Tracking SSL Certificates

Published: 2015-12-01
Last Updated: 2015-12-01 09:26:05 UTC
by Xavier Mertens (Version: 1)
3 comment(s)

More and more online services (not only websites) have switched to "SSL" for a while and, if it increases the end-user security, sometimes it's a pain for security peeps who have too perform investigations or control (yes, it may happen also). During the last edition of BruCON, I collected certificates over the wire. It's easy to do via a tool like Bro which has this feature built-in. To enable it, just change your local.bro configuration file:

# Log certs per Seth
@load protocols/ssl/extract-certs-pem
redef SSL::extract_certs_pem = ALL_HOSTS; 

And restart your Bro process:

# broctl

Welcome to BroControl 1.4

Type "help" for help.

[BroControl] > install
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/site ... done.
removing old policies in /nsm/bro/spool/installed-scripts-do-not-touch/auto ... done.
creating policy directories ... done.
installing site policies ... done.
generating standalone-layout.bro ... done.
generating local-networks.bro ... done.
generating broctl-config.bro ... done.
updating nodes ... done.
[BroControl] > status
Name       Type       Host       Status        Pid    Peers  Started            
bro        standalone localhost  running       4544   0      30 Nov 13:34:01
[BroControl] > restart
stopping ...
stopping bro ...
starting ...
starting bro ...
[BroControl] > exit

The new interesting log is called certs-remote.pem and will quickly be populated. The problem is that all certificates are stored in one big file.  We can split them in <number>.pem files using the following awk command:

$ awk '
split_after == 1 {close(n".pem"); n++;split_after=0}
/-----END CERTIFICATE-----/ {split_after=1}
print > n".pem"}' <certs-remote.pem

From the traffic collected during BruCON, I extracted 3811 certificates. The next step is to extract the URLs related to them:

$ for i in *.pem
do openssl x509 -in $i -text -noout | 
    grep DNS:|
    awk '{ print $1}'|
    awk -F ':' '{ print $2 }'|
    sed 's/,$//'
done | sort -u >domains.tmp

The command above extracted 2139 unique URLs (FDQN or wildcards) visited by BruCON attendees. Keeping an eye on SSL certificates can be interesting to track suspicious activity and also to keep an eye on which websites were visited by your users in a passive way. They also contain a lot of interesting information that could be useful during future investigations. Have also a look to the Passive SSL project supported by (the Luxembourg CERT).

Xavier Mertens
ISC Handler - Freelance Security Consultant

3 comment(s)


This certainly could be a useful addition to existing logging. The existing logging should be recording the cert signature to support the addition of a cert database.

Keep in mind deriving URLs visited from certificates is less accurate due to flawed usage (mostly in HTTPS), but finding flawed usage becomes possible. Users conditioned to flawed usage in HTTPS are likely to be duped into accepting certificate anomaly in malicious circumstances.

This would also support searches for such anomalies and investigating possible malicious intent behind the anomaly. Or as I have seen some really poor usage such a bank outsourcing their online account access resulting in redirection to the provider, but at least the provider is using an EV cert. When notified, said bank brushed off the possibility their customers are being conditioned for a malicious actor dupe them into revealing their account credentials.
A report of sites with non-unique certificate fingerprints that aren't expired would be cool.
A proxy supporting SSL decryption is ideal if you have that kind of network control.
I am running Bro on Security Onion and followed these instructions.

Everything seems to be working as described and certs are being extracted to a single file but that file is in the /nsm/bro/spool/[hostname-interface name] directory.

Is there any way to have Bro break up the certs-remote.pem files each day and store them with the other logs in the /nsm/bro/logs/[date] directories?

Diary Archives