Exploring the security of certificate transparency in the wild

Abstract

Certificate Transparency (CT) is proposed to detect fraudulent certificates and improve the accountability of CAs. As an open auditing and monitoring system, CT is based on the idea that all CA-issued certificates are logged in a publicly accessible log server, and that CT-compliant browsers only accept publicly recorded certificates. The purpose of CT is to make all TLS server certificates issued by the CA publicly visible; once a fraudulent certificate is publicly published, it can be discovered by the domain name owner. In practice, CT can achieve its intended purpose only when its three components (i.e., log server, monitor, and auditor) cooperate and work correctly and effectively. Compared with traditional PKI systems, the CT framework does not rely on a single trusted party; it is a distributed system that distributes trust guarantees across many CAs, log servers, auditors, and monitors. In this paper, we study the interaction among log servers, monitors, auditors, CAs, domain owners (or websites), browsers, and other components in practice, and then analyze the security impact of each component on CT. We explore the security of the CT framework in practice from multiple perspectives, and find that each component has many security vulnerabilities. Thus, attackers might first exploit a vulnerability to disable CT and then launch an attack using fraudulent certificates. The overall security guarantees of CT are jeopardized by the weak protection of any component.

Cite

Li, B., Li, F., Ma, Z., & Wu, Q. (2020). Exploring the security of certificate transparency in the wild. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 12418 LNCS, pp. 453–470). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-61638-0_25