TY - GEN
T1 - The rise of certificate transparency and its implications on the internet ecosystem
AU - Scheitle, Quirin
AU - Gasser, Oliver
AU - Nolte, Theodor
AU - Amann, Johanna
AU - Brent, Lexi
AU - Carle, Georg
AU - Holz, Ralph
AU - Schmidt, Thomas C.
AU - Wählisch, Matthias
N1 - Publisher Copyright:
© 2018 Copyright held by the owner/author(s). Publication rights licensed to ACM.
PY - 2018/10/31
Y1 - 2018/10/31
AB - In this paper, we analyze the evolution of Certificate Transparency (CT) over time and explore the implications of exposing certificate DNS names from the perspective of security and privacy. We find that certificates in CT logs have seen exponential growth. Website support for CT has also constantly increased, with now 33% of established connections supporting CT. With the increasing deployment of CT, there are also concerns of information leakage due to all certificates being visible in CT logs. To understand this threat, we introduce a CT honeypot and show that data from CT logs is being used to identify targets for scanning campaigns only minutes after certificate issuance. We present and evaluate a methodology to learn and validate new subdomains from the vast number of domains extracted from CT logged certificates.
KW - Certificate Transparency
KW - Honeypot
KW - Phishing
UR - http://www.scopus.com/inward/record.url?scp=85058186131&partnerID=8YFLogxK
U2 - 10.1145/3278532.3278562
DO - 10.1145/3278532.3278562
M3 - Conference contribution
AN - SCOPUS:85058186131
T3 - Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC
SP - 343
EP - 349
BT - IMC 2018 - Proceedings of the Internet Measurement Conference
PB - Association for Computing Machinery
T2 - 2018 Internet Measurement Conference, IMC 2018
Y2 - 31 October 2018 through 2 November 2018
ER -