
I feel like a stork talking into it right there. So, I'm going to talk into it like this because this is what I'm more used to. Well, my name is Jeff uh Krakenberg and I'm here to talk to you guys about digital certificates, which are super fun and interesting. You guys love them, right? Definitely. Big fan. Yeah. Really? >> Yeah. That's cuz I'm not going to say that they suck and I'm not going to say that we suck at managing them. I don't think anything is a good model for managing certificates. But anyway, uh a little bit about me. Uh I got described recently as a cyber goblin. I don't know what that means. They meant
it as a compliment. Uh, I I play D&D, so I was really happy to see the last presentation. Uh, if you guys didn't catch that, there was D&D-themed Active Directory. Uh, and from a D&D background, goblins suck. Like that's like you just kick a goblin and they're dead eventually. But anyway, I am a uh technical trainer, a security consultant, a researcher. I am an author, a game designer. I do a bunch of stuff which is why they called me that. Uh, basically I spend too much time online. Anyone else? That was a really quick hand up on that. Uh, so maybe cyber goblin is a compliment and I think you would qualify as well.
Uh, so if you guys want to find me online, you can either find me by my name, Jeff Krakenberg. Uh, sometimes I use a shortened version of it, just Jeff Kraken. And my social media tag is usually abandon free Wi-Fi. Uh, for obvious reasons, I am not connected to this venue's Wi-Fi. Um, so there won't be a live demo today because, uh, I don't have the chickens to sacrifice. But getting into it, if I remember how to use PowerPoint. There we go. Uh, I'm going to be talking a bit about digital certificates with the help of our friend Bill. Uh, you guys will meet Bill later if you're not familiar with him. Uh, just going to do
like a general overview of what they are to make sure everybody understands what we're talking about because even though a lot of us have dealt with digital certificate failures at every single place we've worked. Uh I gave this talk recently and I found out that some uh computer science majors that were three years into their degree had never had a digital certificate explained to them. Uh which is fair because I never had a digital certificate explained to me. But then I'll get into some fails with some help of some uh small business or single-owned uh websites that I've looked at in the past. Some flounders because if I make fun of other people's digital certificates, I have to make fun
of my own. Uh and then we'll wrap up with some like helpful stuff uh that we can think about and do when talking about digital certificates. Um so I'll throw it I'll throw it to you guys because I like interaction this way, right? When like I'm up here safe from all of you. Uh that's a warning for later if you want to talk to me. I'm socially awkward and it compounds with your social awkward. It's not like an even playing field thing, but uh in y'all's eyes, what is a digital certificate?
You started to I'll go to the cyber the other cyber goblin later.
>> Have you had to explain digital certificates to change advisory boards before? That sounded very familiar. Uh, but yeah, that's a great one. Uh, cyber goblin, do you have anything to add? I'm going to stop calling you that, by the way. Okay. Well, then I'm not. Uh, but >> it's a Yeah, that's a good way to think about it. It's a signature that's signatured by a signature. Uh, sign that feels bad to say. I'm moving on. Uh but anyway, how I like to think about them, uh have you guys heard of the analogy that a digital certificate is like your driver's license? Have you guys anybody heard that before? I saw one vague nod, two vague nods. You
haven't? Good. Because that's not a good analogy in my eyes. I don't like it. It's a really common analogy. I'm just not a fan of it. I like to think of them as a special type of file that identifies a resource cryptographically. So, a lot like my change advisory board briefer. Um, mostly because it can be anything. It's not something that identifies you. It would identify your user account, computer account, a printer, an app, code, anything. Uh, as an example, you guys can think of it like a name tag for now. We'll talk about better ways to think about it later. Uh, but essentially, it's like you signing a name tag saying, "Hey, I'm fakeserver.com."
