PRESS INFORMATION – New research from Detectify Labs: Don’t let your SSL certificates give away your company secrets.
SSL/TLS certificates make the internet a safer place, but many companies are unaware that their certificates can become a looking glass into the organisation – potentially leaking confidential information and creating new entry points for attackers.
Cyber criminals are constantly monitoring growing external attack surfaces to find exploitable weaknesses. Since July 2021, Detectify’s research arm Detectify Labs has collected and analysed over 900 million public SSL/TLS certificates and uncovered some SSL/TLS pitfalls that can lead to company data being exposed or compromised by malicious actors. The main findings include risks associated with using descriptive domain names and so called wildcard certificates.
This write-up summarizes the findings so far, highlights risks associated with SSL certificates, and how to mitigate them. A technical report with full details on the research and around SSL risks, is available separately upon request.
Background: What are SSL/TLS certificates and why are they important?
An SSL/TLS certificate is a digital certificate that authenticates a website’s identity and keeps the connection between the user and the website secure and private by encrypting it. When you see a padlock icon next to the URL in your web browser, it means the domain you are visiting is SSL/TLS protected. Domains lacking a certificate don’t qualify for an HTTPS web address and will be tagged as “not secure” by most web browsers. If the connection is unencrypted, someone can eavesdrop on the traffic and see the information sent between you and the website you are interacting with. This could also mean seeing sensitive data such as login details and credit card information entered into forms.
The functionality of monitoring SSL data is not novel. In fact, continuously monitoring one’s certificates should be part of every organisation’s efforts to protect their external attack surface, and it has been a feature of Detectify’s online surface monitoring tool for several years.
SSL/TLS certificates are issued by trusted certificate authorities (“CA”). In 2021, the issuing process was made public for both internal and external domains, meaning that anyone on the internet can monitor which domains are getting certificates, and what kind of certificates they get. The data can provide insight into the architecture, software and products used and served by organizations internally and externally – information that a malicious actor could leverage.
Researchers at Detectify were curious to see what patterns around SSL security could be revealed from collecting and wrangling these millions of publicly available data points.
Since July 2021, Detectify’s team has collected close to 10 million certificate logs every day from the public process of issuing SSL/TLS certificates. So far, over 900 million events generated from issuing organisations including but not limited to Let’s Encrypt, Digicert, Amazon and Google have been documented and analysed.
Descriptive names exposing company secrets
The analysts found that an overwhelming majority of newly certified domains had been given descriptive names. This may sound harmless but can actually be a business information risk, explains Fredrik Nordberg Almroth, co-founder and senior security researcher at Detectify:
“Many domains get certified in the staging phase of the development cycle, before they are publicly launched. Let’s say company X is working on product Y and deploys its domain to staging using next-generation-of-product-Y.staging.companyX.com, 6 months before its public release. That gives competitors half a year to do marketing or other efforts that could drive traffic away from the future announcement. Make sure to always choose code names or random strings over descriptive product names when deploying new domain names.
Widely used wildcard certificates open the door to new hacking techniques
The data also reveals information about the certificates that an attacker could exploit.
Detectify’s analysts found that around 13% of the domains collected use so-called wildcard certificates, that allow you to secure a base domain and unlimited subdomains and servers (e.g. email, FTP and apps) on a single certificate. The US National Security Agency (NSA) recently warned that wildcard certificates, popular because they are less expensive than individual certificates, open the door to a new hacking technique dubbed ALPACA (Application Layer Protocols Allowing Cross-Protocol Attack). This new form of TLS traffic decryption attack allows threat actors to trick servers to respond to encrypted HTTPS requests via unencrypted protocols. Using ALPACA, an adversary could potentially steal cookies, private user data, or perform cross-site scripting attacks.
SSL/TLS certificate data a potential goldmine for attackers
There is lots of potential to uncover more insights on SSL security from monitoring and continuously analysing public certificate data logs, says Fredrik Nordberg Almroth, Detectify co-founder and senior security researcher:
“We have only just begun digging into the data. There are several ways an attacker could use public information about SSL/TLS certificates to map out a company’s attack surface to understand where the weaknesses are. For example, an attacker could see if a certificate is about to expire or has been signed using a weak signature algorithm. The latter can be exploited to listen in on website traffic or create another certificate with the same signature – allowing an attacker to pose as the affected service. Domain owners should pay extra attention if they notice new certificates being issued by unknown CAs – that could indicate that an attack is taking place or that a forgotten subdomain has been taken over.
Without SSL/TLS certificates, internet users and organisations owning domains would be much more vulnerable online. It’s in the hands of developers and website owners to implement certificates in a way that keeps user data safe
“If you’re managing a domain, you want to make sure to keep track of the status of your SSL certificates and continuously monitor them for weaknesses and anomalies. This is what hackers have been doing for years, and where an attacker would start looking”, says Fredrik Nordberg Almroth
More insights on SSL related risks and how to mitigate them are available in the technical report, available separately upon request.
For more information, please contact:
Fredrika Isaksson, PR Manager
+46 (0) 76 – 774 96 66 or firstname.lastname@example.org
Offleash for Detectify