Skip to main content
SpringerLink
Log in
Book cover

International Conference on Applied Cryptography and Network Security

ACNS 2020: Applied Cryptography and Network Security Workshops pp 453–470Cite as

Exploring the Security of Certificate Transparency in the Wild

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12418)

Abstract

Certificate Transparency (CT) is proposed to detect fraudulent certificates and improve the accountability of CAs. CT as an open auditing and monitoring system is based on the idea that all CA-issued certificates are logged in a publicly accessible log server, and that CT-compliant browsers only accept publicly recorded certificates. The purpose of CT is to make all TLS server certificates issued by the CA publicly visible; once a fraudulent certificate is publicly published, it can be discovered by the domain name owner. In practice, the CT can achieve its intended purpose only when the three components (i.e., log server, monitor, and auditor) of the CT cooperate and work correctly and effectively. Compared with traditional PKI systems, the CT framework does not rely on a single trusted party, but as a distributed system that distributes trust guarantees to many CAs, log servers, auditors, and monitors. In this paper, we study the interaction among log servers, monitors, auditors, CAs, domain owners (or websites), browsers, and other components in practice, and then analyze the security impact of each component on the CT. We explore the security of CT framework in practice from multiple perspectives, and find that each component has many security vulnerabilities. Thus, the attackers might first exploit the vulnerability to disable the CT and then launch an attack using fraudulent certificates. The overall security guarantees of CT are jeopardized due to the weak protections of any components.

Keywords

  • Certificate Transparency (CT)
  • Fraudulent certificate
  • Trust management

This work was partially supported by National Natural Science Foundation of China (No. 62002011), Open Project of the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences (No. 2020-ZD-05, No. 2020-MS-08), NSF CNS-1422206, DGE-1565570, NSA Science of Security Initiative H98230-18-D-0009, and the Ripple University Blockchain Research Initiative.

This is a preview of subscription content, access via your institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

References

  1. Aertsen, M., Korczynski, M., Moura, G., et al.: No domain left behind: is let’s encrypt democratizing encryption? In: 2nd ANRW (2017)

    Google Scholar 

  2. Amann, J., Gasser, O., Scheitle, Q., et al.: Mission accomplished? HTTPS security after DigiNotar. In: 17th IMC (2017)

    Google Scholar 

  3. Apple Inc: Certificate transparency in Apple (2018). https://support.apple.com/en-us/HT205280

  4. CA/Browser Forum: Baseline requirements for the issuance and management of publicly-trusted certificates, version 1.6.1 (2018). https://cabforum.org/baseline-requirements-documents/

  5. Chuat, L., Szalachowski, P., Perrig, A., et al.: Efficient gossip protocols for verifying the consistency of certificate logs. In: 3rd IEEE CNS (2015)

    Google Scholar 

  6. Cloudflare Inc: Explore the certificate transparency ecosystem (2018). https://ct.cloudflare.com/

  7. Comodo Group Inc: Comodo report of incident (2011). https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

  8. Cooper, D., Santesson, S., et al.: IETF RFC 5280 - Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile (2008)

    Google Scholar 

  9. Cui, M., Cao, Z., Xiong, G.: How is the forged certificates in the wild: practice on large-scale SSL usage measurement and analysis. In: Shi, Y., et al. (eds.) ICCS 2018. LNCS, vol. 10862, pp. 654–667. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93713-7_62

    CrossRef  Google Scholar 

  10. Dahlberg, R., Pulls, T.: Verifiable light-weight monitoring for certificate transparency logs. In: Gruschka, N. (ed.) NordSec 2018. LNCS, vol. 11252, pp. 171–183. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03638-6_11

    CrossRef  Google Scholar 

  11. Dowling, B., Günther, F., Herath, U., Stebila, D.: Secure logging schemes and certificate transparency. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 140–158. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45741-3_8

    CrossRef  Google Scholar 

  12. Eckersley, P.: A Syrian man-in-the-middle attack against Facebook (2011). https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook

