Certificate-Transparency

This is the blog version of my DEFCON 26 talk Lost and Found Certificates: dealing with residual certificates for pre-owned domains, which I co-presented with Dylan Ayrey. You can learn more about BygoneSSL and see a demo at insecure.design. The Problem A Certificate can outlive the ownership of a domain. If the domain is then re-registered by someone else, this leaves with the first owner with a valid SSL certificate for the domain now owned by someone else. ...

Certgraph is a tool I’ve been developing to scan and graph the network of SSL certificate alternative names. It can be used to find other domains that belong to an organization that may be several orders removed and not always obvious. Background The idea for this project came about after examining the SSL certificate for XKCD.com. If you look closely at the screenshot below you will see that the SSL certificate used on XKCD.com is also valid for many of domains which have no relationship to XKCD or Randall Munroe. ...