
I'm confused. Aren't S3 buckets secured by pre-existing wildcard certs?


Ignore any direct connection between S3 buckets themselves and particular certificates, and just think of the stream of domain names you get from CT as the seed for a dictionary to grind against S3.


But why do we get those domain names if there (supposedly) is an existing wildcard certificate?


To put the S3 bucket under another domain. Such as static.example.com instead of abcdef01123451523245.s3.amazon.com (or whatever it is).


The code takes the CT hostname and tries to access a bunch of different buckets that might exist related to that hostname. So if you get a cert for foo.example.com it will ask S3 if foo.example.com.s3.amazonaws.com and www-foo.example.com.s3.amazonaws.com exist.
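The derivation the last comment describes, written out as an added example for a domain owner auditing their own names (this is not the tool discussed in the thread): take each hostname as it appears in a CT log, normalise it, and list the bucket names a grinder would try, so you can confirm each one is either yours or does not exist. The `www-` prefix list, the simplified S3 naming rules, and the sample hostnames are assumptions constructed for the example; nothing here makes a network call.

```python
import re

# Simplified S3 bucket naming rules (assumption, from public AWS docs): 3 to 63 characters,
# lowercase letters, digits, dots and hyphens, starting and ending with a letter or digit.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# Name variants the thread mentions ("foo.example.com" and "www-foo.example.com").
# Constructed stand-in for whatever list the original tool uses.
PREFIXES = ("", "www-")


def normalise_ct_hostname(hostname: str) -> str:
    """Turn a CT log hostname into the base string a bucket grinder would seed from."""
    host = hostname.strip().lower().rstrip(".")
    if host.startswith("*."):  # wildcard certs: the "*" label carries no usable name
        host = host[2:]
    return host


def is_valid_bucket_name(name: str) -> bool:
    """True if S3 would accept this as a bucket name (simplified rules, see above)."""
    if ".." in name or re.fullmatch(r"\d+\.\d+\.\d+\.\d+", name):
        return False  # S3 rejects adjacent dots and IP-address-shaped names
    return BUCKET_NAME_RE.fullmatch(name) is not None


def candidate_bucket_names(hostname: str) -> list[str]:
    """Bucket names derived from one CT hostname, keeping only names S3 could host."""
    base = normalise_ct_hostname(hostname)
    return [p + base for p in PREFIXES if is_valid_bucket_name(p + base)]


def bucket_hostname(name: str) -> str:
    """Virtual-hosted-style S3 hostname for a bucket name, as in the thread."""
    return f"{name}.s3.amazonaws.com"


def audit_hostnames(hostnames: list[str]) -> dict[str, list[str]]:
    """Map each of your own CT hostnames to the S3 hostnames a grinder would probe."""
    return {h: [bucket_hostname(n) for n in candidate_bucket_names(h)] for h in hostnames}


if __name__ == "__main__":
    # Constructed sample: hostnames as they might appear in a CT log for one domain.
    sample = ["foo.example.com", "*.Example.COM.", "a_b.example.com"]
    for host, probes in audit_hostnames(sample).items():
        print(host, "->", probes or "(no valid bucket name derivable)")
```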



