
Welcome. Are you guys enjoying being in a basement? It's like home. Do you guys not go outside? Wait, I know where I am. Yeah. No, I was just making fun of him because it's dark. We're good with lights. Do you guys want the lights on? I guess I should ask that. There's more of you. That was super. No. Well, all right. Well, my name's Jeff Krakenberg. Uh, I'm a bit of a cybergoblin like most of you probably. Uh, currently working as a technical trainer. I've got a background as an information security analyst, vulnerability assessment, pen testing, that kind of stuff. I'm also an author, game designer, D&D nerd. So, if there's anything nerdy you want to talk
about, I've probably heard about it and I'm interested in learning more. But I am socially awkward. And I know a lot of you are like, I'm also socially awkward. Yes. And that compounds; your awkward will make my awkward more awkward. So, you guys are okay to laugh as we're going through this. There will be jokes. You're okay to ask questions. And if nobody asks any questions, I'll try and force somebody to, but that'll be awkward, right? That would be. So, if you have a question, just ask it or I'll stare at you until you do. Anyway, we'll get into it. Uh, I know a lot of you have probably heard about digital certificates before. Uh, as just a
super quick question, has anyone not heard of a digital certificate? Digital certificate. Yeah, you've never heard of a digital certificate. Cool. Well, that justifies the next part because I'm going to give everybody a general overview of what they are before we get started. Our friend Bill's going to help us out with that. Uh, we're then going to talk about some fails that I found in the field when working in research. Just some fun stuff to be aware of. And since I make fun of other people, I'll make fun of myself as well with some floundering I did. And then I'll wrap up with maybe a better way to talk about digital certificates, but probably not because
they're bad. Sorry. Does anybody like digital certificates? Or were you all aware that this was going to be making fun of something? I don't think I've ever seen this many serious people this early in the morning. Are you all doing okay mentally? You laughed. Is that a good thing or a bad thing? Shout out to mental health hackers upstairs. Talk to them. Uh, so what is a digital certificate? There is a common analogy that gets thrown around. It says that your digital certificate is like your driver's license, which, shout out to the last speaker for mentioning driver's licenses and IDs. If you guys heard that, if you don't know why, it's because someone else gives it to you and
it proves that you are you essentially, right? So digital certificates get thrown in the same vein. I don't really like that definition. I like to think about it as a special type of file that identifies a resource cryptographically, because they can be applied to anything. But just as a high-level question, what is the most common thing digital certificates are applied to? Web servers, websites. Yeah. Right. Most of the time you guys might have heard them called SSL certificates or TLS certificates. If that makes more sense for you, that's cool. I just don't like either of those things. But you can think about it more like a name tag. If you guys have a name tag, we all have
name tags, right? That don't have anything in them currently. Does anyone know the story? We'll talk about that later. Uh, so you can think about it like a name tag. You sign your name tag for yourself, but then someone else like godaddy.com comes across and it's like, "Yeah, they identified themselves correctly. You can trust us. We didn't have super questionable ads all the way through the 2010s. We're not part of the problem. GoDaddy.com." Anyway, if you're not familiar, GoDaddy is a major player in the game of verifying website trust, which sounds insane because it's godaddy.com. I don't think I need to say more, but why does that matter? So, I access a lot of remote machines. Some of
you guys will as well. I access a lot of websites, different types of things. And a digital certificate should be a quick way to identify your resources, right? So if I'm going to a website, a lot of people said web servers, that means my browser is getting the site from a server and I am just trusting that server because someone like godaddy.com said that I could, right? It's not the most trustworthy thing in my opinion, but I'm never 100% sure that I'm accessing my virtual machines or my cloud PCs, whatever it is, because how am I supposed to know? I'm not going to read through the fingerprint if it's not a saved. Does anybody do that? Any truly
insane people in here reading through the fingerprint when you connect to a remote machine? 10 points. You have, and now you don't because it hurt your eyes that one time. Anyway, I regularly look at it when I'm making a connection and my general mind is like, well, I'm pretty sure this is mine. That'd be bad if it isn't. And a digital certificate is just there as a quick way to verify that resource ownership. Right? So I should have my certificates on my resources. You should have your certificates on your resources. So if I log into my server, what certificate should I see? Mine. If I log into your server, what should I see? Yes. Yeah. And if a hacker logs
into our server, what should we see? Coffee. Also, they gave me a laser pointer and that was a mistake backstage. They were like, "Yeah, I do good." And I'm like, "Sorry, I'm just looking at the laser pointer." So, how does this help us out? I know not everybody has heard of digital certificates. We're all coming from a different place in the industry and we might not all have the same basic understanding. So, I'm going to use old school Pokemon terms. You guys okay with that? Cool. So, how does this help us? Uh, in Pokemon, if you guys aren't familiar, in the olden day, not in the new ones that I'm bad at because there's too many graphics, but in the older
ones, right, your inventory would be full of pocket monsters, and you want to catch more Pokemon, so you got to send them through a PC to a box somewhere. I don't trust someone with my Pokemon, right? Just someone's PC. Now, digital certificates could help identify that as Bill's PC, right? Bill's a Pokemon expert. We could probably trust him with our Pokemon. Would you guys trust... Should you trust Bill with your Pokemon? Anybody aware of his weird habits in Pokemon lore? Should you trust the guy that was introduced as accidentally turning himself into a Pokemon? Do we think we can trust his certificate that he signed for himself? That's a you decision. I just bring this
up to say self-signed certificates, which is what that's called, have to be manually trusted. And once you manually trust it, you have to manually untrust it, or anything Bill does with your Pokemon goes. That sounded really bad out loud. That was just supposed to be a metaphor for data. I did not mean for it. Anyway, so I'll get into my first failure. I do a lot of talking about this stuff, and once upon a time I was talking about digital certificates and I asked for a class- or workplace-appropriate website and I was given homestarrunner.com, which, based on the sparse chuckling, a lot of you come from different backgrounds than me because you don't know what that is. I'll just
summarize it to say it's a weird website that a lot of people went to, and all of us are weirdos, but it's a real thing. So, I was like, cool. I'll look at it. I'll open up the certificate. Got to the subject alternative name, which is a way to record naming information if you're unfamiliar, a way to verify that that's the right place you're talking to. And there were three entries: the standard one, homestarrunner.com, www dot, and then, I know it's really hard to see because this is a screenshot, but uh there was also webmail.homestarrunner.com, which I'm not here to yuck anyone's yum. If you want to keep everything on the same certificate, that's probably
fine, but it's probably not fine if it leads you directly to a vulnerable webmail login. That's when we got to talk. Uh, side note, this was reported in 2023 and 2024 and has been patched since. Hopefully, they haven't responded to my email. Uh, no, they did respond. They were great. Uh, but through poking at this, they found authentication through slightly modified defaults. Anybody else doing that? Just taking the default password and adding a character at the end and hoping that's good enough. Which gave us access to multiple internal email boxes. Kept scanning and we found weak session cookies. We found a vulnerable library. Bou all this. This was just like the creamy middle of a
double layer cake. You guys like dessert? Is it too early for dessert? This is like the cinnamon inside of a cinnamon roll. It was good for the time, but it wasn't the best thing. The best is the icing, right? And that was an alternate HTTP port running a JavaScript redirect really easily, which is not great and could be used to support phishing, which it was. But the core of this issue is a general misunderstanding of what certificate authorities do. And if you're not familiar with a certificate authority, godaddy.com, I'm just seeing how many times I can say that name and someone will chuckle because every time I say it, I just imagine commercials that shouldn't
have been aired. So we as a web admin would send our key and our registration information to the certificate authority. Does anyone want to guess what that certificate authority does? I heard a sure. Yeah. Yes. And that is what we'll talk about a bit later uh with an unfortunate thing that's happening in the future. Yeah. They charge you a bunch of money and uh they give you a certificate, right? They take your information, they turn it into a file, you give that file to your server. Congratulations, you've identified your server. Do do they actually verify all of your information is correct? Some do. Great point. Do the ones that just charge you a bunch of
money do that? No. Oh, a lot of times they're just checking your receipts saying depends on the certification policy as well. Do you come from a very strict certification policy? Depends. Good answer. I also wouldn't talk about my employer here. I don't want you guys to find me ever again. Uh anyway, but they are mostly going to verify the domain, send it back, and then you're going to install it on your web server. This is most commonly an issue with smaller shops. So, if you guys are thinking enterprise level and big things like that, this part's not for you. You have tools that somebody paid for that can do this so much easier. But if it's just a
person managing a website, let's say for a not for-profit community organization or a small business, a lot of those people that I talked to do think that the certificate authority is verifying that everything is okay because they're paying them money. And from their background, that should be okay, right? If I'm giving you what, $500 a month or whatever they charge. I don't know. I haven't bought a certificate in a while if you guys can't tell. But if you're giving them that much money, you should be able to just install it right onto your server without issue. And a lot of times you would be correct. There isn't much issue there. But when we start thinking about it
maliciously, uh, it's what a lot of us look like there at the top as a malicious person. Lookalike domains aren't really checked by most certificate authorities. If you take webmail.homestarrunner.com and turn it into webmailomestarrunner.com and just jack all the code to make it look right, you will be able to get a website that looks exactly the same. I hypothetically did this with Let's Encrypt for this specific example. Anyway, not going to go off on that tangent. There's a pointer. Sorry. Uh, so they verify the receipt. They verify the domain information looks correct. They did not verify that you are a legitimate entity all of the time. There are ways to do that. You can pay more money for
identity verification on that, but they will give you the certificate still and then you can install that on your phishing site. Make it look really trusted and pretend to be Strong Bad and phish users trying to ask questions. That part is mostly for the people that know what Homestar Runner is. There was a guy named Strong Bad. He did terrible drawings and he read emails. just one resolute. Yep. So, in this case, I know I'm using Homestar Runner as an example, but this does apply to any business that's exposing their certificate or exposing their webmail through their certificate. It's not a bad thing. You just have to make sure you are doing the bare minimum and not
using weak credentials. Another failure that I came across, this is one that I'm not sure how it still happens. So, if anybody knows how this still happens, feel free to harass me about it after this. Uh, but I call it a dental redirect. It's not a redirect in the way you guys were probably thinking it would happen. But there was a website and when they asked me to browse to their site, it just responded with HTTP. It wasn't a redirect. It wasn't a downgrade. It was just an HTTP site with a lot of user data flowing through it. That was our main concern at the time: they had forms on their HTTP-only site
that were getting user information. This sounds insane, right? 2025, that's the year we're in currently, and we still have people doing just HTTP. Well, it does exist. And they thought they were doing great because if you don't HTTPS, try again and you might find a self-signed attached to a different site. Their saving grace on this, of how their users still got to the right place, is that they decided to turn HSTS off, which we all have feelings about HSTS. We won't get into that. So, users were still getting to the right site, but then the people that wanted to get to this site could still get to this site, which uh, grainy, not the best
picture because it's a screenshot of a browser that was dumb. But that's WatchGuard. If you guys aren't familiar with WatchGuard, it's a mostly secure VPN. I'm not here to talk about WatchGuard, so if you are a fan, don't come at me for this one. I only poked it for this, and I have no other experience with your service. But it did have in the original version that we found some exposed functions that were not validated properly, which allowed users to just get in there. Do you guys like websites where you could just go, "Hey, I am the admin." Well, I'm sure you guys like those websites when you find them, but would you like it when somebody found it for
your company for you when you didn't find it? I don't know. I'd still like to find it in that case because that sucks. That's going to be my boss's problem. But the core issue with this one, like I was already making fun of, the HTTP original issue was forms on that site that were not securing data, sending plain text information, customer name, contact information, comments and requests, and account info through a form on an HTTP-only site, which uh, from the vague nods, I think you get it; we all agree that's bad. But then they overengineered their other side. Uh, up at the top we got a malicious user. And as I always say, uh, you can tell he's malicious because he's
got a hat on and he's unhappy about it. So your general security, you don't want them plugging in directly to your local network. But through mismanaging your login, you are just giving them another path right back to the local network. On the user side, does anybody have strict browsing enforced or secure browsing, whatever your preferred browser calls the thing where it only does the secure thing and nothing else? Do you guys not go on the internet? You do. What's it called for you? Secure browsing. Are we sure that's what it's called or is that just what we're calling it? Because none of us really know what it's called. It's the web header. Yeah, HSTS. That's
what they want on your browser as a user. Especially if uh none of us would do this, but if we just look at headlines and get scared and then look for settings in our browser configurations to force security. If a user were doing that, they wouldn't end up on the actual website. They would end up on the VPN login. And if they were trying to submit information to the company to give that company money, that would be to steal from the previous person an impact on that business, right? Not only is their data being exposed, not only is their resource being exposed, but they are also shooting themselves in the foot. So, I feel like I made fun of
other people enough for this one. I don't have any nice graphics for this part because it was mostly internal. Uh, but I do know the person that made the misconfiguration issues. Uh, that was me. So, I'm uh promptly qualified to make fun of myself. Don't get distracted by the sumo person. Don't get distracted by the sumo person. Everybody look really quick. If you didn't look, you missed out. So, I uh for a while I was working with certificates. Had a relatively large workload that we were doing on there. And the most common thing that would happen was you'd get the wrong format. Anybody have this happen to them where you're trying to apply a certificate to a machine and it's like
ah invalid. It sucks and we all know how to fix it, right? Not going to spend much time on that. But I will say that our SOP at that company was tell the ops guy he did it wrong. You know, instead of run any number of simple commands or tools to convert it yourself, the SOP was tell someone they suck. I used to wonder why ops folks hate us and developers hate us or me specifically in cyber security. Uh and then I started running into things like this where it's a policy to tell somebody that they did their job wrong. Uh that's probably a training point for somebody else. Everyone hates everyone and it's okay,
right? Who threw the first shoe or whatever you guys throw at people. So, this was mainly an issue when we were starting to automate it. I'll get into automation a little bit more in a bit, but we're going to try and use Puppet with some really simple instructions to pull a certificate from one place and put it in another place where it's supposed to go. So, like firewall A's certificate should go on firewall A, firewall B's certificate should go on firewall B, because that's what you would do normally. And if you automate it, it should do the thing you do normally faster and/or better. But uh, I may have messed that up. I'm not going to go through the
whole configuration there because it is uh pretty small text, but I've got a couple of circled portions on just mishandling Puppet configurations. Um if anybody is interested in securing certificates and stuff like that through Puppet, it is possible. You can deploy them from the certificate store to your resources if you work carefully and test your efforts on all of the devices, not just the first one, and then move it over to the other one without changing what you put in the copy of the first one. Anyone else ever copy pasta some code from their own code and not realize that they forgot to change something? I'm really glad I'm not the only one that made this mistake.
Otherwise, that would be embarrassing. But the key point on this one, why I'm talking about automation and why I had to completely change this uh presentation over the last two weeks is uh did you guys hear that they're expiring forever? Not forever. Forever. They still suck. We're still going to have to use them, but over the next four years, your digital certificate lifespan is going to go down to 47 days, which uh is like 10%ish. I'm really bad at math. It's like 10%ish of what it currently is. Next year it's getting cut in half. Three years after that it's getting cut in many more halves. So if you are not currently thinking about automating your
certificate deployment, you should probably get there. Uh, my main takeaway would be automation is coming for your certificates whether you want it to or not. Unless you want to hire a dedicated certificate person that every 45 days just buys and uploads new certificates. I don't know. Sounds like a key automation point for me, but uh, I can't tell anybody what to do at their organization. So automate what you can, onboard whatever resources you can, and if you can't, you can always look for alternatives to prove your trust. Uh, like, has anybody heard of DANE? DNS something authoritative naming something. Uh, we could use DNS instead of certificates because that never breaks. Looking for alternatives, and they
were like, hey, you could use bad certificates that suck or you could use an even worse thing. It's already the cause of 60% of your network issues, might as well make it the cause of most of your trust issues. So, to kind of wrap up talking about this, uh, if we're thinking about, excuse me, if we're thinking about digital certificates, I mentioned that analogy at the beginning of the driver's license, and that is close, right? If you guys haven't heard of it, it does make sense. I just don't like it. When you go to the DMV to get a driver's license, you give them proof that you are who you say you are and then they
supposedly verify that proof while staring at you like you're interrupting their day and then they give you a document and they mail one to you. Digital certificates work pretty similarly. You go to the certificate authority, you give them the information, they give you a thing. So, it's close. Uh land deeds technically closer mostly because I'm a fan of space fantasy westerns. Uh, and that's just interesting to me. But land deeds aren't really real and they only work if you trust the person that signed it because no one has ever fraudulently given out land before as a country. So, in my opinion, the best analogy for a digital certificate is something that no one is really going to
ask for unless everything goes wrong. Uh, something that proves you did the simple thing. Uh, something that could be used for generic gatekeeping. Uh, and a talk at BSides. And bonus point, it's something easy to get online for a small fee or for free. Anybody have a guess at what I came up
with? You guys not like guessing. Student ID. I like that for library card because those are kind of made up. Ah, I'm not going to tell everyone to look at you and guess if you're old enough to know what Blockbuster is because that would be embarrassing. But that hurts. I trust the guy with the mustache next to you that says you're not old enough. I just said I trust a guy with a mustache. I'm going to regret that someday. Uh, so in my mind, a better analogy for a digital certificate would be a high school diploma because no one cares. And just like a high school diploma, you can easily drop out and take a digital
arts class at your local community center and make your own, maybe even run an entire industry off of digital certificate fakes. Uh, just a couple quick points as I get out of here. The reason why this is something that I care about a lot is because there are a lot of dangers of this. It's very easy to spoof trust with lookalike domains like I talked about earlier. It's also really easy to just use someone else's trust. Third party hosting a site. Uh, anybody hate Shopify for this? How pretty much any site on Shopify is trusted? Because Shopify is trusted by someone. And then the interesting one, uh, is you can actually force that trust through phishing users. You can throw an
RDP file with a trusted public certificate on there from somebody like, I don't know, godaddy.com or Let's Encrypt, and it would force that connection to the certified resource, which is actually just the attacker's machine. Uh, hopefully that's not new to anybody, but if it is, it's a cool thing. It actually works. Uh, so some basic protections against that: Online Certificate Status Protocol and certificate revocation lists. These exist and we can debate their effectiveness, but they technically help. They're there to technically help depending on what level you're at. You can also use a DNS filter, whether it's AdGuard if you're small or Umbrella if you're huge and want to pay for that. Um, and then there's custom things you
can do using tools like PhishTank and urlscan.io. I threw those on there mostly to spread awareness. Has anybody heard of uh, PhishTank from, I think it's, Cisco Talos IG? It's a website that's community-driven that just answers the question, is it a phish? So, if they have the URL, it's probably a phish. urlscan is a more intensive version. But that is all I really got uh, for today unless anyone has any Qs. If you want to connect with me... Do you find any value in auditing your built-in cert stores and customizing them to remove some of the pre-approved authorizers? I haven't found any value in auditing it for that reason. I have
found value in auditing developer workstations' certificate stores that I would never talk about publicly in a room of people connected to developers. I don't want that. Uh, but there's a digital, uh, or there's a QR code. If you want to connect, feel free to scan that. You can connect with me. And I've got a silly digital certificate certificate if you guys like those things. Uh, and some other stuff. So, that's there. I'm going to give it over to the other people now.
That's so cool.
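Two things the talk keeps coming back to are worth seeing as code: the subject alternative name list that advertised a webmail login to the world, and the move to 47-day certificate lifetimes that makes expiry tracking and renewal an automation job rather than a calendar reminder. The program below is an added example written for this transcript, not code from the speaker or from any product he mentions. It uses only the Go standard library: it builds a self-signed certificate in memory with a SAN list modelled on the three names from the Homestar Runner story (a constructed sample, not the real certificate), then audits it with three checks: which SAN entries name a login surface such as webmail or a VPN portal, how many whole days remain before NotAfter, and whether renewal is due under a "renew once a third of the lifetime is left" rule. The prefix list and the one-third rule are assumptions for the example; the same functions work on any certificate you load with x509.ParseCertificate from a server's chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hostname prefixes that usually mean the certificate advertises a login
// surface (mail, VPN, admin). Assumed list for this example; extend to taste.
var sensitivePrefixes = []string{"webmail.", "mail.", "vpn.", "admin.", "remote."}

// NewSampleCert builds a self-signed, in-memory certificate whose SAN list
// mimics the three-name example from the talk. Constructed sample only.
func NewSampleCert(notBefore time.Time, lifetimeDays int, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(lifetimeDays) * 24 * time.Hour),
		DNSNames:     dnsNames,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Self-signed: the template is its own parent.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SensitiveSANs returns the SAN entries that point at a login surface, so an
// operator can decide whether those hosts belong on a public certificate at
// all and, if they do, whether they are hardened (no default credentials).
func SensitiveSANs(cert *x509.Certificate) []string {
	var hits []string
	for _, name := range cert.DNSNames {
		lower := strings.ToLower(name)
		for _, p := range sensitivePrefixes {
			if strings.HasPrefix(lower, p) {
				hits = append(hits, name)
				break
			}
		}
	}
	return hits
}

// DaysRemaining is the number of whole days until NotAfter (negative once expired).
func DaysRemaining(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// RenewalDue applies a common automation rule (assumed here): renew once no
// more than a third of the certificate's lifetime is left. For a 47-day
// certificate that triggers about every 31 days.
func RenewalDue(cert *x509.Certificate, now time.Time) bool {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	return cert.NotAfter.Sub(now) <= lifetime/3
}

func main() {
	start := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	names := []string{"homestarrunner.com", "www.homestarrunner.com", "webmail.homestarrunner.com"}
	cert, err := NewSampleCert(start, 47, names)
	if err != nil {
		panic(err)
	}
	now := start.Add(35 * 24 * time.Hour) // pretend it is day 35 of a 47-day lifetime
	fmt.Println("SAN entries:               ", cert.DNSNames)
	fmt.Println("login surfaces advertised: ", SensitiveSANs(cert))
	fmt.Printf("days remaining: %d, renewal due: %v\n", DaysRemaining(cert, now), RenewalDue(cert, now))
}
```

Run it as is to see the audit over the constructed certificate; to audit a live one, replace NewSampleCert with tls.Dial plus ConnectionState().PeerCertificates[0] and feed that certificate to the same three functions. The point of SensitiveSANs is the one the talk makes: the certificate is public, so every name on it is an announcement, and each announced login must be treated as internet-facing.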