The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem
Quirin Scheitle, Oliver Gasser, Theodor Nolte, Johanna Amann, Lexi Brent, Georg Carle, Ralph Holz, Thomas C. Schmidt, Matthias Wählisch

TL;DR
This paper examines the growth and implications of Certificate Transparency (CT) on internet security and privacy, highlighting increased deployment, potential information leakage, and the use of CT data for targeted scanning campaigns.
Contribution
It provides a comprehensive analysis of CT evolution, introduces a CT honeypot to study data misuse, and proposes a methodology for subdomain discovery from CT logs.
Findings
Certificates in CT logs have grown exponentially.
33% of established connections now support CT.
CT logs are used for rapid identification of targets for scanning.
Abstract
In this paper, we analyze the evolution of Certificate Transparency (CT) over time and explore the implications of exposing certificate DNS names from the perspective of security and privacy. We find that certificates in CT logs have seen exponential growth. Website support for CT has also constantly increased, with now 33% of established connections supporting CT. With the increasing deployment of CT, there are also concerns of information leakage due to all certificates being visible in CT logs. To understand this threat, we introduce a CT honeypot and show that data from CT logs is being used to identify targets for scanning campaigns only minutes after certificate issuance. We present and evaluate a methodology to learn and validate new subdomains from the vast number of domains extracted from CT logged certificates.
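The honeypot idea in the abstract can be illustrated from the defender's side with the following added example, which is not code from the paper or its authors: it correlates the time a certificate for an otherwise unpublished name was CT-logged with the first DNS queries for that name. The honeypot names, the log line format, the 15-minute window and all function names are assumptions made for this sketch.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumption, not from the paper): honeypot names that
# exist nowhere except in a certificate, and when that certificate was CT-logged.
CT_LOGGED = {
    "a7f3k2.honeypot.example": "2018-04-01T10:00:00",
    "q9z1m8.honeypot.example": "2018-04-01T12:30:00",
}

# Constructed authoritative-DNS query log: "<timestamp> <source-ip> <qname>"
DNS_LOG = """\
2018-04-01T09:58:10 192.0.2.10 www.honeypot.example
2018-04-01T10:02:41 198.51.100.7 a7f3k2.honeypot.example
2018-04-01T10:03:05 203.0.113.9 A7F3K2.honeypot.example.
2018-04-01T12:33:12 198.51.100.7 q9z1m8.honeypot.example
2018-04-02T08:00:00 203.0.113.50 q9z1m8.honeypot.example
"""

def normalise(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()

def hits(ct_logged, dns_log):
    """Yield (name, source, delay) for each query of a honeypot name after logging."""
    logged = {normalise(n): datetime.fromisoformat(t) for n, t in ct_logged.items()}
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, src, qname = datetime.fromisoformat(parts[0]), parts[1], normalise(parts[2])
        if qname in logged and ts >= logged[qname]:
            yield qname, src, ts - logged[qname]

def first_contact(ct_logged, dns_log):
    """Map each honeypot name to (delay, source) of its earliest query."""
    first = {}
    for qname, src, delay in hits(ct_logged, dns_log):
        if qname not in first or delay < first[qname][0]:
            first[qname] = (delay, src)
    return first

def fast_sources(ct_logged, dns_log, window=timedelta(minutes=15)):
    """Map each source to the honeypot names it queried within `window` of logging."""
    by_src = {}
    for qname, src, delay in hits(ct_logged, dns_log):
        if delay <= window:
            by_src.setdefault(src, set()).add(qname)
    return by_src
```

A source that appears in `fast_sources` for several unrelated honeypot names is a strong sign of a CT-fed scanner, since the names were never published anywhere else.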
