1. What is it?
SSL certificate audit is a new feature available for Enterprise customers which runs tests to detect phishing and null prefix attacks. The main goal is to provide you with a detailed overview of your assets, as well as an information who is the certificate issuer so that you can be sure no fraudulent certificates are being issued, and if they are - react on time and prevent your users from being tricked by them.
2. How does it work?
The audit is based on analysing publicly available records from SSL transparency logs and searching for certificates issued for malicious domains that look similar to your domain.
The current feature is only looking for the newly issued or updated certificates coming from the Certificate Log Update Stream (it is not looking for e.g. Certificate Revocation Lists). We use https://certstream.calidog.io/ to listen to a real time stream of logs.
a). In the first place, our Certificate Monitor listens in to all the incoming certificates.
b). Next, the Certificate Matcher cross-validates the incoming certificates with the client's existing assets and checks if any certificate is issued to any subdomain of existing domains. Once the certificate has been found and it matches the existing subdomain, it is used to populate the Asset Inventory information.
c). The Certificate Audit component checks for the vulnerabilities. In the current release the Certificate Transparency Tests focus on:
Null prefix attacks
The future releases will include subcategories of phishing attacks: typo- and bitsquatting attacks.
3. Certificate Transparency Tests in detail:
a). Null prefix attack: 00 (\0) is added to the domain name to mask remaining content
Example: certificate issued to detectify.com\0.example.com would be recognised as valid for detectify.com
b). Phishing attack: domain name is similar to existing domain name
homoglyph (e.g.: detectify.com or xn--dtectify-c8g.com)
TLD difference (e.g.: detectify.org)
name similarity using Levenshtein comparison (e.g.: detictify.com)
4. How to turn the feature on?
The Autodiscovery part is already running in the background - the findings will keep populating your Asset Inventory view.
The Cert Auditor vulnerability check is something you opt in for - it can be enabled or disabled in your Asset Monitoring Advanced Settings:
Go to the Asset Inventory and select your scan profile. You will then be forwarded to your Asset Overview where in the top right corner you will see the Asset Monitoring Advanced Settings.
SSL Certificate Audit is off by default, use the toggle switch to turn it on.
5. Where can you see the findings?
Domains that have been autodiscovered by Cert Matcher will be visible in your Asset Inventory.
Findings produced by Cert Audit will be visible in your Asset Monitoring Results.