And then uh the proof for that is provided by if you can't see it, godaddy.com, the company responsible for borderline inappropriate ads throughout the 2000s. Yeah, if you guys didn't know, they're a major player in the game of trusting the internet. Does that make you like the internet more or less? Cuz godaddy.com. Uh, it's also weird they sign their own certificates for websites you build with them. So, but anyway, so why does that matter? Uh, it matters because when you access a website, if we're talking about like SSL or web certificates, your browser is referring you to a server, that server is giving you the site. And in accessing that site, you are trusting that the server
is who they say they are and that the person that signed for them is more reputable than godaddy.com. I I have a thing against them if you can't tell. So, if the certificate is invalid, incorrect, or maliciously configured, you could be connecting to a fraudulent site and not even know it, unless your browser pops up and says, "Hey, this is bad." Which we all listen to and don't press continue anyway, right? We definitely don't just hit advance. They've added more buttons and we still don't think about it a lot of times. But, uh, I went with this meme because personally, I access a lot of remote machines. Uh most of them are like legitimate and I've saved the
configuration. So it's just like a double click in PuTTY and then I'm there. But uh sometimes I don't really know what I'm connecting to because it's a virtual machine that's only supposed to live for a workload. Uh so I'm only ever like pretty sure that it's my server and if like it came to like a board decision of if it was Jeff's server or not, I wouldn't be on my side. So why we can think about it like this is a digital certificate is just a quick way to double-check a resource ownership, right? Your digital certificates should be on your resources, my digital certificates should be on my resources, and if I'm accessing your
resources, I should see your digital certificates. Uh, what should I see if I'm accessing my resources? >> Yeah, a very hesitant answer. Uh, don't worry guys, I do teach. So, if you don't answer a question that I ask, I will just wait and make it awkward. So, if you think you're going to make it awkward by talking, don't worry. I'm already planning on making it awkward. So, uh, to pull from a very popular game series, uh, that some of you may or may not be familiar with, uh, let's talk about digital certificates with our friend Bill. So, uh, anybody a fan of Pokemon? A a few hands. That's good. A few nods. Yeah. Uh, who remembers playing like the
original on the Game Boy that made the garbled noises? And you're all relatively connected to cyber security. Did it ever bother you when you were just looking at someone's PC? Like you go there and you're just like, "Oh, a computer. Someone's PC. Why is that on my network?" Well, it's cuz they wanted to make it easy to just drop a name later. But, uh, how you would use that resource is that if your inventory was running full and you wanted to catch more pocket monsters, you would have to drop them to a box in someone's PC. And in this case, if we were to use a digital certificate as an example, we could identify that someone as Bill, a
Pokemon expert. Does that sound a little bit more reassuring? You're trusting a Pokemon expert, not someone. I It is the cloud, and that's scarier. Uh, but if you put it into Bill's PC later, you can go back and get those resources. You know where they're stored. You know what box they're in. Uh, but I I have a really important question for you all. Uh, should you trust Bill with your Pokemon? Absolutely. He has weird hobbies. I don't know how deep you guys are into Pokemon lore. If he was totally He's an NPC. He could have had no weird hobbies. Somebody made a choice to include the fact that he wants to be a Pokemon.
>> Fair. Maybe that's why it was someone's PC. I like that. I'm definitely not going to steal that and then use that later.
>> Bill is saying, "Yeah, I am Bill." Right? And if you guys have ever worked with certificates, you'll know that's something called a self-signed certificate. Uh funny story about those. They always have to be manually trusted. Uh, unless you do like a malicious redirect thing as a part of your certificate, they always have to be malicious or uh manually trusted. So, your user that's trying to access their Pokemon is going to get that website is insecure or uh what does the other one say? Website is untrusted and uh anybody ever get a help desk call from an end user trying to access a resource that thinks it's the end of the world because it says it's untrusted and
they think they just got malware on the entire company. A few vague nods. I was so worried when I got that call. I was a desktop support technician. It was my first like official IT job and I got a call from an end user that was panicked and I have very bad anxiety. So, I was also very panicked and much like those computer science majors, I didn't learn what a digital certificate was until after this. So, it turned into an immediate escalation to the highest level of being like, "Oh no, we've been infected." Turns out they just had to click okay, which is weird because I had been doing that on my end for so long
without ever thinking of what was happening. But uh show of hands, how many of you uh actually look at the certificate information when you see that untrusted warning? How many of you raised your hands because you saw other people raising their hands?
