Thread by @mattiasgeniar, A while back, I learned you can include expired root certificates in [...]

A while back, I learned you can include expired root certificates in your certificate chain on your webserver, and the browser won& #39;t make a fuzz.

So ...

What else could you stuff in there?

https://abs.twimg.com/emoji/v2/... draggable="false" alt="😈" title="Smiling face with horns" aria-label="Emoji: Smiling face with horns">

Long-form: https://ma.ttias.be/certificate-chain-stuffing/

Below,">https://ma.ttias.be/certifica... a thread!

https://abs.twimg.com/emoji/v2/... draggable="false" alt="👇" title="Down pointing backhand index" aria-label="Emoji: Down pointing backhand index">

What else can you stuff in a certificate chain?

I recently learned that quite a few (old) root certificates are going to expire, and many websites still send those along in the TLS handshake.

https://ma.ttias.be/certificate-chain-stuffing/

The tl;dr: of how certificates work:

Your computer/server comes with a set of root certificates that it trusts, and every certificate will be validated against one of those root certificates.

Usually, there’s a certificate in between, called an intermediate, that chains the SSL certificate of a website, through that intermediary certificate, to the root certificate.

Some websites send along a very old root certificate to their clients.

What if instead of just *one* root certificate, we include - say - 82 root certificates in the chain?

https://abs.twimg.com/emoji/v2/... draggable="false" alt="😈" title="Smiling face with horns" aria-label="Emoji: Smiling face with horns">

To test this, I modified my @caddyserver and instead of using its internal Let’s Encrypt mechanism, I supplied it my own (self-signed) certificate.

The certificate.crt file contains a random selection of 82 other root cert: https://gist.github.com/mattiasgeniar/f5ebf8e9833b37aa5a5af58b1cfc5f43">https://gist.github.com/mattiasge...

The certificate.crt now weights 132KB in size as opposed to the lean 1.9KB it was before.

And when I reload the webserver … it still just works!

Why limit it at 83 certs? Well, it& #39;s sort-of random, but there& #39;s a limit to how many certs will be parsed client-side.

In practice, openssl (and curl& #39;s implementation) parses around ~80 certificates. After that, it throws "routines:CONNECT_CR_CERT:excessive
message size" errors.

This experiment lead to an observation: both Chrome and Firefox’s network inspector do not show the network traffic generated by the certificate exchange.

If a browser sends 1 certificate or 83, the total network size remains the same in the inspector.

What’s the performance impact?

To be fair, it’s quite small. I would have expected a substantial increase in the time spent in TLS-negotiation, but that’s not really the case.

I added ~80 certs around 2PM. Things slow down, but not by much.

What can you do with this newly gained knowledge of stuffing extra certs in chains?

Not much I guess ¯\_(ツ)_/¯

I have some ideas for CTF& #39;s or data extraction techniques, if you& #39;re interested - read the longer blogpost!

Peace out

https://abs.twimg.com/emoji/v2/... draggable="false" alt="🤙" title="Call me hand" aria-label="Emoji: Call me hand"> #what-can-you-do-with-this">https://ma.ttias.be/certificate-chain-stuffing/ #what-can-you-do-with-this">https://ma.ttias.be/certifica...

What else can you stuff in a certificate chain?

I recently learned that quite a few (old) root certificates are going to expire, and many websites still send those along in the TLS handshake.

https://ma.ttias.be/certificate-chain-stuffing/#what-can-you-do-with-this

Latest Threads Unrolled: