Abusing Certificate Transparency Logs

DEF CON 25

Presented by: Hanno Böck
Date: Friday July 28, 2017
Time: 15:00 - 15:45
Location: Track 4

The Certificate Transparency system provides public logs of TLS certificates. While Certificate Transparency is primarily used to uncover security issues in certificates, its data is also valuable for other use cases. The talk will present a novel way of exploiting common web applications like Wordpress, Joomla or Typo3 with the help of Certificate Transparency.

Certificate Transparency has helped uncover various incidents in the past where certificate authorities have violated rules. It is probably one of the most important security improvements that has ever happened in the certificate authority ecosystem. In September 2017 Google will make Certificate Transparency mandatory for all new certificates. So it's a good time to see how it could be abused by the bad guys.

Hanno Böck

Hanno Böck is a hacker and freelance journalist. He regularly covers IT security issues for the German IT news site Golem.de and publishes the monthly Bulletproof TLS Newsletter. He also runs the Fuzzing Project, an effort to improve the security of free and open source software supported by the Linux Foundation's Core Infrastructure Initiative. @hanno


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats