Search CT Logs for Misconfigured SSL Certificates - Hexafusion Blog | Hexafusion


Search CT Logs for Misconfigured SSL Certificates

Recent research revealed how enterprises can make mistakes while deploying security certificates and inadvertently expose company information to malicious actors, but this Tech Tip illustrates how to identify misconfigured certificates before they can cause any issues.

SSL/TLS certificates are issued by certificate authorities to authenticate and secure browser connections. Encryption ensures malicious actors are not able to steal, eavesdrop on, or manipulate online communications while they are in transit during those browser sessions.

In an analysis of over 900 million public SSL/TLS certificates and associated events, researchers from Detectify Labs discovered that many certificates were exposing information that attackers could use to map out the attack surface, or were misconfigured in ways attackers could take advantage of. Domain owners need to continually monitor their SSL certificates for weaknesses or suspicious behavior before they are abused by attackers, says Fredrik Nordberg Almroth, co-founder and security researcher at Detectify.

Track Misconfigured Certs With CT

Certificate Transparency, an open framework for auditing certificates, is one way to find certificates that may be exposing too much information or have been misconfigured, Almroth says. Since CT logs are publicly available, public search tools – such as the web interface or -- can be used to query for certificates and the information they contain.

Tools such as and Censys let domain owners search for a given domain and collect various subdomains and email addresses that are associated with the domain, Almroth says. One way to identify old and insecurely signed certificates is to run search queries for weak hash algorithms on Censys.

[Figure: A search for certificates that use the cryptographically broken but still widely used "MD5" algorithm]
[Figure: Results for certificates using the SHA-1 algorithm]

"There are several ways an attacker could use public information about SSL/TLS certificates to map out a company's attack surface to understand where the weaknesses are,” Almroth wrote in a summary of the team’s research.

Certificates Expose Too Much Info

Detectify Labs researchers discovered that the “overwhelming majority of newly certified domains” had names descriptive enough to reveal potentially sensitive information. The names could help an attacker map out different systems and applications in the company’s environment or identify specific teams and projects to target in social engineering campaigns. If the domain name refers to a product still in development, that fact could tip off the existence of the product to competitors and allow them to potentially undermine the product before it comes to market.

Information about the certificates, such as their expiration date or the algorithm used to sign them, could also create new entry points into the organization's infrastructure, the researchers said in the Detectify report. For example, an attacker could create another certificate with the same signature, masquerade as the targeted service, and intercept online communications.

Finally, about 13% of the data set analyzed by the researchers used wildcard certificates, which are susceptible to Application Layer Protocols Allowing Cross-Protocol Attack (ALPACA). ALPACA can be used to trick servers with unencrypted protocols into executing cross-site scripting attacks or to steal cookies and user data.
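An added example, not from the article or from Detectify's tooling, that applies the checks the article describes, weak signature hashes and subdomain collection from the CT search section and wildcard names, expiry and descriptive hostnames from this section, to a few constructed CT-style records. The record shape, the sensitive-word list, the audit date and the example.com names are assumptions, not any real tool's output:

```python
import re
from datetime import datetime, timezone

# Constructed sample records in a simplified shape (not the output format of
# any real CT search tool): names on the certificate, signature algorithm
# and expiry. AS_OF is the constructed audit date used for expiry checks.
SAMPLE_RECORDS = [
    {"names": ["www.example.com", "example.com"],
     "sig_alg": "sha256WithRSAEncryption", "not_after": "2023-06-01T00:00:00Z"},
    {"names": ["legacy-vpn.example.com"],
     "sig_alg": "sha1WithRSAEncryption", "not_after": "2021-03-01T00:00:00Z"},
    {"names": ["*.example.com"],
     "sig_alg": "sha256WithRSAEncryption", "not_after": "2023-01-01T00:00:00Z"},
    {"names": ["project-falcon-beta.dev.example.com", "jenkins.internal.example.com"],
     "sig_alg": "ecdsa-with-SHA384", "not_after": "2022-12-31T00:00:00Z"},
    {"names": ["mail.example.com"],
     "sig_alg": "md5WithRSAEncryption", "not_after": "2022-09-01T00:00:00Z"},
]
AS_OF = datetime(2022, 1, 24, tzinfo=timezone.utc)

# Hashes the article calls broken; the lookahead stops "sha1" matching the
# start of a longer digit run in some other algorithm name.
WEAK_HASH = re.compile(r"(md5|sha1)(?!\d)")
# Hostname labels that hint at internal tooling or unreleased work (assumed list).
SENSITIVE_LABELS = {"beta", "dev", "staging", "internal", "jenkins", "vpn", "project"}

def triage(record, now):
    """Return the findings for one record, in a fixed order."""
    findings = []
    if WEAK_HASH.search(record["sig_alg"].lower()):
        findings.append("weak-signature-hash:" + record["sig_alg"])
    if any(n.startswith("*.") for n in record["names"]):
        findings.append("wildcard")  # exposure to ALPACA-style cross-protocol abuse
    not_after = datetime.strptime(record["not_after"], "%Y-%m-%dT%H:%M:%SZ")
    if not_after.replace(tzinfo=timezone.utc) < now:
        findings.append("expired")
    for name in record["names"]:
        if SENSITIVE_LABELS & set(re.split(r"[.-]", name.lower())):
            findings.append("descriptive-name:" + name)
    return findings

def inventory(records, apex):
    """Distinct concrete hostnames under apex (wildcards excluded): the subdomain
    list a domain owner reconciles against their own asset inventory."""
    hosts = {n.lower() for r in records for n in r["names"]
             if (n == apex or n.endswith("." + apex)) and not n.startswith("*.")}
    return sorted(hosts)

def audit(records, now):
    """Map each record's first name to its findings, dropping clean records."""
    report = {r["names"][0]: triage(r, now) for r in records}
    return {k: v for k, v in report.items() if v}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RECORDS, AS_OF).items():
        print(name, findings)
    print("hosts:", inventory(SAMPLE_RECORDS, "example.com"))
```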

"SSL/TLS certificates make the internet a safer place, but many companies are unaware that their certificates can become a looking glass into the organization -- potentially leaking confidential information and creating new entry points for attackers," the researchers said.

Original author: Dark Reading Staff, Dark Reading
Monday, 24 January 2022