DOI: 10.1145/3338498.3358655
Short paper, Public Access

When Certificate Transparency Is Too Transparent: Analyzing Information Leakage in HTTPS Domain Names

Published: 11 November 2019

Abstract

Certificate Transparency (CT) is a recent initiative to log all publicly available certificates, thereby adding an extra layer of accountability and auditability to certificate authorities. Unbeknownst to most users and website administrators, CT logs make all data in all certificates available publicly and permanently. Although certificates are ostensibly intended to be public (after all, their main purpose is to convey an entity's public key), administrators may inadvertently include information that can be mined by anyone. For instance, CT logs contain certificates for subdomains, which naturally facilitates subdomain enumeration. This paper asks: is there other, more sensitive information included in certificates?
We identify several types of user and enterprise information embedded within the domain names of certificates in CT logs. We provide queries for obtaining information such as users' names, usernames, and email addresses. We also find that CT logs can leak private enterprise information, such as business relationships, user growth measurements, and the existence of internal projects prior to their public announcements. We report initial results on how often and across how many domains information is leaked. Finally, we discuss areas of future work and potential countermeasures that administrators can take.
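As an added example (not code from the paper), the following Python audits the SAN names of an organisation's own certificates, as a CT monitor would report them, for the leakage patterns the abstract names: personal names in subdomain labels, e-mail-style local parts, and bursts of per-user subdomains that expose user growth. The name list, the assumed `user-at-domain` label encoding and the sample entries are constructed for the example.

```python
import re
from collections import Counter

# Constructed stand-in for the name corpora the paper matches labels against.
KNOWN_NAMES = {"alice", "bob", "carol", "smith", "jones"}
# Assumed encoding of an e-mail address as a label, e.g. "bob-at-example-com".
EMAIL_LIKE = re.compile(r"^[a-z0-9.]+-at-[a-z0-9-]+$")

def leaky_labels(san):
    """Return (kind, label) findings for one SAN name; [] if nothing is flagged."""
    findings = []
    labels = san.lower().split(".")
    for label in labels[:-2]:  # leave the registrable domain itself alone
        if EMAIL_LIKE.match(label):
            findings.append(("email", label))
        tokens = [t for t in re.split(r"[-_.0-9]+", label) if t]
        if any(t in KNOWN_NAMES for t in tokens):
            findings.append(("name", label))
    return findings

def user_growth(entries, parent):
    """Count first-seen direct children of `parent` per issuance month.
    Renewals are skipped: only a new name reveals a new user to a log reader."""
    seen, per_month = set(), Counter()
    for issued, sans in entries:
        for san in sans:
            is_child = san.endswith("." + parent) and san.count(".") == parent.count(".") + 1
            if is_child and san not in seen:
                seen.add(san)
                per_month[issued[:7]] += 1
    return dict(per_month)

def audit(entries):
    """Map every SAN that has at least one finding to its findings."""
    return {san: f for _, sans in entries for san in sans if (f := leaky_labels(san))}

# Constructed CT-monitor output for example.com: (issuance date, SAN list).
ENTRIES = [
    ("2019-01-03", ["www.example.com", "alice-smith.dev.example.com"]),
    ("2019-01-20", ["u1001.users.example.com", "u1002.users.example.com"]),
    ("2019-02-02", ["bob-at-example-com.mail.example.com", "u1003.users.example.com"]),
    ("2019-02-15", ["u1001.users.example.com"]),  # renewal, not a new user
]

if __name__ == "__main__":
    for san, findings in audit(ENTRIES).items():
        print(san, findings)
    print(user_growth(ENTRIES, "users.example.com"))  # {'2019-01': 2, '2019-02': 1}
```

Running this before a certificate is requested (on the planned SAN list) catches the leak before it becomes permanent in the log; running it over a monitor's history shows what is already public.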

Published In

WPES'19: Proceedings of the 18th ACM Workshop on Privacy in the Electronic Society
November 2019
228 pages
ISBN:9781450368308
DOI:10.1145/3338498

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. certificate transparency
  2. https
  3. information leakage

Qualifiers

  • Short-paper

Conference

CCS '19

Acceptance Rates

Overall Acceptance Rate 106 of 355 submissions, 30%

Cited By

  • (2024) Propagating Threat Scores with a TLS Ecosystem Graph Model Derived by Active Measurements. 2024 8th Network Traffic Measurement and Analysis Conference (TMA), pp. 1-11. DOI: 10.23919/TMA62044.2024.10559063. Online publication date: 21 May 2024.
  • (2024) Investigate and Improve the Certificate Revocation in Web PKI. NOMS 2024 - 2024 IEEE Network Operations and Management Symposium, pp. 1-5. DOI: 10.1109/NOMS59830.2024.10575605. Online publication date: 6 May 2024.
  • (2023) Distributed Public Key Certificate-Issuing Infrastructure for Consortium Certificate Authority Using Distributed Ledger Technology. Security and Communication Networks, vol. 2023. DOI: 10.1155/2023/9559439. Online publication date: 1 January 2023.
  • (2023) Semi-CT: Certificates Transparent to Identity Owners but Opaque to Snoopers. 2023 IEEE Symposium on Computers and Communications (ISCC), pp. 1207-1213. DOI: 10.1109/ISCC58397.2023.10217862. Online publication date: 9 July 2023.
  • (2023) Blockchain and Edge Computing for IoT Advancements. 2023 IEEE International Conference on ICT in Business Industry & Government (ICTBIG), pp. 1-6. DOI: 10.1109/ICTBIG59752.2023.10456203. Online publication date: 8 December 2023.
  • (2023) Certifiably Vulnerable: Using Certificate Transparency Logs for Target Reconnaissance. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), pp. 817-831. DOI: 10.1109/EuroSP57164.2023.00053. Online publication date: July 2023.
  • (2022) The Invisible Side of Certificate Transparency: Exploring the Reliability of Monitors in the Wild. IEEE/ACM Transactions on Networking, vol. 30, no. 2, pp. 749-765. DOI: 10.1109/TNET.2021.3123507. Online publication date: April 2022.
  • (2021) TLS 1.3 in Practice: How TLS 1.3 Contributes to the Internet. Proceedings of the Web Conference 2021, pp. 70-79. DOI: 10.1145/3442381.3450057. Online publication date: 19 April 2021.
  • (2021) PoliCT: Flexible Policy in Certificate Transparency Enabling Lightweight Self-monitor. Applied Cryptography and Network Security Workshops, pp. 358-377. DOI: 10.1007/978-3-030-81645-2_21. Online publication date: 22 July 2021.
  • (2020) Comparative Analysis of Subdomain Enumeration Tools and Static Code Analysis. Journal of Mechanics of Continua and Mathematical Sciences, vol. 15, no. 6. DOI: 10.26782/jmcms.2020.06.00013. Online publication date: 24 June 2020.