EFF uncovers further evidence of SSL CA bad behavior

Filed Under: Data loss, Privacy, Vulnerability

In the wake of the Comodo SSL Certificate Authority (CA) having been compromised by an Iranian hacker, the Electronic Frontier Foundation has published more evidence of problems in the SSL signing industry.

While many were critical of Comodo's hard-coding of passwords into public-facing code and of using their root certificate to sign certificates, there is now more evidence of industry-wide lax practices.

Chris Palmer wrote a blog post on Tuesday outlining work the EFF had done analysing the number of certificates, signed by CAs trusted by all of our browsers, that were technically invalid and could be used for fraud.

The particular practice the EFF was looking for was the signing of certificates that did not contain fully-qualified domain names.

For a CA to verify your identity and sign a certificate, the certificate must contain a name that globally identifies only you.

If I try to get a certificate for just plain www, I should be rejected. Yet if I try to purchase one for secure.sophos.com, the CA could verify that I am allowed to represent Sophos, and that certificate would not be valid for any other organization.

So what did the EFF find? That certificate authorities have signed over 37,000 certificates that are not specific to any organization: they contain only a bare hostname. The worst offender was GoDaddy.com.

Each and every one of these could be used by an intruder to impersonate some local server on your intranet.

Wait! It gets worse. 28 Extended Validation certificates were issued in this manner, 10 of which are still valid. What is Extended Validation? Wikipedia states that three specific conditions must be met:

1. Establish the legal identity as well as the operational and physical presence of the website owner.

2. Establish that the applicant is the domain name owner or has exclusive control over the domain name.

3. Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.

Most of the wrongly issued EV certificates were issued by Verisign, including one they signed for themselves.

Verisign certificate issued to themselves for an unqualified host

While I hope that the awareness being raised by the EFF report shakes up the certificate industry, I have a feeling the lack of verification in the way certificates are being issued may just be the beginning of the problems.

While it is nice to see a padlock in your browser, or know that your new Twitter widget is using encryption over the air/wire, it doesn't mean much if certificates are being issued that compromise the entire system.

At the moment little can be done by end users about this problem. As a community we need to continually apply pressure on the industry to make meaningful changes to the process to make the best of the transitive trust model that we currently possess.

One thing companies can do for their internal web assets is to get away from using just hostnames like intranet, webmail and wiki for their web services. Sticking to fully qualified internal domains (webmail.sophos.local) helps mitigate exploitation through these invalidly issued certificates.
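As an added example (not part of the original post or the EFF's tooling), the check below flags the problem the EFF was counting: a certificate whose subject CN or DNS SAN entries contain a bare hostname with no domain part. It works on the dict shape Python's `ssl` module returns from `getpeercert()`, so it can be pointed at your own internal servers to confirm they present fully qualified names; the sample certificate dict is constructed for illustration.

```python
import socket
import ssl

# Extract every DNS name a certificate asserts: the subject commonName plus
# any DNS-type subjectAltName entries, de-duplicated in order of appearance.
# `cert` is the dict returned by ssl.SSLSocket.getpeercert() with verification on.
def cert_dns_names(cert):
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value not in names:
            names.append(value)
    return names

# A name is unqualified when it carries no domain part at all: a bare label
# such as "www", "intranet" or "webmail".  A leading wildcard label is
# stripped first, so "*.example.com" is qualified while "*" alone is not.
# A trailing dot (DNS root) is ignored, so "www." is still unqualified.
def is_unqualified(name):
    label = name.strip().lower().rstrip(".")
    if label.startswith("*."):
        label = label[2:]
    return "." not in label

def audit_cert(cert):
    """Return the unqualified names a certificate would be valid for."""
    return [n for n in cert_dns_names(cert) if is_unqualified(n)]

def audit_remote(host, port=443, timeout=5):
    """Connect to host:port with normal verification and audit the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return audit_cert(tls.getpeercert())

# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "webmail"),)),
    "subjectAltName": (("DNS", "webmail"),
                       ("DNS", "webmail.example.com"),
                       ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    print("unqualified names:", audit_cert(SAMPLE_CERT))  # ['webmail']
```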


One Response to EFF uncovers further evidence of SSL CA bad behavior

  1. Nik · 1109 days ago

    Problem is the security industry has for years been saying "look for the padlock" without explaining that the padlock just indicates you have some protection against interception/MITM. It says very little about the trustworthiness of the other end (for example in UK I could buy a legit limited company, get an EV cert and then set up some fraudulent site).


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.