CHAPTER 10: Certificate Transparency and Internet Archives

In this chapter, we are going to focus on two main topics: Certificate Transparency and Internet archives (e.g., the Wayback Machine and search engine caches). We will look at how each of them can be used to further an investigation into a site's owner, whether by combining them with WHOIS data or by letting us view and reference older copies of a site.

Certificate Transparency

Certificate Transparency (CT) is a Google-led, open-source effort to provide auditing and monitoring of TLS/SSL server certificates issued by Certificate Authorities (CAs). The general idea behind CT is to mitigate the threat of malicious hackers impersonating a website (i.e., man-in-the-middle [MITM] or phishing attacks) by using stolen or forged SSL certificates.

Prior to Certificate Transparency, whenever a user visited a website presenting a fake SSL certificate, the site appeared “normal” to the web browser, which had no way to determine whether the SSL certificate was legitimately issued (i.e., generated by the correct party).

In one case, a prominent Dutch Certificate Authority (DigiNotar) was compromised, allowing the hackers to use its systems to generate fake SSL certificates. Those certificates were used to impersonate a number of sites, including Gmail and Facebook. Because the phishing sites appeared legitimate, the MITM attacks were successful, allowing the hackers to spy on users and steal their information.
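The defensive value of CT described above is that a domain owner can watch the public logs for certificates naming their hosts and spot one issued by a CA they never used, which is exactly the DigiNotar scenario. The following script is an added example and is not code from the book. It assumes CT search results in the JSON shape that crt.sh returns (fields `id`, `issuer_name`, `common_name`, `name_value`, `not_before`, `not_after`); the entries, the watched hostnames, and the "Example Rogue CA" issuer are all constructed placeholders, not real records.

```python
"""Audit Certificate Transparency results for unexpected issuers.

Added example, not the book's code. Sample data is constructed and only
shaped like a crt.sh JSON response; the field names are an assumption.
"""
import json

# Constructed CT search results for example.com (not real log entries).
SAMPLE_CT_RESULTS = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2025-02-01T23:59:59"},
    {"id": 3, "issuer_name": "C=XX, O=Example Rogue CA, CN=Example Rogue Issuing CA 1",
     "common_name": "mail.example.com",
     "name_value": "mail.example.com\nlogin.example.com",
     "not_before": "2024-03-05T00:00:00", "not_after": "2025-03-05T23:59:59"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.net",
     "name_value": "example.net\nwww.example.net",
     "not_before": "2024-03-06T00:00:00", "not_after": "2024-06-04T23:59:59"},
])

# Hosts the (hypothetical) domain owner cares about, and the CAs they actually use.
WATCHED_HOSTS = ["example.com", "www.example.com", "login.example.com"]
TRUSTED_ISSUERS = {"Let's Encrypt", "DigiCert Inc"}


def parse_ct_results(raw_json: str) -> list:
    """Parse the response; name_value carries one SAN per line, so merge
    it with the common name into a normalised, de-duplicated name list."""
    entries = json.loads(raw_json)
    for e in entries:
        names = {e.get("common_name", "")} | set(e.get("name_value", "").split("\n"))
        e["names"] = sorted(n.strip().lower() for n in names if n.strip())
    return entries


def name_matches(pattern: str, hostname: str) -> bool:
    """Certificate-style wildcard match: '*.example.com' covers exactly one
    extra label (www.example.com) but not example.com or a.b.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def issuer_org(issuer_name: str) -> str:
    """Extract the O= value from an issuer DN such as 'C=US, O=Let's Encrypt, CN=R3'.
    Escaped commas inside attribute values are not handled; fine for triage."""
    for part in issuer_name.split(", "):
        key, _, value = part.partition("=")
        if key.strip().upper() == "O":
            return value.strip()
    return issuer_name                        # no O= present: report the whole DN


def audit_entries(entries: list, watched_hosts: list, trusted_issuers: set) -> list:
    """Return the certificates that cover a watched host but come from an
    issuer outside the expected set: the rogue-issuance signal CT gives."""
    findings = []
    for e in entries:
        matched = sorted(h for h in watched_hosts
                         if any(name_matches(n, h) for n in e["names"]))
        if not matched:
            continue                          # certificate is for someone else
        org = issuer_org(e["issuer_name"])
        if org not in trusted_issuers:
            findings.append({"id": e["id"], "issuer": org, "hosts": matched,
                             "not_before": e.get("not_before")})
    return findings


if __name__ == "__main__":
    for f in audit_entries(parse_ct_results(SAMPLE_CT_RESULTS), WATCHED_HOSTS, TRUSTED_ISSUERS):
        print(f"unexpected certificate {f['id']} from {f['issuer']} covers {f['hosts']} "
              f"(valid from {f['not_before']})")
```

Run against the constructed data, only entry 3 is reported: it names `login.example.com` yet was issued by an organisation the owner never contracted. The wildcard entry from DigiCert covers the same host but is silent because its issuer is on the trusted list, and the `example.net` certificate is ignored because it names none of the watched hosts. Feeding the real JSON from a CT search into `parse_ct_results` in place of the sample gives the same triage on live data.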