  13. Edgecombe, G.: Certificate transparency monitor (2018). https://ct.grahamedgecombe.com/

  14. Eskandarian, S., Messeri, E., Bonneau, J., et al.: Certificate transparency with privacy. In: 17th PETS (2017)

    Google Scholar 

  15. Gasser, O., Hof, B., Helm, M., Korczynski, M., Holz, R., Carle, G.: In log we trust: revealing poor security practices with certificate transparency logs and internet measurements. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 173–185. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76481-8_13

    CrossRef  Google Scholar 

  16. Google Inc: Certificate transparency over DNS (2016). https://github.com/google/certificate-transparency-rfcs/blob/master/dns/draft-ct-over-dns.md

  17. Google Inc: Certificate transparency (2018). http://www.certificate-transparency.org/

  18. Google Inc: Known logs (2018). http://www.certificate-transparency.org/known-logs

  19. Google Inc: Certificate transparency enforcement in google chrome (2020). https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/wHILiYf31DE/iMFmpMEkAQAJ

  20. Google Inc: Changing the roots of the non-temporally-sharded Google Logs (2020). https://groups.google.com/a/chromium.org/g/ct-policy/c/iOg8Jqc0XxU?pli=1

  21. Google Inc: Chromium certificate transparency policy (2020). https://github.com/chromium/ct-policy

  22. Google Inc: Continued Operation of Logs with Planned Turn Down Dates (2020). https://groups.google.com/a/chromium.org/g/ct-policy/c/i1NFmE7txNE?pli=1

  23. Gustafsson, J., Overier, G., Arlitt, M., Carlsson, N.: A first look at the CT landscape: certificate transparency logs in practice. In: Kaafar, M.A., Uhlig, S., Amann, J. (eds.) PAM 2017. LNCS, vol. 10176, pp. 87–99. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54328-4_7

    CrossRef  Google Scholar 

  24. Heather Adkins: An update on attempted man-in-the-middle attacks (2011). https://security.googleblog.com/2011/08/update-on-attempted-man-in-middle.html

  25. Kent, S.: IETF Draft - Attack and Threat Model for Certificate Transparency (2018)

    Google Scholar 

  26. Laurie, B., Langley, A., et al.: IETF RFC 6962 - Certificate transparency (2013)

    Google Scholar 

  27. Li, B., Chu, D., Lin, J., et al.: The weakest link of certificate transparency: exploring the TLS/HTTPS configurations of third-party monitors. In: 18th IEEE TrustCom (2019)

    Google Scholar 

  28. Li, B., Lin, J., Li, F., et al.: Certificate transparency in the wild: exploring the reliability of monitors. In: 26th AMC CCS (2019)

    Google Scholar 

  29. Liu, Y., Tome, W., Zhang, L.: An end-to-end measurement of certificate revocation in the web’s PKI. In: 15th IMC (2015)

    Google Scholar 

  30. Matsumoto, S., Szalachowski, P., Perrig, A.: Deployment challenges in log-based PKI enhancements. In: 8th EuroSec (2015)

    Google Scholar 

  31. Microsoft Inc: Certificate transparency in Microsoft (2018). https://blogs.msdn.microsoft.com/azuresecurity/2018/04/25/certificate-transparency/

  32. Morton, B.: More Google fraudulent certificates (2014). https://www.entrust.com/google-fraudulent-certificates/

  33. Mozilla: Certificate transparency in Mozilla (2018). https://wiki.mozilla.org/PKI:CT

  34. Nginx: Certificate transparency in Nginx (2018). http://www.certificate-transparency.org/resources-for-site-owners/nginx

  35. Nykvist, C., Sjöström, L., Gustafsson, J., Carlsson, N.: Server-side adoption of certificate transparency. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 186–199. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76481-8_14

