Ready or Not, Here I Come: Characterizing the Security of Prematurely-public Web Applications
Annual Computer Security Applications Conference (ACSAC) 2024
Abstract
Traditionally, the creation of a new web endpoint was a private event: its existence was unknown to the outside world until the site owner chose to announce it. Indeed, the improbability of an attacker guessing the exact hostname of a newly-created site gave administrators sufficient time to configure their servers before any visitors arrived. Since the adoption of Certificate Transparency (CT), however, obtaining a TLS certificate means having that certificate, and the domain names it covers, published in public, append-only logs, where attackers can lie in wait for new targets to attack. This opens a new vulnerability window between the time a site is issued a TLS certificate and the time its administrators have finalized all security-related server configuration.
In this paper, we present MAKO, a distributed web scanning system that determines the overall security posture of a host from a number of network vantage points. Using MAKO, we randomly sample 1% of all domains appearing in Certificate Transparency logs over 10 weeks, auditing 548,238 unique domains. By carefully and ethically analyzing the security posture of each host immediately upon discovery, and again over the following hours to days, we observe how that posture changes and quantify the vulnerability window that attackers could exploit. Through this analysis, we find 200,421 domains whose security posture increases in the time following their initial appearance in Certificate Transparency logs. Overall, our findings expose a downside of the Certificate Transparency system: unwitting administrators prematurely announce the existence of their hosts before vital security measures are in place.
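The "announcement" the abstract refers to is concrete: every certificate a CA logs is returned by the log's get-entries interface as a base64 MerkleTreeLeaf (RFC 6962), and anyone polling the log can decode it to recover the covered hostnames and the issuance timestamp, which marks the start of the vulnerability window. The Python below is an added illustration of that step, not MAKO's code or anything from the paper: it builds a constructed log entry around a synthetic, unsigned certificate blob containing only a subjectAltName extension, parses it back the way a CT-driven scanner would, and applies a deterministic hash-based 1% sample so that several scanning vantage points agree on which domains to audit. The domain names, timestamps, the sampling rule and the minimal DER layout are all assumptions made here for the example.

```python
import base64
import hashlib

SAN_OID = b"\x06\x03\x55\x1d\x11"  # DER OID 2.5.29.17, id-ce-subjectAltName
X509_ENTRY, PRECERT_ENTRY = 0, 1   # RFC 6962 LogEntryType values

def der(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV; enough for the small constructed certificate below."""
    assert len(body) < 0x80, "constructed test data only"
    return bytes([tag, len(body)]) + body

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos] (short or long length form); returns (tag, value, next)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits give the length's width
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def build_synthetic_tbs(dns_names):
    """TBSCertificate-shaped blob whose only real content is a SAN extension.
    Constructed for this example; it is not a valid or signed certificate."""
    general_names = b"".join(der(0x82, n.encode("ascii")) for n in dns_names)  # [2] dNSName
    san_ext = der(0x30, SAN_OID + der(0x04, der(0x30, general_names)))        # Extension
    extensions = der(0xA3, der(0x30, san_ext))                                # [3] Extensions
    return der(0x30, der(0x02, b"\x02") + extensions)      # placeholder INTEGER + extensions

def build_leaf_input(timestamp_ms: int, tbs: bytes, entry_type: int) -> str:
    """Serialise a v1 MerkleTreeLeaf the way a log's get-entries returns it (base64)."""
    leaf = bytes([0, 0]) + timestamp_ms.to_bytes(8, "big") + entry_type.to_bytes(2, "big")
    if entry_type == PRECERT_ENTRY:
        leaf += b"\x11" * 32                               # issuer_key_hash (dummy bytes)
    leaf += len(tbs).to_bytes(3, "big") + tbs              # opaque<1..2^24-1> certificate/TBS
    return base64.b64encode(leaf + b"\x00\x00").decode()   # trailing empty CtExtensions

def parse_leaf_input(leaf_b64: str) -> dict:
    """Pull timestamp, entry type and the DER blob out of a MerkleTreeLeaf."""
    buf = base64.b64decode(leaf_b64)
    if buf[0] != 0 or buf[1] != 0:
        raise ValueError("only v1 timestamped_entry leaves are supported")
    timestamp_ms = int.from_bytes(buf[2:10], "big")
    entry_type = int.from_bytes(buf[10:12], "big")
    pos = 12 + (32 if entry_type == PRECERT_ENTRY else 0)  # precerts carry issuer_key_hash
    length = int.from_bytes(buf[pos:pos + 3], "big")
    return {"timestamp_ms": timestamp_ms, "entry_type": entry_type,
            "der": buf[pos + 3:pos + 3 + length]}

def san_dns_names(der_blob: bytes):
    """dNSName entries of the SAN extension. Finding the extension by its OID byte
    pattern avoids an ASN.1 library here; a production monitor should parse fully."""
    idx = der_blob.find(SAN_OID)
    if idx < 0:
        return []
    tag, value, pos = read_tlv(der_blob, idx + len(SAN_OID))
    if tag == 0x01:                                        # optional 'critical' BOOLEAN
        tag, value, pos = read_tlv(der_blob, pos)
    if tag != 0x04:                                        # extnValue must be OCTET STRING
        return []
    _, seq, _ = read_tlv(value, 0)                         # GeneralNames SEQUENCE
    names, j = [], 0
    while j < len(seq):
        t, v, j = read_tlv(seq, j)
        if t == 0x82:                                      # [2] IMPLICIT IA5String dNSName
            names.append(v.decode("ascii").lower().rstrip("."))
    return names

def sample_bucket(domain: str) -> int:
    """Stable 0..99 bucket, so every vantage point selects the same 1% of domains."""
    digest = hashlib.sha256(domain.lower().encode("ascii")).digest()
    return int.from_bytes(digest[:8], "big") % 100

def new_domains(entries, sample_percent: int = 1):
    """(domain, timestamp_ms) for each not-yet-seen sampled name in a get-entries list."""
    seen, out = set(), []
    for entry in entries:
        leaf = parse_leaf_input(entry["leaf_input"])
        for name in san_dns_names(leaf["der"]):
            if name not in seen and sample_bucket(name) < sample_percent:
                seen.add(name)
                out.append((name, leaf["timestamp_ms"]))
    return out

# Constructed get-entries style response: one X.509 entry and one precertificate entry.
SAMPLE_ENTRIES = [
    {"leaf_input": build_leaf_input(1_700_000_000_000, build_synthetic_tbs(
        ["new-shop.example", "www.new-shop.example"]), X509_ENTRY)},
    {"leaf_input": build_leaf_input(1_700_000_060_000, build_synthetic_tbs(
        ["*.staging.example"]), PRECERT_ENTRY)},
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        leaf = parse_leaf_input(entry["leaf_input"])
        print(leaf["timestamp_ms"], leaf["entry_type"], san_dns_names(leaf["der"]))
    print("sampled (100% for the demo):", new_domains(SAMPLE_ENTRIES, sample_percent=100))
```

Against a live log, the entries would come from the log's `/ct/v1/get-sth` and `/ct/v1/get-entries` endpoints rather than from `SAMPLE_ENTRIES`, and the time of the scanner's first successful HTTP probe minus `timestamp_ms` is the measured vulnerability window for that host. Two caveats a practitioner would hit immediately: most entries today are precertificates, which is why the parser skips the 32-byte issuer key hash for `PRECERT_ENTRY`, and wildcard names such as `*.staging.example` cannot be probed directly and need a concrete hostname before scanning.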
Citation
To cite our work, please use:
@inproceedings{kondracki2024mako,
title = {{Ready or Not, Here I Come: Characterizing the Security of Prematurely-public Web Applications}},
author = {Kondracki, Brian and Ferdman, Michael and Nikiforakis, Nick},
booktitle = {Proceedings of the Annual Computer Security Applications Conference (ACSAC)},
year = {2024},
}