Good. For those that didn't raise their hands, if you were unaware, anytime your browser tells you, "Hey, this looks bad," and you hit advanced, and then you hit proceed or continue anyway, there's usually a hyperlink on there that will just show you the certificate before actually loading it, which is pretty helpful for talking through that end user who is panicked and making you panic. So, but uh you guys ready to talk about our first uh our first funny failure? All right. So, uh there's a site on the internet. Uh if you're um familiar with it, you might uh you might have already seen this before, but I was doing a discussion on digital certificates and I
asked for a school and workplace appropriate example. Uh I was given homestarrunner.com. Uh which if you aren't familiar with that, you come from a different vein of the internet than I do. Uh, which might mean why your therapy bill is less than mine. But upon opening up that cert, I could see that the subject alternative name had some stuff in there. Sorry about the chair if that's in the way. Uh if you guys want to have a chiropractic bill, you can crank your neck that way to see the entire text or I'll just talk through it. Um so it had the standard website homestarrunner.com. It had the www dot, which is still there for a lot of
people. Uh, does anybody remember the days when that was necessary? Now that you're nodding, does it feel like years have been added to your neck? It's been a minute. But it also had webmail.homestarrunner.com on the same certificate, which I want to be very clear. I am not saying that having your web server or your web mail on the same certificate or site as your main page is a vulnerability. I'm not saying that. Somebody might, but I'm not. I'm not saying that. Uh, however, when you find that cert by either just browsing to it or using a search scanner, and that leads you to a vulnerable login. Uh, that is something that we should talk about. Uh, side note
for those that care, this was reported like 3 years ago. Uh, and then again when they didn't fix it because it's just like one or two dudes running this that are not IT people. They're flash animators and they do some really good work. Uh but after getting the okay to poke uh we found authentication through slightly modified defaults. Uh if you don't know what I mean by that uh they may or may not have just put an exclamation point at the end of the default password which is technically more secure. Um but then we also found multiple internal mailboxes and some information in there. Uh as like a quick hit before I get into talking about it.
Uh, I would consider this like the creamy center of a double layer cake. Not the most important part, but we did find vulnerable session cookies and a known vulnerable library during one of the scans. Uh, the icing on the cake for me uh was an alternate port that revealed a JavaScript redirect, which is pretty standard for people that don't know they're setting up a web server, but pretty bad for people that know how to abuse that. Uh, anybody else like uh JavaScript redirects? I don't I don't want to go too too deep into the nerd weeds on it. Did you guys know that you could do a redirect with JavaScript window replace? Has anyone seen that in the field still?
Has anyone looked for it? You don't have to, but you might find it. Uh the reason why that comes up is it could be uh maliciously altered as part of phishing or an attacker in the middle. So the thing I always do when I find things like this, I try to figure out what the core issue is because I know that the people running it didn't intentionally leave it vulnerable, right? I try to assume that uh users, business owners, uh sysadmins by force, not by choice, don't do these things maliciously, right? They just don't know what they don't know. Uh, and in this case, it really just came from a general misunderstanding of what a certificate
authority does, right? So, a CA or a cert certificate authority, like I don't know godaddy.com is going to take your information. You're going to give it to them. You're going to give them your public key. You're going to give your certificate information, all the things you need to know to have the certificate to prove that you're trusted. and they are going to verify that your web server is legitimate. Kind of big big kind of there if you guys aren't familiar. Uh they're going to verify that you're the legitimate owner of the domain. Uh they're going to verify that your information is correctly entered. Uh what some people still think they do that they don't do
unless you pay them more money to do it is uh verify if it's exposing your internal resources. That is not their job and they generally don't care in my experience. They're also not going to see if your internal resources that you're exposing are vulnerable. They're also in a lot of cases not going to verify that you're a real person. Uh, has anyone else ever used a Visa prepaid gift card to buy a digital certificate?
