Skip to main content
banner image
venafi logo

Old SSL Certificates May Be Putting Your Online Security at Risk

Old SSL Certificates May Be Putting Your Online Security at Risk

ssl security risk
September 19, 2018 | Guest Blogger: Kim Crawley

The SSL certificates that are required to encrypt your online services, such the HTTPS delivered web, are tied to domain names. Very often someone will own a domain name for a limited period of time. Let’s say for instance I bought the rights to hyperdimensionneptunia.ca for three years. During that three-year period, I made a secure website which uses that domain name, at URL https://hyperdimensionneptunia.ca. I needed SSL certificates for the HTTPS protocol’s TLS implementation to work properly, so I had them made by a certificate authority and deployed them.

Time passes and I get bored with my JRPG video game fan website, and I don’t bother renewing my ownership of hyperdimensionneptunia.ca after the three year period. People still have SSL certificates on their PCs and mobile devices for the expired domain because they visited https://hyperdimensionneptunia.ca while I hosted a website there.

A few months after I let hyperdimensionneptunia.ca expire, someone else buys it. This presents a difficult cybersecurity problem. Some certificates have multiple domain names (“hyperdimensionneptunia.ca” and “nepneppudding.org,” for example). Sometimes one domain name remains registered to the same owner, but the other domain name expires, which really complicates the problem further. Researchers have even found a certificate with about 700 domain names on it!

Ian Foster and Dylan Ayrey created their Insecure Design project to bring attention to the problem of old SSL certificates and the changing ownership of domain names. Their BygoneSSL demo shows why this security problem is a major man-in-the-middle attack and denial-of-service attack vulnerability.

There used to be no simple way to track expired SSL certificates. Then in 2013, Google launched their Certificate Transparency project. According to the website:

“Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system, which is the main cryptographic system that underlies all HTTPS connections. These flaws weaken the reliability and effectiveness of encrypted Internet connections and can compromise critical TLS/SSL mechanisms, including domain validation, end-to-end encryption, and the chains of trust set up by certificate authorities. If left unchecked, these flaws can facilitate a wide range of security attacks, such as website spoofing, server impersonation, and man-in-the-middle attacks.

Certificate Transparency helps eliminate these flaws by providing an open framework for monitoring and auditing SSL certificates in nearly real time. Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.”

Foster and Ayrey determined that about 7 million domain names share a certificate with a bygone domain!

Here’s how BygoneSSL denial-of-services work. A certificate has both “hyperdimensionneptunia.ca” and “nepneppudding.org.” Hyperdimensionneptunia.ca expires, but I maintain ownership of nepneppudding.org. If someone else buys hyperdimensionneptunia.ca, my ownership for nepneppudding.org can be revoked because it is shared with hyperdimensionneptunia.ca. That’s so devious and simple that even Arfoire would be impressed.

Here’s how BygoneSSL man-in-the-middle attacks work. My SSL certificate has my expired hyperdimensionneptunia.ca and my maintained nepneppudding.org. Someone else buys hyperdimensionneptunia.ca. I can then use my old certificate to authenticate into HTTPS sessions from hyperdimensionneptunia.ca’s new owner’s website, acting as a man-in-the-middle.

So, in both of these cyber attack scenarios, the new owner of hyperdimensionneptunia.ca can perform a denial-of-service of my nepneppudding.org website by revoking my domain name. But I can perform a man-in-the-middle attack on the new hyperdimensionneptunia.ca website.

The key to preventing this vulnerability is to keep track of your domain name ownerships and when they expire. If you decide to let a domain name expire, contact your certificate authority to revoke the certificates with the expired domains and generate new certificates that only have your currently owned domains. If you lose track, Google’s Certificate Transparency project may be able to help you find which of your domains have expired.

Related posts

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

quantum cryptography qubit image

Quantum Computing Threatens All Current Cryptography

trump encryption

Will the Trump Administration Succeed in Banning End-to-end Encryption?

HTTP, man-in-the-middle attack, HTTPS, TLS, TLS certificate, phishing attack

Can Attackers Use a New HTTP Exploit to Bypass Your TLS?

About the author

Guest Blogger: Kim Crawley
Guest Blogger: Kim Crawley
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat