Leveraging Certificate Transparency to Mitigate Downgrade Attacks

Abstract:

Despite the widespread adoption of TLS to secure many protocols such as the web, DNS, and email, downgrade attacks remain a significant vulnerability—particularly when clients opportunistically fall back to unencrypted communication. To address this, we propose leveraging Certificate Transparency (CT) as a verifiable source of truth regarding a server’s security capabilities. Specifically, we introduce a custom X.509 certificate extension that explicitly declares a server’s supported protocols, ports, and TLS versions. This information enables clients to detect downgrade attacks. To assess the feasibility of our approach, we conducted a measurement study of DNS-over-TLS, DNS-over-HTTPS, and SMTP servers. Our results show that the vast majority of certificates are already logged in CT logs. Building on this, we propose a CT oracle that aggregates data from all CT logs to provide a reliable and comprehensive view of certificates.

Bio:

Taekyoung (Ted) Kwon is a professor with the Department of Computer Science and Engineering, Seoul National University (SNU) since 2004. Before joining SNU, he was a Postdoctoral Research Associate at University of California Los Angeles and City University New York. He obtained BS, MS and PhD at SNU in 1993, 1995, 2000, respectively. During his graduate program, he was a visiting student at IBM T. J. Watson Research Center in 1998 and at University of North Texas in 1999, respectively. He was a visiting professor at Rutgers University in 2010 and at University of Florida in 2017. His research interest lies in Internet architecture, network security, online privacy, and trustworthy Internet.