Is anybody shocked that that might work? So, the reason why those things that they're not checking can be an issue and why this was kind of a misconception is because it only matters if the web mail app is outdated or misconfigured, which in this case it was. And it only really matters if the login page to that app is uh accessible by the public, which it still is. Uh they fixed this. Yeah. Yes, that is really all they do in there. So, this case, I did not feel bad about talking about it. If this was a if this was a a worst thing, uh the the worst thing I found or that was found in
there was uh somebody oversharing their PII uh in an email that they didn't use but still kind of existed. So, there is some there, but yeah, you're exactly right. Uh, in this case there wasn't like super maliciousness that could happen on the mailbox side. Um but uh the last one is that if it can be used to brute force or support a phishing attack. So any type of phishing redirect or anything like that, if having access to a legitimate domain email would help with that. Uh, this type of vulnerability plays in. Uh, and again, if you're working with a small site as the web admin, you're going to send the certificate request in or you just click a box on the web
provider if you use a hosting provider. Uh, and then they verify that information, give it back to you, and you just install it on the certificate, right? It's a very simple process. If you guys haven't created certificates before, it is pretty easy to use portals to do it. It's also easy to use commands to do it. We'll talk about those later. Um, but what I've found in my talking about this with companies is is very simply that they think the other person is doing the right thing. So the the small sysadmin that doesn't have any support and is already overwhelmed and overworked or the business owner that doesn't even understand why security is important to their website, they're just
saying, "Oh yeah, I could check a box and pay seven extra dollars and somebody's going to make it secure for me." And then the person making it secure is like, "Oh yeah, they would know if they needed additional security. They would know to check the second box and pay even more money." And then when the admin gets it back, they're just like, "Cool, I got the certificate. That means it's good, right?" Uh, where this comes up on the malicious side, and you can do a little bit more with it. Um, I would hope that if anybody gets an email from a fictitious character, uh, even if the domain looks correct, you don't trust it because it's a fictitious
character. Uh, but what if you registered webmailstarrunner.com instead of webmail.homestarrunner.com and just modified the FQDN a little bit? Uh, commonly referred to as a lookalike domain or typo squatting. Um, the certificate, uh, the CA, whether you're using Let's Encrypt or GoDaddy, is still going to verify the certificate request. They're still going to verify the domain registration, which a lot of times just means checking your receipts and making sure that you have it. What they're not going to do is always verify the legitimacy of the individual. Uh are you all aware that it's incredibly easy to create a basically anonymous company out of Montana online? I am not going to explain why I know how to do the things that I'm talking about
in that regard. Uh I feel like I've overshared. I mentioned buying certificates with uh prepaid gift cards. I mentioned anonymous LLCs out of Montana. It's just stuff you learn uh when you're doing this kind of uh tests. >> Yeah. Uh hi, my name is Jeff Krakenberg and I have bought digital certificates with money that wasn't directly assigned to my name. Uh, but was assigned to a company that someone created. So uh let's fail again. Uh I'm going to call this one dental redirect. And I say I'm going to call it that like I haven't been calling it that in my head and out loud already multiple times. But in this case I uh I'm going to make fun kind of
a uh software support company. Uh anybody ever work with software support companies that do everything correctly? Right. So you guys see why I don't feel so bad making fun of them a little bit. Also, they're from my neck of the woods. I'm not from this area. I'm from Kansas City, so I've talked to them. Uh I also know two people that worked there. I asked them to pass this along when my emails were getting returned to sender about it. Uh and the initial concerns with their site were there were some forms on their site that were publicly accessible and the code was bad. Uh those forms are no longer mostly no longer publicly accessible. They're
working on it. Um but this one was reported all the way back in 2022. Uh and again like 3 months ago when I was preparing these slides. So the problem here, if you guys didn't catch it on the super quick screenshot on the last one, is that it was uh HTTP on their main site. If you go to this website, it is going to take you to an HTTP site. It is not a downgrade. It is not a redirect. It is just legitimately in the year of our Lord 2025 an HTTP site for a company that supports dental offices. Um I don't know if a watering hole attack would be the right word, but I wouldn't go too deep into that
personally. Um but just to be clear, it was not failing to do HTTPS. It was just doing HTTP. So, if you guys were to browse to a site and it would give you the little warning and it'd say HTTP instead of HTTPS like a logical person, wouldn't you just, I don't know, try again explicitly do HTTPS? That's what I do a lot of times in this case. Uh, and if you force HTTPS instead of just relying on HTTP, uh, you will find a legitimate site. Uh and you'll be greeted with a warning because uh a lot like Bill's PC from earlier uh their certificate on this site is self-signed. Uh however, it's also not using the
I can never say that whole thing. HSTS. Can anybody say that reliably without stumbling over their own words? Does anyone know what it is? HTTP strict transport security.
