In-brief: Carnegie Mellon’s CERT issued a warning that many certificate authorities continue to issue domain certificates with no more proof than the right e-mail address. Updated to include comment from GlobalSign. Paul 3/27/2015
Hardly a day goes by without some kind of “gives you shivers” story about the crucial and brittle system we rely on for proving identity online. The latest comes by way of Carnegie Mellon’s CERT, which issued a Vulnerability Note on Friday gently reminding the world that many leading certificate authorities still issue SSL certificates for web domains on little more proof of ownership than control of an e-mail address.
The note warns that “Multiple SSL certificate authorities may issue certificates to a customer based solely on the control of certain email addresses. This may allow an attacker to obtain a valid SSL certificate to perform HTTPS spoofing without generating a warning in the client software.”
At issue is the role of certificate authorities as trust brokers online. A user who connects to a web site over SSL or TLS assumes that the certificate the server presents was issued under a root certificate authority (CA) that the browser trusts. The basis of that trust is the belief that the CA has verified the identity of the domain owner it is vouching for.
Domains (such as Security Ledger) that use Extended Validation (EV) certificates provide a number of documents as proof of their identity before receiving their certificate. However, root CAs and web browsers also recognize “domain-authenticated” (or similarly named) SSL certificates, which CERT notes can be issued with “minimal proof of domain ownership.” By “minimal proof,” CERT means the ability to receive mail at an address in the domain in question. Certain addresses, such as “hostmaster@[domain],” are defined as role mailboxes in RFC 2142; others that CAs commonly accept include “admin,” “administrator,” “webmaster,” and “postmaster.” But CERT has observed that some root CAs extend that list even further, to include “ssladministrator” and other accounts.
CERT said it did not know of a “comprehensive list of email addresses accepted for domain-authenticated SSL certificates,” and noted that some SSL resellers, such as BuyHTTP, list additional addresses that can be used to authenticate a certificate purchase.
Web browsers use visual cues to flag EV certificates, but they make no distinction between domain-authenticated certificates and certificates obtained through fuller validation of the organization behind the domain, CERT notes.
The security implications are obvious, CERT notes. “Domains of sites that are used for email purposes are at increased risk. If a user can register the email address of any one of the available addresses accepted by a single root CA for the purpose of domain-authenticated SSL certificates, then that user may be able to purchase a valid SSL certificate for that domain.”
An attacker who can obtain a certificate for a domain that somebody else owns can then spoof HTTPS sites and intercept HTTPS traffic without triggering certificate warnings in the browser.
The problem isn’t uncommon. Among the affected certificate authorities listed in CERT’s vulnerability alert are household names including COMODO Security Solutions, Inc., Entrust, GeoTrust, GlobalSign and GoDaddy.
For now, CERT advises sites that provide email accounts to users to restrict the ability to create accounts at addresses that root CAs trust for domain validation. Among the mailbox names that should be restricted are admin, administrator, webmaster, hostmaster, postmaster, root, ssladmin, info, is, it, mis, ssladministrator, and sslwebmaster.
Alas, there’s no easy fix for the problem, short of wholesale policy changes in the domain certificate authority space.
Doug Beattie, Vice President of Product Management at GlobalSign (and holder of the patent for the domain control system), noted that the problem isn’t limited to domain-validated certificates: Extended Validation certificates reference the same set of criteria for associating domains with domain owners.
But Beattie, who represents GlobalSign on the CA/Browser Forum, said the issue has not come up among members there.
Accounts that use one of the email prefixes recognized for domain verification should be disabled. But CERT cautions that the above list isn’t exhaustive. “There may be at least one root CA that supports at least one additional email address as proof of domain ownership,” the alert warns.
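One way to act on CERT’s advice (the restricted-name list above and the caveat that it is not exhaustive), as an added example that is not from CERT, Security Ledger or any certificate authority: a registration filter plus an audit of already-provisioned accounts. It refuses the mailbox names CERT lists together with the RFC 2142 role mailboxes, canonicalises a requested name the way a mail system would route it, and takes an extra deny set so operators can add names as further CAs turn up. The mail-system behaviours it models (case folding, plus-subaddressing, dot-insignificance) and the sample account list are assumptions constructed for the example; set them to match your own provider.

```python
"""Refuse or flag mailbox names that CAs accept as proof of domain control.

Added example; not code from CERT, Security Ledger or any CA.
"""
from __future__ import annotations

import re

# Mailbox names CERT's note says e-mail providers should not hand out to users.
CERT_RESERVED = frozenset({
    "admin", "administrator", "webmaster", "hostmaster", "postmaster", "root",
    "ssladmin", "info", "is", "it", "mis", "ssladministrator", "sslwebmaster",
})

# Role mailboxes defined in RFC 2142 (the document CERT cites for hostmaster@).
# Several overlap with CERT's list; the union is what a registration form sees.
RFC2142_ROLES = frozenset({
    "abuse", "noc", "security", "postmaster", "hostmaster", "usenet", "news",
    "webmaster", "www", "uucp", "ftp", "info", "marketing", "sales", "support",
})

DEFAULT_RESERVED = CERT_RESERVED | RFC2142_ROLES

# Unquoted local-part characters from RFC 5322, after lower-casing.
_LOCAL_PART = re.compile(r"^[a-z0-9!#$%&'*+/=?^_`{|}~.-]+$")


def normalize_local(local: str, *, collapse_dots: bool = False,
                    strip_subaddress: bool = True) -> str:
    """Canonicalise a requested mailbox name the way the MTA will route it.

    - Mailbox names are matched case-insensitively by common MTAs (assumption),
      so "Admin" is compared as "admin".
    - With plus-subaddressing, mail for "admin+x" is delivered to "admin", so a
      request for "admin+x" is treated as a request for "admin" (conservative).
    - If the provider treats dots as insignificant (Gmail-style; an assumption
      set per deployment), "ad.min" receives mail for "admin" and must be caught.
    """
    s = local.strip().lower()
    if strip_subaddress:
        s = s.split("+", 1)[0]
    if collapse_dots:
        s = s.replace(".", "")
    return s


def is_registrable(local: str, reserved=DEFAULT_RESERVED, extra=(),
                   **norm) -> tuple[bool, str]:
    """Decide whether a self-service signup may claim this mailbox name.

    `extra` is the operator-maintained deny set: CERT warns that no complete
    list of CA-accepted addresses exists, so the list must be extendable.
    """
    canon = normalize_local(local, **norm)
    if not canon or not _LOCAL_PART.match(canon):
        return False, "invalid local part"
    if canon in (set(reserved) | set(extra)):
        return False, (f"'{canon}' is a role mailbox that a CA may accept "
                       "as proof of domain control")
    return True, "ok"


def audit_existing(accounts, reserved=DEFAULT_RESERVED, **norm) -> dict[str, str]:
    """Map already-provisioned accounts that collide with a reserved name to
    their canonical form, so they can be disabled or moved to an administrator."""
    hits = {}
    for acct in accounts:
        canon = normalize_local(acct, **norm)
        if canon in reserved:
            hits[acct] = canon
    return hits


if __name__ == "__main__":
    # Constructed sample account list for a fictional mail provider.
    existing = ["Alice", "POSTMASTER", "it", "bob.smith", "web.master+old"]
    for acct, canon in audit_existing(existing, collapse_dots=True).items():
        print(f"disable or reassign: {acct!r} (routes as {canon!r})")
    for req in ["carol", "Admin", "ssl", "ad.min"]:
        ok, why = is_registrable(req, extra={"ssl"}, collapse_dots=True)
        print(f"{req!r}: {'allowed' if ok else 'refused: ' + why}")
```

The `extra` set is the important knob: the reserved list is a floor, not a ceiling, and a provider that learns of another accepted address (from a CA, a reseller page, or a validation e-mail that reached an ordinary user) adds it there without touching the code.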