    CrossRef  Google Scholar 

  36. OpenSSL: Certificate transparency in OpenSSL (2018). https://www.openssl.org/docs/man1.1.0/crypto/ct.html

  37. Opsmate Inc: How Cert Spotter Parses 255 Million Certificates (2020). https://sslmate.com/blog/post/how_certspotter_parses_255_million_certificates

  38. Scheitle, Q., Gasser, O., Nolte, T., et al.: The rise of certificate transparency and its implications on the Internet ecosystem. In: 18th IMC (2018)

    Google Scholar 

  39. Stark, E., Sleevi, R., Muminovic, R., et al.: Does certificate transparency break the web? Measuring adoption and error rate. In: 40th IEEE S&P (2019)

    Google Scholar 

  40. Tomescu, A., Bhupatiraju, V., Papadopoulos, D., et al.: Transparency logs via append-only authenticated dictionaries. In: 26th ACM CCS (2019)

    Google Scholar 

  41. University of Michigan: Censys (2018). https://censys.io/

  42. VanderSloot, B., Amann, J., et al.: Towards a complete view of the certificate ecosystem. In: 16th IMC (2016)

    Google Scholar 

  43. Wikipedia: Flame (malware) (2017). https://en.wikipedia.org/wiki/Flame_(malware)

  44. Wilson, K.: Distrusting new CNNIC certificates (2015). https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/

Download references

Author information

Authors and Affiliations

  1. School of Cyber Science and Technology, Beihang University, Beijing, 100191, China

    Bingyu Li & Qianhong Wu

  2. Department of Electrical Engineering and Computer Science, The University of Kansas, Lawrence, USA

    Fengjun Li

  3. School of Information Engineering, Ningxia University, Yinchuan, China

    Ziqiang Ma

  4. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093, China

    Bingyu Li & Ziqiang Ma

  5. Hangzhou Innovation Institute, Beihang University, Hangzhou, China

    Qianhong Wu

Authors
  1. Bingyu Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Fengjun Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ziqiang Ma
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Qianhong Wu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Bingyu Li .

Editor information

Editors and Affiliations

  1. Singapore University of Technology and Design, Singapore, Singapore

    Prof. Jianying Zhou

  2. University of Padua, Padua, Italy

    Prof. Mauro Conti

  3. Singapore University of Technology and Design, Singapore, Singapore

    Chuadhry Mujeeb Ahmed

  4. The University of Hong Kong, Hong Kong, Hong Kong

    Man Ho Au

  5. ICIS, Radboud University Nijmegen, Nijmegen, The Netherlands

    Prof. Dr. Lejla Batina

  6. University of California, Irvine, CA, USA

    Zhou Li

  7. University of Science and Technology of China, Hefei, China

    Jingqiang Lin

  8. University of Padua, Padua, Italy

    Eleonora Losiouk

  9. University of Kansas, Lawrence, KS, USA

    Bo Luo

  10. CIISE, Concordia University, Montréal, QC, Canada

    Suryadipta Majumdar

  11. Technical University of Denmark, Lyngby, Denmark

    Dr. Weizhi Meng

  12. AppGate Inc., Bogotá, Colombia

    Martín Ochoa

  13. Delft University of Technology, Delft, The Netherlands

    Stjepan Picek

  14. Stevens Institute of Technology, Hoboken, NJ, USA

    Georgios Portokalidis

  15. City University of Hong Kong, Hong Kong, China

    Cong Wang

  16. Chinese University of Hong Kong, Shatin, Hong Kong

    Kehuan Zhang

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Li, B., Li, F., Ma, Z., Wu, Q. (2020). Exploring the Security of Certificate Transparency in the Wild. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2020. Lecture Notes in Computer Science(), vol 12418. Springer, Cham. https://doi.org/10.1007/978-3-030-61638-0_25

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-61638-0_25

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-61637-3

  • Online ISBN: 978-3-030-61638-0

  • eBook Packages: Computer ScienceComputer Science (R0)

search

Navigation