>> Are you sure that you haven't explained things to a CAB before? Uh so yeah, HSTS is a thing that can break stuff. It is not always recommended to be implemented, especially internally. Um, but it is a way that technically kind of works to force end users onto HTTPS instead of HTTP. And they weren't using it, which felt weird. I knew they had an HTTPS site, but it was just going to HTTP instead. Uh, so I did the thing I obviously was going to do, and I proceeded anyway. Uh, and I I found something. I uh I don't have the time or mental capacity to go into all of what this means and I would never make fun of
WatchGuard in this talk. I'm not here to talk about that. Um but what I will say is that it was an insecure implementation of a mostly secure portal, right? Uh there's some fun stuff if you guys are looking for uh an SSLVPN that you can test out in like a lab environment with their blessing. There's some really fun stuff you can do on their server with make member as a specific thing uh as a function if uh if you don't as the admin lock it down. So there's some stuff that can be abused there that I'm sure you guys can find and have fun with. But just like on the last one, the core issue here uh was an
HTTP. Do you guys remember when I said it was an HTTP site? Do you remember before that when I said there were forms on that site? That's the core issue. They had HTTP-based user input forms that would be sent in clear text from browser to server. Information included was uh customer name, address, how to contact them, what their issue was about. Does anybody see how this could be bad if that was in plain text? Uh and then in some of those forms there was things like account information like number or uh recovery codes, things like that. So that is one part of the issue. Uh however it's it it is so many years since we've been
supposed to be doing HTTPS for these things. So I didn't consider that like the worst issue. Uh the core issue that I really focused on was the WatchGuard login on HTTPS. So uh even if you have it locked down, exposing a VPN like that to the same site can be a pretty bad idea in my opinion. Uh, if you guys, uh, don't agree with that, that's cool. Uh, I'm not going to force anybody to like my ideas, but, uh, it's kind of similar to the web mail concept that I was talking about earlier. You're just increasing your attack surface. That login page goes somewhere you don't want malicious users getting to. So, uh, up at the top
we have a malicious user. Uh, and as I always say, you could tell he's malicious because he has a hat on and he's unhappy. The HTTPS site represents kind of a loophole or a vector that they can exploit to get back to the local network uh, that you didn't want them on. Right? So, that is the security focused one that y'all are probably already kind of thinking about if you're not. It is just exposing stuff that shouldn't be exposed in that way. Uh, I would have been very happy if they had at least used an alternate port for it, but they didn't. It was just 443. So the part that I got a little bit more concerned about uh
when talking through them the purpose of that site is the HTTP one is so that regular users can get help because they're a small software support company and they don't have the time and energy to take care of everyone. That's why they exposed that form. Uh but does anyone have end users that you support that are very secured security oriented and that has never caused you a headache before? What about how many of you have security oriented end users that regularly causes you a headache? A couple more hands. I like that there was about the same amount of hands. Uh and then I did see several faces that just turned to defeat when I mentioned
that. So if if you're in that boat, I uh I empathize with that. Uh, but what I found in this case was that they had a bunch of users that needed help that had their browser settings configured to force HTTPS. So, they would never get to the place that they could get help. They would always end up on the login page. And if I'm an end user and I don't know anything about computers, I just know that I need help with my dental software and I go to a site and I see a login and I can't log into the thing I'm paying money for, I don't think I would be a very happy end user,
especially when I'm trying to get help. So, that was kind of the other side of that. Uh, even if everything else was right, they still ended up on the wrong page simply because they were trying to do what they could to help out. Uh, I really like the idea of community security. Do you guys like that or do you guys hate that when everybody's kind of trying to be secure?
