Comment by beeboobaa
3 years ago
Are there any services that monitor the certificate transparency logs and send an email when a new certificate is issued for your domain? That would alert you to this kind of MITM
3 years ago
Are there any services that monitor the certificate transparency logs and send an email when a new certificate is issued for your domain? That would alert you to this kind of MITM
As mentioned there are services for doing this (I've been using for example the free service from Facebook [1])
Since the certificates are nowadays renewing quite often, it's very easy to just end up ignoring these notifications. To really get the benefits, I think you should somehow combine these with logs from the legit cert renewals and only alert when something strange pops up.
[1] https://developers.facebook.com/tools/ct/search/
Indeed, a CT monitor which sends alerts about legitimate certificates is almost useless due to noise. My service, Cert Spotter, provides an API endpoint[1] which you can upload your CSRs to, so you don't get alerted about certificates using the same key as the CSR. The open source version of Cert Spotter can invoke a script[2] when a certificate is discovered, and the script can cross reference against a list of legitimate certs.
[1] https://sslmate.com/help/reference/certspotter_authorization...
[2] https://github.com/SSLMate/certspotter/blob/master/man/certs...
Could it check against public key for the certificate?
1 reply →
Yes. Several. They're called CT "Monitors".
There are but this assumes that services like the transparency log servers and LetsEncrypt are not being legally compelled to do or not do something.
If the CA doesn't log a certificate, the certificate won't work in CT-enforcing clients (Chrome, Safari, Edge) because it lacks receipts (SCTs) from CT logs.
If a log fails to publish a certificate despite issuing a receipt for it, Chrome's SCT auditing infrastructure can detect that, as it did recently with the Nessie 2023 log: https://groups.google.com/a/chromium.org/g/ct-policy/c/5x1A6... (this was also detected by monitors operated by myself and Cloudflare)
But this is all moot when it comes to XMPP, since XMPP clients don't check for SCTs, and there is no requirement for CAs to log certificates if they don't need to work in non-CT-enforcing clients. Some CAs (e.g. DigiCert) will sell you unlogged certificates - no need to compel them.
tldr: situation is good and improving with browsers, not so much with non-browser clients
XMPP has some adoption of channel binding (it could be better, but it's heading in the right direction) which mitigates these kinds of attacks in a different way. It is able to do that because the client and server already share a secret (the user's credentials), unlike most HTTP clients/servers (at least as far as the protocol is concerned).
But SCT validation would indeed be something we should investigate for the ecosystem, it could be beneficial for certain use cases.
3 replies →
> Could you prevent or monitor this kind of attack? There are several indications which could be used to discover the attack from day 1:
> All issued SSL/TLS certificates are subject to certificate transparency. It is worth configuring certificate transparency monitoring, such as Cert Spotter (source on github), which will notify you by email of new certificates issued for your domain names
> All issued SSL/TLS certificates are subject to certificate transparency. It is worth configuring certificate transparency monitoring, such as Cert Spotter (source on github), which will notify you by email of new certificates issued for your domain names
This seems like the kind of thing domain registrars should do for you.
Who could in theory also be told “don’t notify your client about this specific one”. You’re best off self hosting if you think you’d be a target for these kind of attacks.
1 reply →
Cloudflare does that
Cloudflare is a MITM you voluntarily setup yourself, innit?
You don't have to setup anything
Kerberos right?