Insecure Design Demo

Demoing SSL certificates outliving their domain ownership


This is the demo site for BygoneSSL. It outlines what can happen when an SSL certificate outlives a change of ownership of one of its domains and stays valid for the next owner's domain.

BygoneSSL
Why is this a problem?

Well, aside from the fact that the previous domain owner could Man-in-the-Middle the new domain owner's SSL traffic for that domain, any certificate that lists the domain as an alt-name alongside other domains can be revoked, potentially causing a Denial-of-Service for those other domains if the shared certificate is still in use.


BygoneSSL

noun

An SSL certificate that was issued before its domain's current registration date and remains valid past it.

BygoneSSL Man in the Middle

If a company acquires a previously owned domain, the previous owner could still hold a valid certificate for it, which would allow them to MitM SSL connections to the domain using that prior certificate.

BygoneSSL Denial of Service

If a certificate has a subject alt-name for a domain that the certificate holder no longer owns, that certificate can be revoked even though it also covers other domains. If the shared certificate is still in use, revoking it knocks those other domains offline: a DoS.

Revoking

The CA/Browser Forum, which sets the rules by which Certificate Authorities and Browsers should operate, states that if any information in a certificate becomes incorrect or inaccurate it should be revoked. Additionally, if the domain registrant has failed to renew their domain, the CA should revoke the certificate within 24 hours.


insecure.design Timeline

February 16, 2018

insecure.design domain registered

February 16, 2018

3-year SSL certificate issued by CA

April 18, 2018

insecure.design domain transferred

April 18, 2018

Initial domain owner's certificate still valid for this site

June 22, 2018

Original domain owner revokes certificate

Certificate Screenshot
Demo Certificate

Screenshot of current SSL Certificate for insecure.design in Chrome on April 30, 2018

Certificate Transparency Details


WHOIS

WHOIS data before and after the transfer

February 16, 2018
$ whois insecure.design
Domain Name: INSECURE.DESIGN
Registry Domain ID: D61192062-CNIC
Registrar WHOIS Server: whois.namecheap.com
Registrar URL:
Updated Date: 2018-02-19T19:29:59.0Z
Creation Date: 2018-02-16T23:21:20.0Z
Registry Expiry Date: 2019-02-16T23:59:59.0Z
Registrar: Namecheap
Registrar IANA ID: 1068
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID: C178987232-CNIC
Registrant Name: Dylan Ayrey
Registrant Organization: **********
Registrant Street: **********
Registrant City: **********
Registrant State/Province: **
Registrant Postal Code: *****
Registrant Country: US
Registrant Phone: **********
Registrant Fax:
Registrant Email: **********
Registry Admin ID: C178987237-CNIC
Admin Name: Dylan Ayrey
Admin Organization: **********
Admin Street: **********
Admin City: **********
Admin State/Province: **
Admin Postal Code: *****
Admin Country: US
Admin Phone: **********
Admin Fax:
Admin Email: **********
Registry Tech ID: C178987242-CNIC
Tech Name: Dylan Ayrey
Tech Organization: **********
Tech Street: **********
Tech City: **********
Tech State/Province: **
Tech Postal Code: ****
Tech Country: US
Tech Phone: **********
Tech Fax:
Tech Email: **********
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
DNSSEC: unsigned
Registry Billing ID: C178987247-CNIC
Billing Name: Dylan Ayrey
Billing Organization: **********
Billing Street: **********
Billing City: **********
Billing State/Province: **
Billing Postal Code: *****
Billing Country: US
Billing Phone: **********
Billing Fax:
Billing Email: **********
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-02-20T06:35:47.0Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

This whois service is provided by CentralNic Ltd and only contains
information pertaining to Internet domain names registered by our
our customers. By using this service you are agreeing (1) not to use any
information presented here for any purpose other than determining
ownership of domain names, (2) not to store or reproduce this data in
any way, (3) not to use any high-volume, automated, electronic processes
to obtain data from this service. Abuse of this service is monitored and
actions in contravention of these terms will result in being permanently
blacklisted. All data is (c) CentralNic Ltd https://www.centralnic.com/

Access to the whois service is rate limited. For more information, please
see https://registrar-console.centralnic.com/pub/whois_guidance.
April 30, 2018
$ whois insecure.design
Domain Name: INSECURE.DESIGN
Registry Domain ID: D61192062-CNIC
Registrar WHOIS Server: whois.101domain.com
Registrar URL: https://101domain.com/
Updated Date: 2018-05-01T03:36:53.0Z
Creation Date: 2018-02-16T23:21:20.0Z
Registry Expiry Date: 2022-02-16T23:59:59.0Z
Registrar: 101domain GRS Limited
Registrar IANA ID: 1011
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: C179781872-CNIC
Registrant Name: Domain Admin
Registrant Organization: Domain Admin
Registrant Street: **********
Registrant City: **********
Registrant State/Province: **
Registrant Postal Code: *****
Registrant Country: US
Registrant Phone: **********
Registrant Fax:
Registrant Email: **********
Registry Admin ID: C179781872-CNIC
Admin Name: Domain Admin
Admin Organization: Domain Admin
Admin Street: **********
Admin City: **********
Admin State/Province: **
Admin Postal Code: **********
Admin Country: US
Admin Phone: **********
Admin Fax:
Admin Email: **********
Registry Tech ID: C179781872-CNIC
Tech Name: Domain Admin
Tech Organization: Domain Admin
Tech Street: **********
Tech City: **********
Tech State/Province: **
Tech Postal Code: *****
Tech Country: US
Tech Phone: **********
Tech Fax:
Tech Email: **********
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
DNSSEC: unsigned
Registry Billing ID: C179781872-CNIC
Billing Name: Domain Admin
Billing Organization: Domain Admin
Billing Street: **********
Billing City: **********
Billing State/Province: **
Billing Postal Code: *****
Billing Country: US
Billing Phone: **********
Billing Fax:
Billing Email: **********
Registrar Abuse Contact Email: abuse@101domain.com
Registrar Abuse Contact Phone: +1.7604448674
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-05-01T03:37:47.0Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

This whois service is provided by CentralNic Ltd and only contains
information pertaining to Internet domain names registered by our
our customers. By using this service you are agreeing (1) not to use any
information presented here for any purpose other than determining
ownership of domain names, (2) not to store or reproduce this data in
any way, (3) not to use any high-volume, automated, electronic processes
to obtain data from this service. Abuse of this service is monitored and
actions in contravention of these terms will result in being permanently
blacklisted. All data is (c) CentralNic Ltd https://www.centralnic.com/

Access to the whois service is rate limited. For more information, please
see https://registrar-console.centralnic.com/pub/whois_guidance.

Tools

CertGraph

An open source intelligence tool that crawls the graph of certificate Subject Alternate Names. It can be used to find both the DoS and the MitM variants of BygoneSSL. Use it with the following flags:

certgraph -depth 1 -driver google -ct-subdomains -cdn [DOMAIN]...

https://github.com/lanrat/certgraph

CertGraph Visualization UI

CertGraph

BygoneSSL Facebook Search Tool

Searches Facebook's Certificate Transparency API to find certificates that are Bygone. Requires Facebook OAuth. Helps find both the DoS and the MitM cases.

https://github.com/dxa4481/bygonessl

Search Facebook for BygoneSSL

CertSpotter

An updated version of SSLMate's CertSpotter log monitoring tool. A valid_at field has been added to the watch file so you are notified of certificates that were already valid on the given date, i.e. certificates that are Bygone.

https://github.com/lanrat/certspotter

Example Watchlist:

insecure.design valid_at:2018-04-18
defcon.org valid_at:1993-06-21
wikipedia.org valid_at:2001-01-13
toorcon.net valid_at:2012-03-13
CertSpotter with BygoneSSL
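As an added example (not part of the demo site or the CertSpotter fork), the check that the valid_at watchlist above encodes, applied to constructed certificate records shaped like the insecure.design timeline: a certificate is Bygone when it was issued before the watched date and is still valid on it, and any other names on that same certificate are the ones exposed in the DoS case.

```python
from collections import namedtuple
from datetime import date

Cert = namedtuple("Cert", "serial sans not_before not_after")

# Constructed watch file in CertSpotter's "domain valid_at:DATE" form; the
# date is when the current owner took over (insecure.design: 2018-04-18).
SAMPLE_WATCHLIST = """
insecure.design valid_at:2018-04-18
defcon.org valid_at:1993-06-21
"""
# Constructed certs modelled on the page's timeline: a 3-year cert issued when
# the domain was registered, one issued after the transfer, and a shared cert.
SAMPLE_CERTS = [
    Cert("demo-1", ["insecure.design"], date(2018, 2, 16), date(2021, 2, 16)),
    Cert("demo-2", ["insecure.design"], date(2018, 5, 1), date(2019, 5, 1)),
    Cert("demo-3", ["insecure.design", "unrelated.example"],
         date(2018, 3, 1), date(2020, 3, 1)),
]

def parse_watchlist(text):
    """Map each watched domain to the date its current owner took it over."""
    watch = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        tags = [p[len("valid_at:"):] for p in parts[1:] if p.startswith("valid_at:")]
        watch[parts[0].lower()] = date.fromisoformat(tags[0]) if tags else None
    return watch

def is_bygone(cert, valid_at):
    """Issued before the ownership change and still valid on that date."""
    return cert.not_before < valid_at <= cert.not_after

def find_bygone(certs, watch):
    """Return (serial, domain, risk): 'MitM' for the watched domain itself,
    'DoS:<names>' for other SANs that lose service if the shared cert is revoked."""
    findings = []
    for cert in certs:
        for name in cert.sans:
            valid_at = watch.get(name.lower())
            if valid_at is None or not is_bygone(cert, valid_at):
                continue
            findings.append((cert.serial, name, "MitM"))
            others = [s for s in cert.sans if s.lower() != name.lower()]
            if others:
                findings.append((cert.serial, name, "DoS:" + ",".join(others)))
    return findings
```

Certificate Transparency logs carry no revocation status, so the June 22 revocation in the timeline would not change what this check reports; confirm status via OCSP or a CRL before treating a match as live exposure.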

DEF CON Presentation


Impact