Yeah, those those darn ransomware gangs getting too good at security. Definitely not leaving their passwords in plain text inside of their own code. Um, that's not what I'm here to talk about though, so I'm going to tangent away from that. Uh, so it basically just ends up you're exposing resources you shouldn't be. You're confusing end users who think they're trying to help you and nobody's really happy about that. So, I think I've made fun of other people's uh firewall failings a little bit enough. I'll talk to you some about my own. Uh, I don't have any images uh grainy or appealing for this section simply because uh it was pretty internal. But I can talk about it because I know the
person who did the misconfigurations. Uh and I stripped out a lot of the identifying information. It was it was me that did the misconfigurations. So I am fully aware that I'm up here talking about how to be better about digital certificates and now I'm going to go into how I was bad at them. Does anybody else like the irony of that? It's my way of telling you it's okay to suck, right? Has anyone here sucked at something and now they're good at it? Nice. That's growth. Is anybody else like me who sucked at something and now you just suck a little bit less? It's a journey. No one's on the same step. So, first up with certificate
formats, uh, managing systems and certs can be annoying in a mixed environment. When I was doing it, I had both Windows and Linux systems. Uh, and were you guys aware that those use different types of files just a little bit? They use kind of different stuff. You can convert it, you can change it on their own. Um, but I wasn't the one to make certificates at this job. Do you guys want to hear how digital certificates were explained to me at this cyber security analyst position I was working? Those don't matter. They just have to be there. Oh, they don't matter. I'm going to I'm going to I'm just going to do it then. It's going to be fine. Um, so I wasn't
the one to make them, but I did request them. There's some workarounds if you guys weren't familiar. Uh, PowerShell can do it really easy. OpenSSL can do it really easy. Certificates are not hard. Uh, well, I would say they're simple, but they're not always easy to work with. So, uh, you can fix this issue on your own if you have authorization to. Uh, but my SOP, uh, that I was working on said, tell the ops guy to fix it. Any any ops guys that would hate to get that call? Yeah, me too. Uh, you did your job wrong. Uh, so what that led into was a bit of misconfigurations uh because we were trying to automate
stuff. I'll get into why automating is important with certificates in a bit. Uh, we had a bunch of firewalls that I was managing and I was told that digital certificates don't matter. We just have to put them there. And so I was like, "Oh, if it doesn't matter, I am going to find a way to automate that because I don't want to click on things that don't matter. I would much rather just look at uh firewall menus and see when I'm going to get upset." Uh, but to make it a little bit simpler, just say I had firewall A and firewall B and I was using Puppet to pull the firewall A cert and put it on firewall A
and I was doing a different instruction to pull the firewall B cert and put it on firewall B. Uh, if you guys were like, whoa, I didn't know that Puppet could handle digital certificates for firewalls, there are way better tools, don't try and use Puppet for this unless you already are stuck with it. Um, because what happens when you are not a programmer and you try and use something like this is that you will copy paste the wrong thing. Uh, I'm not going to go into all of the Puppet configurations. Uh, this is just a chunk of code. Uh, I like to call the highlighted areas redundant, bad, and kill it. Because this was tested and this worked
pretty well on firewall A. Do you guys think I changed that before putting it on firewall B? No, I just changed this part to say ah check the host name. It'll be fine. It'll work. It didn't work. Uh I I use firewall A and B as an example. Uh at the time I was managing 18 web application firewalls. Uh, one of those still worked. If you're in an organization that needs almost 20 WAFs and you push an update that makes it so only 5% of those work, do you guys think that your boss will be happy with you? Cuz mine wasn't. Uh, key point on that. I probably should have called that core issue like the other slides. Anyway, uh,
digital certificates are time based. I used to have a lot of slides in this talk about how you could do things to help you with your digital certificates based on timing. Uh but if you guys didn't know, a little over a month ago, it was uh commonly decided and voted on that digital certificate lifespan is going to shrink exponentially. Uh so right now they're pretty long. They can be abused and taken over and you can have them for almost 400 days. uh next year that's getting cut in half and over the next four years it will be down to under 50 days. So what do we do about it? Well, I would recommend automating, right? Uh I'm a big fan of automation in
that case is that I don't like doing repetitive mundane things. So I always try and find ways to not have to do that. But I know that not everyone can automate everything in their environment. Uh but if certificate lifespans go down to 47 days uh and you don't automate it, that means you or someone you onboard is going to have to be the certificate person in a larger environment, which that means your entire job is going to be working with digital certificates. But if you're not in a place where you can automate, you're not in a place where you can onboard, uh you would have to use an alternate. Anybody remember DANE? DNS authorized naming something.
