What are SSL Certificates?
Secure Socket Layer (SSL) certificates, also known as Transport Layer Security (TLS) certificates or SSL/TLS certificates, are a form of digital signature issued to domain owners with the goal of verifying the ownership of that domain for the purposes of establishing secure connections between the user and the domain. Whenever an internet user visits a website with “https” in the URL, this indicates a valid SSL certificate is being used to establish a secure, encrypted connection between the user and the website.
In theory, SSL certificates should be highly difficult to forge, though this is not always the case, as we will see below. Therefore, it is not always enough to simply “trust” a website, even if your browser says that the site is safe. In addition, it is highly important to monitor new certificates in order to verify that no one else is using your organization’s name to sign their certificate, as that certificate may be involved in nefarious activity.
What Happens if SSL Certificates are Compromised?
In 2016, a criminal gang called Carbanak pulled off an unprecedented heist against a major Brazilian bank by forging the bank’s SSL certificates. This allowed the gang to direct all internet traffic across all of the bank’s domains to go to Carbanak’s custom built replica phishing sites, where they collected usernames and passwords of any user who attempted to log on over a span of five to six hours. It is also believed that the commandeering of these domains resulted in all ATM and credit card traffic also being routed to Carbanak’s phishing collectors.
Normally, when an attacker sets up a phishing site, he or she refrains from purchasing valid SSL certificates. In this case, however, Carbanak not only purchased certificates for each domain the bank owned but purchased them using a name similar enough to the bank that no alarm bells were triggered in users’ browsers’ security protocols.
Carbanak had purchased the certificates six months before the heist, prompting the certificate issuer to release a statement saying that there was no indication of fraud in the transaction, indicating that the group already had full control over the bank’s domains and DNS records by that time.
SSL Certificate Abuses
The Carbanak example above illustrates an extreme version of SSL certificate abuse. However, the past few years have seen multiple examples of certificate authorities (CA) issuing certificates with names of legitimate organizations to recipients who are not associated with those organizations.
For example, Google has stopped trusting Symantec-issued certificates in the wake of the issuance of several thousand certificates to domains not associated with the organization claimed in the certificate. Let’s Encrypt, a CA operated by the Linux Foundation, has also come under fire after issuing several thousand certificates with the term PayPal in them, despite the certificate holders not being associated with PayPal.
Although Google and other browsers have forced the CAs to adopt better issuance policies, the potential for mis-issuance of certificates remains relatively high. Thus, it is in the interest of any organization with a web presence to conduct an audit of its SSL certificates in order to verify that there are no certificates using that organization’s name floating around the internet.
Auditing and Investigating SSL Certificates
Let’s look at an example. Sticking with a banking theme, we can run a search for wellsfargo.com and see what sort of certificates are available:
The second search result above shows a certificate issued for a subdomain parked on the wellsfargo.com domain and issued to the Wells Fargo Public Trust Certification Authority. It is an Organization Validated TLS certificate owned by Wells Fargo and Company.
However, the organization of the first search result above is Wells Fargo NA, but the certificate common name (CN) belongs to the Balabat Certification Root Authority and is linked to a domain which has nothing in common with Wells Fargo.
In and of itself, this domain does not appear to be part of any sort of fraud campaign against Wells Fargo. However, the associated with the SSL certificate warrants a closer look into the domain and any possible connections it may have with Wells Fargo in order to verify that it is not a threat to the bank’s customers or operations.
Maintaining Compliance to Regulations with Certificate Audits
Commercial organizations that need to comply with the GDPR need to use HTTPS and valid certificates to authenticate and encrypt communications. While auditing digital footprint is essential in maintaining security resilience, continuous monitoring and situation awareness demonstrates personally identifiable information is being transferred properly to meet data protection requirements. If organizations are not required to comply with the GDPR, auditing SSL certificates is a best practice as part of an organization’s overall governance and digital footprint hygiene.
Government organizations such as US federal agencies have audit requirements that are directly related to auditing certificates. On January 22, 2019, the US Department of Homeland Security issued Emergency Directive 19-01 as a response of “a series of incidents involving [DNS] infrastructure tampering. The fourth action point of this directive commands that all government agencies “begin regular delivery of newly added certificates to [the] Certificate Transparency Logs (CT logs for agency domains”. While this directive is part of an overall, standard DNS audit function, using certificate discovery to assure DNS footprint and certificate footprint are in lockstep at all times is an important control that supports this effort. Secondly, auditing and monitoring certificate footprint is contributory to compliance with Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations.
Learn More about DigitalStakeout Tools.