
Hacker News Comments on
DEF CON 25 - Hanno Böck - Abusing Certificate Transparency Logs

DEFCONConference · YouTube · 1 HN comment
HN Theater has aggregated all Hacker News stories and comments that mention DEFCONConference's video "DEF CON 25 - Hanno Böck - Abusing Certificate Transparency Logs".
YouTube Summary
The Certificate Transparency system provides public logs of TLS certificates. While Certificate Transparency is primarily used to uncover security issues in certificates, its data is also valuable for other use cases. The talk will present a novel way of exploiting common web applications like WordPress, Joomla or TYPO3 with the help of Certificate Transparency.

Certificate Transparency has helped uncover various incidents in the past where certificate authorities have violated rules. It is probably one of the most important security improvements that has ever happened in the certificate authority ecosystem. In September 2017 Google will make Certificate Transparency mandatory for all new certificates. So it's a good time to see how it could be abused by the bad guys.
Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
Interesting timing, considering the talk [0] on this very topic was just uploaded to YouTube yesterday morning from DEF CON 25. Basically, this is offering his observation (CT logs can be used to get a real-time list of new domain names, which can be exploited) as a service.

Seems like Hanno Böck could at least use a shout-out if it was related to his work.

Either way, the talk is worth a watch.

[0] https://www.youtube.com/watch?v=TMNeSnjZfCI&list=PL9fPq3eQfa...

zer01
Interesting! I haven't been able to attend DEF CON in the past few years, so I haven't seen that talk (or heard of his research), but it's something I've thought about for a while now: using CT logs as a means to jump into the early process of setting up web apps and whatnot.

Thanks for the video!

tty7
A shout-out isn't needed; I did the same thing as Hanno over a weekend early this year. Been kicking myself since DEF CON that I didn't submit a talk!

Anyone who reads the Certificate Transparency log RFC can quickly realize what's possible.

I've also been following calidog since his first Medium post; I've got my own similar cert scanner/tracker.

HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.