Yeah, you can use DNS for a similar thing because that never breaks. Yeah. So, there's a ton that you can do and it all goes into what your organization lets you do. My push would be for automation, even if it's just simple stuff that's in your control. But, uh, I'm going to kind of tangent back now. uh and I mentioned earlier that I don't like the driver's license analogy and I also mentioned that uh I had a way that I like to talk about it right that special type of file that identifies a resource cryptographically. Uh however I am also aware that that is way too wordy and too technical for most people because I am like many of you a nerd
right so we I want a better way to talk about it um so I was looking into it a lot and a driver's license is pretty close the user provides information to the certificate authority the certificate authority verifies and signs information and then the certificate or author certificate authority syllables are hard y'all uh gives that back to the user. They put it on their resource. That is a lot like a driver's license, right? You give the DMV your stuff, the DMV gives you stuff after staring at you unhappily for a while. Uh and then you give that to a police officer when you get in trouble. Um the only thing that I don't like about that analogy really is
that I've never seen a digital certificate used in a court case to prove ownership of something. So, it's not like my favorite. Uh, a land deed came up as an idea, mostly because I'm a fan of uh space fantasy westerns. Uh, anybody else like those? Like the like the first Star Wars or uh Rogue One or uh Solo's technically a heist, but nobody really liked that movie for some reason. Firefly, also a good one. Now I'm sad. Thank you. Um, it's going to be okay. Uh so but uh what I really like about land deeds, if you guys haven't heard of them before, uh that's because they're not really real. Uh and you only trust them if you trust
the person that's giving it to you. Like I don't know, a major government would never lie to an entire group of people saying that they could have land and give them a deed and then not honor that. So that's a a little bit closer in my eyes. But for me, the best analogy for a digital certificate would be something that no one really asks for unless everything's going wrong. Something that proves you did a simple thing. Uh, and something that could be used for generic gatekeeping. Uh, bonus point would be if it's easy to get it online for free or a small fee. Uh, anybody want to take any guess at what I think a digital certificate can be
looked as?
>> I like that. I like that. Any other guesses? Just a piece of paper. Uh, the one I came up with is a high school diploma. I will admit, as much as I hate the driver's license analogy, it is a pretty good one. Uh, however, like I said, I haven't been able to find a case of a digital certificate being used in a legal situation to prove something. Uh however, I have seen entire industries build around uh forging them. Kind of like how you can drop out of school and take a digital arts class at your local community center and then make your own high school diploma. So, why does this matter? Well, if we
get into some of the dangers super quick, um, domain redirects, lookalike domain spoofing, typo squatting, there's a ton of reasons of how somebody can force you to trust a certificate that you shouldn't. Uh, you can also use third-party hosting sites to fall under their umbrella of trust. Uh, anyone else hate Shopify for that? Yeah, if you sign up on Shopify or, I don't know, godaddy.com and give them money, you'll fall under their umbrella of trust. What if they could actually just force the trust? I saw an interesting attack recently where a hacker sent an RDP file to somebody and that RDP file had a publicly trusted digital certificate attached to it and the thing it
identified was the hacker's machine. So, it forced an RDP connection to a trusted device and had some network share stuff built in so that when the user opened the file, it connected to the hacker's machine and just gave them the user's file. That sucks. Uh, but it's pretty cool. Um, as I get towards the end, I'm long-winded, y'all. Uh, there's some stuff you can do to protect against this. The basics, uh, Online Certificate Status Protocol and certificate revocation lists. They're the basics for a reason. I'm not going to defend their flaws because I don't want to. Uh, you could use a DNS filter to do this. I've done it with both uh, cheaper free versions like AdGuard and
I've done it with Umbrella, uh, Cisco's version. If you guys are using that, it is possible, but it requires configurations. Um, you could also do automated checks on your own uh for this. Uh, there's tools like uh PhishTank if you guys haven't heard of it. It's uh I think that's Cisco's Talos. Man, I said Cisco twice in this. I have to go repent. I'm sorry. Uh anyway, there's also something called urlscan. This is a screenshot of a script that I was working with. Don't worry about it. It's bad. Uh and you can look at the domain age. That also helps. And the reason why I bring up those automated checks is I'm sure some of you are much
