­
Lost and Found Certificates: dealing with residual certificates for pre-owned domains - All Articles - CISO Platform

All Articles

Lost and Found Certificates: dealing with residual certificates for pre-owned domains

Posted by Amit, CISO Platform on September 25, 2018 at 8:00pm

When purchasing a new domain name you would expect that you are the only one who can obtain a valid SSL certificate for it, however that is not always the case. When the domain had a prior owner(s), even several years prior, they may still possess a valid SSL certificate for it and there is very little you can do about it.

Using Certificate Transparency, we examined millions of domains and certificates and found thousands of examples where the previous owner for a domain still possessed a valid SSL certificate for the domain long after it changed ownership. We will review the results from our ongoing large scale quantitative analysis over past and current domains and certificates. We'll explore the massive scale of the problem, what we can do about it, how you can protect yourself, and a proposed process change to make this less of a problem going forwards.

We end by introducing BygoneSSL, a new tool and dashboard that shows an up to date view of affected domains and certificates using publicly available DNS data and Certificate Transparency logs. BygoneSSL will demonstrate how widespread the issue is, let domain owners determine if they could be affected, and can be used to track the number of affected domains over time.

Speakers:


  • Ian Foster, Hacker
  • Dylan Ayrey, Hacker


Ian Foster
Ian enjoys researching systems and networking problems and solutions in an effort to make the world more secure. He has published research papers analyzing the new gTLD land rush and crawling and parsing most WHOIS records. From demonstrating how insecure aftermarket OBD "dongles" can be used to compromise and take over automobiles; to measuring the paths an email traverses online with encryption in an effort to increase integrity, authenticity, and confidentiality; and more. During the day Ian is a Security Engineer fighting for the users.

Dylan Ayrey
Dylan is a security engineer, who in his free time authors lots of open source projects, such as truffleHog. He graduated college in 2015 and has been working in security ever since.

Detailed Presentation:

(Source: DEF CON 26)
  
8669803288?profile=original
Views: 120
E-mail me when people leave their comments –
Follow

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)
 

 

 

City Round Table Meetup - Mumbai, Bangalore, Delhi, Chennai, Pune, Kolkata

Apr 15, 2025 at 8:00am to May 15, 2025 at 10:00am UTC+5.5
India
  • Description:
    CISO Playbook Round Table Overview : 
    Our round tables are designed to bring together top CISOs and IT leaders in intimate, focused sessions. These closed-door discussions will provide a platform to explore key security challenges and solutions. These sessions aim to create a focused, closed-door environment where 08-10 CISOs will dive deeply into the practicalities of implementing specific technologies.
    • Technology Implementation: From…
  • Created by: Biswajit Banerjee
  • Tags: ciso, playbook, round table

Fireside Chat On The Dark Path of Stolen Data: Understanding the Cybercrime Ecosystem

Apr 16, 2025 from 9:30pm to 10:00pm UTC+5.5
Online
  • Description:

    We’re excited to bring you an insightful fireside chat on "The Dark Path of Stolen Data: Understanding the Cybercrime Ecosystem" with Matthew Maynard (Security Operations Specialist, BJC Healthcare) and Erik Laird (Vice President - North America, FireCompass), where we delve deep into the hidden layers of cybercrime, exploring how stolen data is monetized, its impact, and how organizations can fight back.

    The cybercrime ecosystem is thriving, with stolen data fueling…

  • Created by: Biswajit Banerjee
  • Tags: fireside chat, stolen data, matthew maynard, ciso

CISO Cocktail Reception At RSAConference USA, San Francisco 2025 !

Apr 29, 2025 from 5:45pm to 9:00pm PDT
San Francisco, America
  • Description:

    We are excited to invite you to the CISO Cocktail Reception if you are there at the RSA Conference USA, San Francisco 2025. It will be hosted aboard a private yacht, so that our CISO's can enjoy the beautiful San Francisco skyline while cruising the Bay Area! This event is organized by EC-Council with CISOPlatform and FireCompass as proud community partners. 

    Yacht Party…

  • Created by: Biswajit Banerjee
  • Tags: ciso, usa, san francisco, rsaconference 2025

Round Table Dubai 2025 | GISEC

May 8, 2025 from 6:00pm to 9:00pm UTC+04
Dubai
  • Description:
    CISO Playbook Round Table Overview : 

    Our round tables are designed to bring together top CISOs and IT leaders in intimate, focused sessions. These closed-door discussions will provide a platform to explore key security challenges and solutions. These sessions aim to create a focused, closed-door environment where 08-10 CISOs will dive deeply into the practicalities of implementing specific technologies.
    • Technology…
  • Created by: Biswajit Banerjee