Demoing SSL certificates outliving their domain ownership
This is the demo site for BygoneSSL. It outlines what can happen when an SSL certificate outlives the ownership of one of its domains and remains valid after that domain passes to its next owner.
Well, aside from the fact that the previous domain owner could Man-in-the-Middle the new domain owner's SSL traffic for that domain, any certificate that lists the transferred domain alongside other alt-names can be revoked, potentially causing a Denial-of-Service for those other domains if the shared certificate is still in use.
noun
An SSL certificate that was issued before, and remains valid past, its domains' current registration date.
If a company acquires a previously owned domain, the previous owner could still have a valid certificate, which could allow them to MitM the SSL connection with their prior certificate.
If a certificate has a subject alt-name for a domain no longer owned by the certificate holder, that certificate can be revoked even though it also covers other domains. If the shared certificate is still in use, revoking it DoSes those other services!
The CA/Browser Forum, which sets the rules by which Certificate Authorities and Browsers should operate, states that if any information in a certificate becomes incorrect or inaccurate it should be revoked. Additionally, if the domain registrant has failed to renew their domain, the CA should revoke the certificate within 24 hours.
insecure.design domain registered
3 year SSL Certificate issued by CA
insecure.design domain transferred
Initial domain owner's certificate still valid for this site
Original domain owner revokes certificate
Screenshot of current SSL Certificate for insecure.design in Chrome on April 30, 2018
WHOIS data before and after the transfer
$ whois insecure.design
Domain Name: INSECURE.DESIGN
Registry Domain ID: D61192062-CNIC
Registrar WHOIS Server: whois.namecheap.com
Registrar URL:
Updated Date: 2018-02-19T19:29:59.0Z
Creation Date: 2018-02-16T23:21:20.0Z
Registry Expiry Date: 2019-02-16T23:59:59.0Z
Registrar: Namecheap
Registrar IANA ID: 1068
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID: C178987232-CNIC
Registrant Name: Dylan Ayrey
Registrant Organization: **********
Registrant Street: **********
Registrant City: **********
Registrant State/Province: **
Registrant Postal Code: *****
Registrant Country: US
Registrant Phone: **********
Registrant Fax:
Registrant Email: **********
Registry Admin ID: C178987237-CNIC
Admin Name: Dylan Ayrey
Admin Organization: **********
Admin Street: **********
Admin City: **********
Admin State/Province: **
Admin Postal Code: *****
Admin Country: US
Admin Phone: **********
Admin Fax:
Admin Email: **********
Registry Tech ID: C178987242-CNIC
Tech Name: Dylan Ayrey
Tech Organization: **********
Tech Street: **********
Tech City: **********
Tech State/Province: **
Tech Postal Code: ****
Tech Country: US
Tech Phone: **********
Tech Fax:
Tech Email: **********
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
DNSSEC: unsigned
Registry Billing ID: C178987247-CNIC
Billing Name: Dylan Ayrey
Billing Organization: **********
Billing Street: **********
Billing City: **********
Billing State/Province: **
Billing Postal Code: *****
Billing Country: US
Billing Phone: **********
Billing Fax:
Billing Email: **********
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-02-20T06:35:47.0Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
This whois service is provided by CentralNic Ltd and only contains information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd https://www.centralnic.com/ Access to the whois service is rate limited. For more information, please see https://registrar-console.centralnic.com/pub/whois_guidance.
$ whois insecure.design
Domain Name: INSECURE.DESIGN
Registry Domain ID: D61192062-CNIC
Registrar WHOIS Server: whois.101domain.com
Registrar URL: https://101domain.com/
Updated Date: 2018-05-01T03:36:53.0Z
Creation Date: 2018-02-16T23:21:20.0Z
Registry Expiry Date: 2022-02-16T23:59:59.0Z
Registrar: 101domain GRS Limited
Registrar IANA ID: 1011
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: C179781872-CNIC
Registrant Name: Domain Admin
Registrant Organization: Domain Admin
Registrant Street: **********
Registrant City: **********
Registrant State/Province: **
Registrant Postal Code: *****
Registrant Country: US
Registrant Phone: **********
Registrant Fax:
Registrant Email: **********
Registry Admin ID: C179781872-CNIC
Admin Name: Domain Admin
Admin Organization: Domain Admin
Admin Street: **********
Admin City: **********
Admin State/Province: **
Admin Postal Code: **********
Admin Country: US
Admin Phone: **********
Admin Fax:
Admin Email: **********
Registry Tech ID: C179781872-CNIC
Tech Name: Domain Admin
Tech Organization: Domain Admin
Tech Street: **********
Tech City: **********
Tech State/Province: **
Tech Postal Code: *****
Tech Country: US
Tech Phone: **********
Tech Fax:
Tech Email: **********
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
DNSSEC: unsigned
Registry Billing ID: C179781872-CNIC
Billing Name: Domain Admin
Billing Organization: Domain Admin
Billing Street: **********
Billing City: **********
Billing State/Province: **
Billing Postal Code: *****
Billing Country: US
Billing Phone: **********
Billing Fax:
Billing Email: **********
Registrar Abuse Contact Email: abuse@101domain.com
Registrar Abuse Contact Phone: +1.7604448674
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-05-01T03:37:47.0Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
This whois service is provided by CentralNic Ltd and only contains information pertaining to Internet domain names registered by our our customers. By using this service you are agreeing (1) not to use any information presented here for any purpose other than determining ownership of domain names, (2) not to store or reproduce this data in any way, (3) not to use any high-volume, automated, electronic processes to obtain data from this service. Abuse of this service is monitored and actions in contravention of these terms will result in being permanently blacklisted. All data is (c) CentralNic Ltd https://www.centralnic.com/ Access to the whois service is rate limited. For more information, please see https://registrar-console.centralnic.com/pub/whois_guidance.
An open source intelligence tool that crawls the graph of certificate Subject Alternative Names. It can be used to find both DoS and MitM BygoneSSL. Use it with the following flags:
certgraph -depth 1 -driver google -ct-subdomains -cdn [DOMAIN]...
Searches Facebook's Certificate Transparency API to find certificates that are Bygone. Requires Facebook OAuth. Helps find both DoS and MitM BygoneSSL.
An updated version of SSLMate's CertSpotter Log Monitor Tool. It adds valid_at to the watch file so you are notified of certificates that are Bygone.
https://github.com/lanrat/certspotter
Example Watchlist:
insecure.design valid_at:2018-04-18
defcon.org valid_at:1993-06-21
wikipedia.org valid_at:2001-01-13
toorcon.net valid_at:2012-03-13
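As an added example (not code from the BygoneSSL site or the certspotter fork), here is a small Python checker that applies the definition above to a valid_at watchlist: it parses the watchlist format shown, and for each watched domain reports certificates issued before the acquisition date that are still valid on it, together with the other alt-names that would go down if such a certificate were revoked. The reading of valid_at as the date the current owner acquired the domain, the Cert record, and the sample certificates are assumptions.

```python
# Added example, not code from the BygoneSSL site or its certspotter fork.
# Assumed meaning of valid_at: the date the current owner acquired the domain.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    serial: str        # constructed identifiers, not real serials
    not_before: date
    not_after: date
    sans: tuple        # subject alternative names in the certificate


def parse_watchlist(text):
    """Parse 'domain valid_at:YYYY-MM-DD' lines into {domain: acquired date}."""
    watch = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, tag = line.split()
        key, value = tag.split(":", 1)
        if key != "valid_at":
            raise ValueError(f"unsupported tag {key!r} in {line!r}")
        watch[name.lower()] = date.fromisoformat(value)
    return watch


def is_bygone(cert, domain, acquired):
    """Cert names the domain, predates its acquisition and is still valid then."""
    return (domain in cert.sans and cert.not_before < acquired
            and cert.not_after >= acquired)


def find_bygone(certs, watch):
    """{domain: [(serial, other SANs)]}: the domain is MitM-exposed to whoever
    holds the key; the other SANs are DoS-exposed if the cert gets revoked."""
    findings = {}
    for domain, acquired in watch.items():
        for cert in certs:
            if is_bygone(cert, domain, acquired):
                others = tuple(s for s in cert.sans if s != domain)
                findings.setdefault(domain, []).append((cert.serial, others))
    return findings


# Constructed sample: a 3-year cert from Feb 2018 outlives the April 2018 transfer.
WATCHLIST = "insecure.design valid_at:2018-04-18\n"
CERTS = (
    Cert("A1", date(2018, 2, 17), date(2021, 2, 17),
         ("insecure.design", "www.insecure.design", "shared.example")),
    Cert("B2", date(2018, 5, 2), date(2019, 5, 2), ("insecure.design",)),  # post-transfer
    Cert("C3", date(2015, 1, 1), date(2016, 1, 1), ("insecure.design",)),  # expired
)
```

Running find_bygone(CERTS, parse_watchlist(WATCHLIST)) flags only A1: B2 was issued after the transfer and C3 had already expired, so neither is Bygone.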