subdomain, Security, OSINT