Validated CloudFront SSL Domains

Vincent Yiu
Mar 11, 2018 · 2 min read

My blog has moved: https://vincentyiu.co.uk

You may have heard of Domain Fronting, and some of the work that I’ve previously done. https://www.mdsec.co.uk/2017/02/domain-fronting-via-cloudfront-alternate-domains/ or https://medium.com/@vysec.private/domain-fronting-via-cloudfront-alternate-domains-f28b0675e500

Then https://www.peew.pw/blog/2018/2/22/how-i-identified-93k-domain-frontable-cloudfront-domains came along and showed us how to find 93k frontable CloudFront domains. I mentioned to him that not all are validated as they can have invalid certificates.

The benefit of using Domain Fronting is that, as far as the proxy on the victim's side is concerned, you are performing the SSL exchange with the legitimate server you are using as a front. Fantastic.
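Seen from the defender's side, the same mismatch is what gives fronting away: a TLS-inspecting proxy that logs both the SNI from the ClientHello and the Host header it decrypts can simply compare the two. The following is an added example and not code from the original post; the log format, the sample lines and the distribution names are constructed, and the eTLD+1 helper is deliberately crude.

```python
import re

# Constructed proxy log lines (not real traffic). Each records the SNI from
# the TLS ClientHello and the Host header seen after decryption.
SAMPLE_LOG = """\
2018-03-11T10:00:01Z sni=static.example-shop.com host=static.example-shop.com status=200
2018-03-11T10:00:02Z sni=example.com host=www.example.com status=301
2018-03-11T10:00:03Z sni=static.example-shop.com host=d111111abcdef8.cloudfront.net status=200
2018-03-11T10:00:04Z sni=assets.example.org host=assets.example.org status=304
2018-03-11T10:00:05Z sni=cdn.example-news.com host=d222222abcdef8.cloudfront.net:443 status=200
this line is malformed and must be skipped, not crash the sweep
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+) status=(?P<status>\d+)$")

def registered_domain(name):
    """Crude eTLD+1 (last two labels). Fine for *.cloudfront.net; a real
    deployment should use the Public Suffix List so foo.co.uk works too."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(sni, host):
    """None for a consistent session, otherwise a label for the mismatch."""
    sni = sni.lower()
    host = host.lower().split(":")[0]  # drop an explicit port
    if sni == host or registered_domain(sni) == registered_domain(host):
        return None  # apex/www differences within one site are routine
    if host.endswith(".cloudfront.net"):
        return "cloudfront-front"  # Host picks a distribution the SNI never named
    return "host-sni-mismatch"

def find_fronting(log_text):
    """Return (ts, sni, host, label) for every flagged session in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        label = classify(rec["sni"], rec["host"])
        if label:
            hits.append((rec["ts"], rec["sni"].lower(),
                         rec["host"].lower().split(":")[0], label))
    return hits

if __name__ == "__main__":
    for ts, sni, host, label in find_fronting(SAMPLE_LOG):
        print("%s %s sni=%s host=%s" % (ts, label, sni, host))
```

Only a proxy that terminates TLS sees the Host header; a passive sensor gets the SNI alone, which is exactly why the technique works against it.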

I’ve kept this private for a long time now, and since someone else has already shown us how to find these domains, I’ve decided to release my list that has been false positive checked with all of the invalid SSL certificate domains removed.

The following script (Python 2) was used to check for SSL issues and that the domain front was in fact working:

import ssl, socket, requests, urllib2, sys

hostname = sys.argv[1]
bValid = False
bFrontSSL = False

# Step 1: does the candidate domain present a certificate that validates
# for its own name? create_default_context() verifies the chain and hostname.
try:
    ctx = ssl.create_default_context()
    s = ctx.wrap_socket(socket.socket(), server_hostname=hostname)
    s.connect((hostname, 443))
    cert = s.getpeercert()
    subject = dict(x[0] for x in cert['subject'])
    issued_to = subject['commonName']
    issuer = dict(x[0] for x in cert['issuer'])
    issued_by = issuer['commonName']

    bValid = True
except:
    bValid = False
#print bValid

# Step 2: does a request to the candidate with our own distribution in the
# Host header reach it? rare.txt on that distribution contains the marker ABC123.
try:
    txheaders = {"User-Agent": "Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0", "Host": "yourinstance.cloudfront.net"}
    url = "https://%s/rare.txt" % sys.argv[1]
    request = urllib2.Request(url, headers=txheaders)
    response = urllib2.urlopen(request).read()
    if "ABC123" in response:
        bFrontSSL = True
    else:
        bFrontSSL = False
except:
    bFrontSSL = False

if bFrontSSL:
    print "[!] SSL Front: %s" % sys.argv[1]

After hosting rare.txt on my CloudFront instance, using the above script, all I had to do was perform the following parallel command to ensure swift checking:

cat fronts.txt | parallel -j 32 "python sslfront.py {} | tee -a output.txt"

Soon, output.txt would be filled with legitimate fronts holding valid certificates, which would then be used to encrypt our traffic.

There wasn’t much point in keeping this private any longer as the same domains were already out there.
