Measuring the Impact of Certificate Transparency on Scanning Traffic
T.M. Nguyen (TU Delft - Electrical Engineering, Mathematics and Computer Science)
Tobias Fiebig – Mentor (TU Delft - Multi Actor Systems)
G. Smaragdakis – Mentor (TU Delft - Cyber Security)
FA Kuipers – Mentor (TU Delft - Embedded Systems)
Abstract
Certificate Transparency (CT) is a system that publishes all issued certificates so that any party can audit and monitor them. This makes it possible to detect misissued certificates quickly and to catch misbehaving certificate authorities (CAs). CT makes the certificate ecosystem more transparent and less reliant on the assumption that trusted CAs never issue rogue certificates; an event such as the 2011 compromise of the CA DigiNotar could be detected easily and quickly with CT. CT relies on CT logs, in which the certificates issued by trusted CAs are recorded. A CT log is an append-only ledger that anyone can read.

The problem of trust and misissuance thus appears to be solved by CT. But does this solution have downsides? While CT helps to detect misissuance quickly, it also introduces an additional source of information that can be exploited. Because CT logs are public ledgers of issued certificates, they can be used to discover new domain names or to look up which domains exist. Given a domain, an attacker can use CT logs to enumerate all of its subdomains. CT logs expose every domain, including internal ones that need a certificate but are not meant to be publicly known. Furthermore, domains can be found without guessing domain names or querying other resources such as DNS, which lets attackers compile lists of potential targets with little effort.

In this paper, we analyze the security impact of CT on scanning traffic for domains hosted on IPv4 and IPv6. The domains' certificates are appended to CT logs, which leaks the embedded domain name; that name acts as a honeytoken, a lure. We conduct passive measurements on the domain hosts, the hosting web server and the authoritative DNS server, analyze the collected measurements, and evaluate the security impact of the certificate request.