Hello, welcome to the Wednesday, March 4, 2020 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich. And today I'm recording from Jacksonville, Florida.

In diaries today, we have a guest diary by Ahmed, and he's going over one of Eric Zimmerman's tool

Event Explorer. Real nice tool to work your way through Windows Event Logs,

essentially a parser for it, and then Ahmed shows you a little bit how to use this with a couple of quick examples.

I think it was just yesterday that I mentioned that Let's Incript had issued a billion different

certificates to date. Well, sadly, Let's Incript has to revoke a few million of them now due to

a buck and how it checked for the CAA, the Certific Authority authorization record in DNS.

First of all, what is the CAA record?

I don't really see it used a lot, but it's kind of interesting.

With a CAA record in D&S, you can indicate which certificate authorities are authorized to issue certificates

for your domain. And certificate authorities have to check that record. If it's not present,

no big deal. All certificate authorities will be able to give you a certificate. If it is present,

then only set of authorities listed in the record are able to give you a certificate. If it is present, then only set of authorities listed

in the record are able to issue certificates. So if all of your certificates come from Komodo,

you could add Komodo to give your CIA record and then Let's Encrypt would refuse to issue

certificates. This kind of prevents an attacker to go to a different certificate authority.

You have to go to set of authority shopping until they find one that validates their certificate.

Now, the mistake that Let's Encrypt made was whenever they verified that you own the domain,

they also verified that Let's Encrypt

was allowed to issue the certificate based on the CIA record. But the mistake Let's Encrypt made is

they didn't check again when they actually issued the certificate later. And according to the standard,

...