better at uh programming, scripting, or Python than me. So, you can pull all of those in and then score it. You can set your own metrics if there isn't a tool that works for you. Uh but the one thing that I found through this that I really enjoyed was uh certificate transparency logs. Have you guys uh heard of those or used those yet? Just the cab. I don't like calling you. You do with a hat cab driver though. Oh, that's a good name. No, it's not. I'm sorry. Um, certificate transparency logs are a thing if you're not familiar with them. They help out with malicious certificates as well as certificates that are being abused or hijacked. Um,
but they only work if it's a public certificate. So, do not put your internal certificate information into a public tool. You guys are on board with that? Okay. So, super quick example. This is what I uh I didn't sacrifice the chickens to the demo gods for this. So instead, I'm just going to show you guys screenshots. You can go to a site. Uh I use demo.testfire.net because it's a fun fake bank application if you guys aren't aware of it. Uh and all you have to do from there is pull the fingerprint for the certificate and then plug it into the site uh crt.sh. Uh if anybody out there hates Google, you'll have to find a different site uh
because this is one of their utilities. But then it gives you the history of that certificate more than just looking at it yourself. Uh I am 100% positive that everyone in here could find all of this information on their own about a certificate. Um but I also know that I'm lazy and that's a site where you can put a public fingerprint in and it just gives you the certificate information. So I'm a fan of that. But anyway, uh I meant to leave some time for questions, but uh I didn't because I talk a lot. So, if you guys have questions, feel free to find me. It'll be awkward, but I will do my best to talk to you. If you are also awkward
like me and you don't want to talk, I have a QR code that you can use to connect. It's right behind me, though. So, it's also over there. Uh and you could get a digital digital certificate certificate solely because I wanted to say that through a microphone. Uh but also provide feedback because I love hearing from people. But uh that's all I uh got unless there's any time for
>> We've got time for questions.
>> Oh yeah. Has anybody got We got time for questions. Yeah. Please don't ask why I called you a cab driver. He hears it a lot. So thoughts on stapling. Certificate stapling prevents a very specific abuse of trust and I think it
will always have a place. So if you have a complex internal environment or a complex public environment, I would recommend using something like stapling or stapling directly. Um I don't like trusting somebody because somebody else trusts them because somebody else trusts them though and keeping all of it together in one packet can Did that help? Any followup on that from your end?
>> Okay. Any other questions? I uh I'll share one I got recently. A question was uh do you find any value in auditing local certificate stores? Uh and my general answer to that is no unless it's a developer's workstation. In which case, yes, for obvious reasons.
Any uh anybody got anything else?
>> Yeah.
>> Or any recommended tools or anything? Yeah, I would say that it mostly depends on if it's internal or external. Um, I am not a Kubernetes person. Uh, I'm trying to learn what Kubernetes is and does and I've been trying that for 5 years. Um, but I know that there are a lot of good uh utilities you can use in that realm. On the uh just the regular standard side. Uh what what I do is that I use uh I've used and don't hate me for this because it was the the company uh Active Directory Certificate Services uh and then pull all of that through PowerShell because PowerShell was the first scripting language that I learned.
So I had to automate it on my end. There are services that help you automate it on a larger end but I don't remember them. Thank you. Uh, and then the not gonna say the name that came to mind.
>> It was Derek.
>> Nope,
>> not Derek. So, um, I think collectively we like the royal we know that the certificate uh, lifespan going down to 47 days is or whatever it is is a good thing. Um, quote unquote good thing. Do you think there'll be people that just throw their hands up and say, "Okay, we don't need it." uh because you know dentist office etc.
>> I love that question uh because yes uh
I'll use an I'll use a historical uh reference for this. Uh do you guys remember when uh we kind of had a push to use third-party trusted certificates for public services and then Google created Google Trust Services which if you guys didn't know that's how they sign all of their own certificates still they just pay themselves to do it. So I think the kind of the the third party hosting realm all of that will kind of stay unchanged. So, if it's a small business like a dentist's office and they're already paying somebody like godaddy.com, the unfortunate thing is they're just going to get charged more money. Um, but if they have the space to do it with like Let's Encrypt or
something, then they're going to have to do more work. So, I love the idea of switching to a shorter lifespan. If you guys were curious about that, most of the protections that I used to use for certificates were all time-based. So, that makes my job easier. I say job like I was getting paid a lot of money for it. Um, but yeah, thank you. That was great. Anything else I can answer for you guys before I go hide?
All right. Feel free to harass me if you want. Uh, just like mild harassment though, not like actual harassment because I will cry. Um, yeah. Thank you guys and thank you to BSides for letting me do this.