CERTIFICATE TRANSPARENCY: when a new standard can improve your threat monitoring
Christophe Brocas, Thomas Damonneville, Caisse Nationale d'Assurance Maladie, Security team
A Google initiative launched in 2013 (RFC 6962), then standardized at the IETF.
Public CAs have to submit all certificates they sign to publicly auditable, append-only, cryptographically signed logs.
Benefit: capacity for all to see all publicly signed certificates.
Timeline:
→ EV certificates: 2015
→ all certificates: April 30, 2018
→ a full page warning in Chrome 68: July 24, 2018
THE ANSWER
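The "publicly auditable, append-only" property of an RFC 6962 log rests on a Merkle hash tree: the log publishes a signed tree head (root hash) and, for any logged certificate, an audit path that lets a monitor recompute that root. The following is an added example, not code from the presentation or from any log implementation: it builds the tree hash, audit path and inclusion check exactly as RFC 6962 section 2.1 defines them, over entries constructed here so it runs offline (a real log returns the path and root over its HTTP API, and the root must additionally be checked against the log's signature).

```python
"""RFC 6962-style Merkle tree hash, audit path and inclusion-proof check.

Added example: the entries are constructed byte strings standing in for
log entries; nothing here talks to a real log.
"""
import hashlib
from typing import List


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 2.1: a leaf is hashed with a 0x00 prefix, so a leaf can never be
    # confused with an interior node (second-preimage protection).
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # Interior nodes use a 0x01 prefix.
    return _sha256(b"\x01" + left + right)


def _split_point(n: int) -> int:
    # Largest power of two strictly smaller than n (n >= 2), as in RFC 6962.
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries: List[bytes]) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")  # MTH({}) is the hash of the empty string
    if n == 1:
        return leaf_hash(entries[0])
    k = _split_point(n)
    return node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


def audit_path(index: int, entries: List[bytes]) -> List[bytes]:
    """PATH(m, D[n]) from RFC 6962 section 2.1.1: sibling hashes, leaf to root."""
    n = len(entries)
    if n <= 1:
        return []
    k = _split_point(n)
    if index < k:
        return audit_path(index, entries[:k]) + [merkle_tree_hash(entries[k:])]
    return audit_path(index - k, entries[k:]) + [merkle_tree_hash(entries[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    """Recompute the root from a leaf hash and its audit path.

    Follows the iterative procedure of RFC 9162 section 2.1.3.2 (the successor
    of RFC 6962), which needs only the leaf index and the tree size.
    """
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf
    for p in path:
        if sn == 0:
            return False  # more path elements than the tree has levels
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # we are a right child: sibling sits on the left
            if not fn & 1:
                # Skip the levels where we were the only node on the right edge.
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # we are a left child
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


if __name__ == "__main__":
    # Constructed entries standing in for logged (pre-)certificates.
    entries = [b"cert-%d" % i for i in range(7)]
    root = merkle_tree_hash(entries)
    for i, entry in enumerate(entries):
        ok = verify_inclusion(leaf_hash(entry), i, len(entries),
                              audit_path(i, entries), root)
        print(i, "included" if ok else "NOT included")
```

A monitor that keeps the last signed tree head it saw can also ask the log for a consistency proof between two tree sizes; the same hashing primitives apply, and a log that cannot produce one has broken its append-only promise.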
The CT flow (slide diagram; actors: Web site, CA, Logs, Monitors, Browser):
1. Web site → CA: certificate request
2. CA → Logs: pre-certificate logging
3. Logs → CA: SCT (*) providing
4. CA → Web site: providing of certificate + SCT
5. Browser → Web site: TLS request
6. Web site → Browser: TLS answer with cert + SCT
(*) Signed Certificate Timestamp
Monitors: looking for certificates for our domain names.
Chrome 68 requires CT for all certificates signed after April 30, 2018.
Results
Example #1: abuse of our customers. cpam-{78,75,13,...}.fr, a service trying to abuse our customers (premium-rate telephone numbers, data theft)
→ service taken down
Limits
● TLS, not HTTP: we only detect hostnames for which a certificate has been signed.
● RegExp: if the hostname does not contain our searched keywords, no detection. And wildcards beat us too.
● Trust: the amount of distributed data led us to use an online service (CertStream). May we trust it?
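The monitoring step ("looking for certificates for our domain names") and the limits above can be shown in one piece of code. What follows is an added example, not the presentation's own tool: it scans CertStream-style records (the dict shape mimics CertStream's JSON, message_type / data.leaf_cert.all_domains / data.source.name, but every value below is constructed), matches a keyword RegExp against each name, skips our own allowlisted zone, deduplicates a certificate seen through several logs, and counts wildcard certificates, whose hostnames never appear in any log. The keyword list and allowlist are hypothetical.

```python
"""Keyword monitor over CertStream-style CT records (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Pattern

# Constructed CertStream-like messages (not real log data).
SAMPLE_MESSAGES: List[Dict] = [
    {"message_type": "certificate_update",
     "data": {"source": {"name": "constructed-log-a"},
              "leaf_cert": {"fingerprint": "AA:11",
                            "all_domains": ["cpam-78.example", "www.cpam-78.example"]}}},
    {"message_type": "certificate_update",  # same cert seen again through another log
     "data": {"source": {"name": "constructed-log-b"},
              "leaf_cert": {"fingerprint": "AA:11",
                            "all_domains": ["cpam-78.example", "www.cpam-78.example"]}}},
    {"message_type": "certificate_update",  # wildcard, no keyword: hosts beneath it stay invisible
     "data": {"source": {"name": "constructed-log-a"},
              "leaf_cert": {"fingerprint": "BB:22", "all_domains": ["*.example.org"]}}},
    {"message_type": "certificate_update",  # no keyword in the name: the RegExp misses it
     "data": {"source": {"name": "constructed-log-b"},
              "leaf_cert": {"fingerprint": "CC:33", "all_domains": ["secure-login.example"]}}},
    {"message_type": "certificate_update",  # our own zone: allowlisted, no alert
     "data": {"source": {"name": "constructed-log-a"},
              "leaf_cert": {"fingerprint": "DD:44",
                            "all_domains": ["www.assurance-maladie.example"]}}},
    {"message_type": "certificate_update",  # wildcard that does carry a keyword
     "data": {"source": {"name": "constructed-log-b"},
              "leaf_cert": {"fingerprint": "EE:55", "all_domains": ["*.cpam-13.example"]}}},
    {"message_type": "heartbeat", "data": {}},  # CertStream also sends heartbeats
]

KEYWORDS = ["cpam", "assurance-maladie"]    # hypothetical watch list
ALLOWLIST = {"assurance-maladie.example"}   # hypothetical legitimate zone


@dataclass
class ScanResult:
    scanned: int = 0        # distinct certificates examined
    wildcards: int = 0      # certificates containing a wildcard name
    alerts: List[Dict] = field(default_factory=list)


def build_pattern(keywords: Iterable[str]) -> Pattern:
    # Plain substring match, like the keyword RegExp in the talk;
    # case-insensitive because DNS names are.
    return re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)


def is_allowlisted(host: str, allowlist: Iterable[str]) -> bool:
    host = host[2:] if host.startswith("*.") else host
    return any(host == zone or host.endswith("." + zone) for zone in allowlist)


def scan(messages: Iterable[Dict], keywords: Iterable[str],
         allowlist: Iterable[str]) -> ScanResult:
    pattern = build_pattern(keywords)
    result = ScanResult()
    seen = set()
    for msg in messages:
        if msg.get("message_type") != "certificate_update":
            continue
        leaf = msg["data"]["leaf_cert"]
        fp = leaf.get("fingerprint")
        if fp in seen:          # the same certificate is usually logged in several logs
            continue
        seen.add(fp)
        result.scanned += 1
        hosts = [h.lower() for h in leaf.get("all_domains", [])]
        has_wildcard = any(h.startswith("*.") for h in hosts)
        if has_wildcard:
            result.wildcards += 1
        hits = [h for h in hosts if pattern.search(h) and not is_allowlisted(h, allowlist)]
        if hits:
            result.alerts.append({"fingerprint": fp,
                                  "log": msg["data"]["source"]["name"],
                                  "hosts": hits,
                                  "wildcard": has_wildcard})
    return result


if __name__ == "__main__":
    res = scan(SAMPLE_MESSAGES, KEYWORDS, ALLOWLIST)
    print(f"{res.scanned} certificates, {res.wildcards} with wildcards, {len(res.alerts)} alerts")
    for alert in res.alerts:
        print(alert)
```

The run over the constructed input illustrates each limit from the slide: the secure-login.example certificate is never flagged because none of the keywords appear in it, *.example.org is counted but cannot reveal the hostnames issued under it, and only the two cpam-* certificates raise alerts. Trust in the feed itself (the third limit) is not something code can settle; running your own log follower against the logs' public APIs, or comparing two independent feeds, is the usual answer.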
Conclusion
● low cost: tools and services are there, you just have to use them
● efficiency: informed before the attack comes online
● no longer blind: a vision at Internet scale