Abusing Certificate Transparency
Or how to hack Web Applications before Installation
Can we trust Certificate Authorities?
CAs are bad, we need to get rid of them
Popular Infosec opinion
Nobody has a feasible plan for how to replace CAs
HTTP Public Key Pinning (HPKP)
Certificate Authority Authorization (CAA)
Merkle hash trees, Signed Certificate Timestamps (SCT), Signed Tree Heads (STH), precertificates, monitors, gossip, ...
Next year (April 2018) Chrome will require CT logging for all newly issued certificates
The CA watchdog
Anyone can check the logs for suspicious activity, e.g. certificates issued for domains they own but never requested
Certificate Transparency is also a data source
Let's talk about something else
Old technique: Google dorking for web installers
There is a time window between uploading the application's files and completing the installer, during which the unauthenticated setup page is reachable by anyone who knows the host name
Remember: CT gives us a feed of newly created host names
Monitor CT logs, extract host names
Check hosts for common installers
If an installer is found: install the application ourselves
Upload a plugin containing a code-execution backdoor
Point the installer at a database host the attacker controls
Logged certificates don't become visible in the log immediately (a delay of around 30 minutes)
Instead of checking each site once, one could check it several times during the window
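The pipeline on the previous lines, written out as an added example (this is not the tool from the talk and not any vendor's code). It parses a CT log leaf_input as returned by a log's get-entries endpoint, pulls the DNS names out of the logged certificate, and turns them into the installer URLs a scanner would request. The installer path list is an assumption for illustration; the leaf used at the end is constructed from a freshly generated self-signed certificate so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Paths probed on each freshly logged host (assumed list: the WordPress and Joomla installers
// plus the front controller that serves the Nextcloud/ownCloud setup wizard).
var installerPaths = []string{"/wp-admin/install.php", "/installation/index.php", "/index.php"}

// hostnamesFromLeaf parses one base64 leaf_input from a log's get-entries response. The
// layout (RFC 6962 MerkleTreeLeaf) is version(1) leaf_type(1) timestamp(8) entry_type(2)
// followed by the entry; for entry_type 0 (x509_entry) that is a 3-byte length and the DER
// certificate. entry_type 1 (precert_entry) carries a 32-byte issuer_key_hash and a bare
// TBSCertificate instead, which needs its own ASN.1 walk, so it is rejected here rather
// than misparsed.
func hostnamesFromLeaf(leafInputB64 string) ([]string, error) {
	leaf, err := base64.StdEncoding.DecodeString(leafInputB64)
	if err != nil {
		return nil, err
	}
	if len(leaf) < 15 || leaf[0] != 0 || leaf[1] != 0 {
		return nil, errors.New("not a v1 timestamped_entry leaf")
	}
	if t := binary.BigEndian.Uint16(leaf[10:12]); t != 0 {
		return nil, fmt.Errorf("entry_type %d not handled (0 = x509_entry)", t)
	}
	rest := leaf[12:]
	n := int(rest[0])<<16 | int(rest[1])<<8 | int(rest[2]) // opaque ASN.1Cert<1..2^24-1>
	if n == 0 || len(rest) < 3+n {
		return nil, errors.New("certificate length exceeds leaf")
	}
	cert, err := x509.ParseCertificate(rest[3 : 3+n])
	if err != nil {
		return nil, err
	}
	return cert.DNSNames, nil // subjectAltName dNSName entries, in certificate order
}

// installerURLs lists the URLs a scanner would request for each name; wildcard names give
// no concrete host to probe and are skipped.
func installerURLs(names []string) (urls []string) {
	for _, h := range names {
		if strings.HasPrefix(h, "*.") {
			continue
		}
		for _, p := range installerPaths {
			urls = append(urls, "https://"+h+p)
		}
	}
	return urls
}

// demoLeaf fabricates an x509_entry leaf for a fresh self-signed certificate so the parser
// can be exercised offline. Constructed test data: real leaves come from /ct/v1/get-entries.
func demoLeaf(names []string) string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: names[0]},
		DNSNames: names, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf := make([]byte, 12) // version 0, leaf_type 0, timestamp 0, entry_type 0 (x509_entry)
	leaf = append(leaf, byte(len(der)>>16), byte(len(der)>>8), byte(len(der)))
	leaf = append(append(leaf, der...), 0, 0) // certificate, then empty CtExtensions
	return base64.StdEncoding.EncodeToString(leaf)
}

func main() {
	names, err := hostnamesFromLeaf(demoLeaf([]string{"shop.example.org", "*.example.org"}))
	if err != nil {
		panic(err)
	}
	for _, u := range installerURLs(names) {
		fmt.Println("probe", u) // a real scanner would GET this and fingerprint the response
	}
}
```

In practice the input comes from polling a log's get-entries endpoint for new indices; because entries only show up in the log some time after issuance, the scanner should request each host more than once over the following hours. Precertificate entries, which most logs are full of, need a separate TBSCertificate parser before their names can be extracted; this example deliberately errors on them instead of guessing.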
5000 WordPress installations within three months.
500 x Joomla, 120 x Nextcloud, 70 x ownCloud.
Installers need authentication
Application programmers want easy installations
Proposed fix: the web app creates a file with a random token on the server, and the user has to read that file and enter the token before the installer runs
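One way to build that token gate, as an added example in Go (not any of the vendors' code, whose installers are PHP): the installer writes a random secret to a file outside the web root, compares the presented value in constant time, and fails closed when the file is missing. The handler, paths and the use of a query parameter are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
)

// writeInstallToken generates the one-time secret and stores it where only someone with
// file-system (shell/FTP) access can read it: a directory the web server does not serve.
func writeInstallToken(path string) error {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return err
	}
	return os.WriteFile(path, []byte(hex.EncodeToString(b)), 0o600)
}

// tokenValid reads the stored token and compares in constant time. Any failure to read
// the file keeps the installer closed (fail closed).
func tokenValid(path, presented string) bool {
	stored, err := os.ReadFile(path)
	if err != nil || len(stored) == 0 {
		return false
	}
	return subtle.ConstantTimeCompare(stored, []byte(presented)) == 1
}

// guardInstaller wraps the installer handler: without a matching ?token= the request
// gets a 403 instead of the setup form, so a scanner sees nothing to complete.
func guardInstaller(tokenPath string, installer http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !tokenValid(tokenPath, r.URL.Query().Get("token")) {
			http.Error(w, "installer locked: enter the token from "+filepath.Base(tokenPath), http.StatusForbidden)
			return
		}
		installer.ServeHTTP(w, r)
	})
}

// probeInstaller sends the request an attacker's scanner would send and returns the status.
func probeInstaller(h http.Handler, url string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, url, nil))
	return rec.Code
}

func main() {
	dir, err := os.MkdirTemp("", "install") // stands in for a directory outside the web root
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	tokenPath := filepath.Join(dir, "install-token.txt")
	if err := writeInstallToken(tokenPath); err != nil {
		panic(err)
	}
	installer := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "setup form")
	})
	h := guardInstaller(tokenPath, installer)
	token, _ := os.ReadFile(tokenPath) // what the legitimate admin does on the server
	fmt.Println(probeInstaller(h, "/wp-admin/install.php"), probeInstaller(h, "/wp-admin/install.php?token="+string(token)))
}
```

The point the vendors pushed back on is visible here: the admin has to touch the server's file system once, which is exactly the step that makes installation less convenient but denies the attacker, who only has HTTPS access to the host name.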
Drupal, Typo3, ownCloud: no reaction
WordPress, Nextcloud, Serendipity participated in a cross-vendor discussion, but took no action
It still allows creating an SQLite database
Can this be exploited?
This was my idea, but I don't like it
Defending as a user is hard
We need fixes from vendors
Do attackers already use this?
x.x.x.x - - [09/Jul/2017:12:03:03 +0200] "GET / HTTP/1.0" 403 1664 "-" "Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +firstname.lastname@example.org)"
Unauthenticated installers are a security risk
No more secret hostnames
Certificate Transparency is a valuable data source for attackers and defenders