Disclosing the private key in this blog post was extremely irresponsible. Although the certificate has been revoked, revocation basically doesn't work[1], so for practical purposes this key will usable for MitM until it expires on Mar 19, 2016. Hopefully browser vendors will push out updates that explicitly blacklist it (Chrome is pretty proactive about this, not sure about other browsers), but that won't help non-browser clients or users running out-of-date browsers.
If you ever do this, please, please destroy the private key immediately. There are other ways to prove you had possession of it, such as by signing something with it.
Btw, is there any reason why CRLs are not widely published via DNS (https://tools.ietf.org/html/rfc4398)? It would lower the costs associated with distribution of CRLs...
Personally, I am for an overridable hard-fail option for OCSP, which should not be the default for now. What I want is an actual interstitial with an override option, because it will show before the HTTP request is sent.
It's more like the way domain ownership is validated is awful. If the only way to validate domain ownership was to ask the domain owner to create a TXT entry, with both the entry name and its contents being nonces chosen by the certificate authority, it would be much harder to do these attacks (one would have to be able to MITM between the certificate authority and the domain's DNS servers, or compromise the DNS servers).
I strongly disagree. We need to move towards using TLS everywhere and part of doing that is making it easy for everyone to get a cert. You can validate domain control through DNS / whois records instead of the standard group of admin email address.
The linked post talks of phone verification, but we know GSM networks don't use strong cryptography and stationary phones aren't better secured either. Do you perform any additional verification? I'd want to see use of government issued personal certs for this purpose, surprised even that this isn't commonplace.
Of all the CAs my browser trusts, any single one of them can compromise the entire web by fucking up and issuing bad certificates.
I have no say in which CAs I "trust", since my list has to match the list that site owners pick from. Site owners have no benefit from picking better CAs on the list over worse CAs also on the list, because my browser trusts them the same.
How could anyone think this is a good system!?
[Edit: and yeah, things like cert pinning can mitigate the damage a bit. That's not enough to make a bad idea suddenly a good idea, and it only took approximately forever to start being implemented.]
The idea, as far as there is one, is that if a CA does fuck up for real, then they get revoked and are out of business. But the Comodo "let's trust resellers to validate" didn't have any impact (and I get 2-8 calls s week from em often).
Browsers might consider showing the country of the registrar, in the UI. So if I ever connect to a Canadian or US domain, and the registrar is some totally unrelated country, I could be alarmed. OTOH this might just end up confusing people even more.
If users had and at least some exercised control over trusted CAs, at least to the extent of disabling if not adding, then site owners should have an incentive to choose better CAs, since worse CAs would be disabled by security-conscious users.
When another Dutch ISP launched in 1998, I was able to register the root@ email address and a friend of mine got info@. It took them over one year to figure out that they might want to take those away from us.
Surprising to hear that this is still possible all those years later, especially with an ISP like xs4all.nl. Those guys always had a good reputation, security-wise. I see they still have the tradition that you get an apple pie for responsible disclosure (https://www.xs4all.nl/over-xs4all/beleid/responsibledisclosu...). So bon appetit!
CRLSet 2140 contains a public-key block for this. If you're on desktop Chrome you can go to chrome://components and check for a CRLSet update manually. If you're testing it, note that Chrome caches certificate validity results for a while so you might need to restart Chrome to see the effect.
Is there any way to discover a list of SSL certs that have been issued for a domain?
The problem here is, once someone has shown that they could receive emails for administrator@yourdomainname, you have no idea how many SSL certificates they bought, and from which CAs.
Even if they publish a blog post about it and show you a certificate, surely your domain is now compromised? You can revoke that certificate, but how do you know that was the only one they obtained?
From this point on, all you know is that your domain name is potentially compromised and there's nothing you can do to fix it...
Imo the problem is of the issuer. They only opens holes by doing this kind of things. Imagine if you already secured the [email protected] and tomorrow the issuer thinks that [email protected] could be used for validation. Now what, you should keep up with their updates every hour?
This is why self-signed certificates are more secure than CA-signed certificates. When you expand the trust model to include three parties rather than two, it gets much more complex and vulnerable.
If I see a self-signed certificate from CitiBank, I know that the counterparty claims to be CitiBank. That's all I know. When I receive a Verisign-signed certificate from CitiBank, I know a party claiming to be Verisign claims that the counterparty is CitiBank. That doesn't realistically help me much.
Many email systems don't exactly support unicode usernames in the first place, and provisioning systems will just send to administrator@ ([a-z]). It's not "enter your own email", you just get to pick from a variety of emails to provision a cert like admin@, ssladmin@, postmaster@, and the whois email.
there's no reason having a cert should prevent you from registering another one, afaik. There are plenty of reasons you might legitimately want to do that, and running the certpatrol firefox extension shows that lots of sites change cert (and even issuer CA) fairly regularly.
I think it's Old Webmaster Lore that there exist roughly ten email addresses which are Widely Considered To Be Special. abuse@, postmaster@, and administrator@ are three of them.
There exist a lot of systems in the world which rely on this being true, irrespective of whether it is in fact true.
Email is an incredibly common method for domain validated certificates. The other common options are a TXT/CNAME record or uploading a specific file to a certain URL.
The requirements for domain validation are:
11.1.1 Authorization by Domain Name Registrant
For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL confirm that, as of the date the
Certificate was issued, the Applicant (or the Applicant’s Parent Company, Subsidiary Company, or Affiliate,
collectively referred to as “Applicant” for the purposes of this section) either is the Domain Name Registrant or has
control over the FQDN by:
1. Confirming the Applicant as the Domain Name Registrant directly with the Domain Name Registrar;
2. Communicating directly with the Domain Name Registrant using an address, email, or telephone number
provided by the Domain Name Registrar;
3. Communicating directly with the Domain Name Registrant using the contact information listed in the
WHOIS record’s “registrant”, “technical”, or “administrative” field;
4. Communicating with the Domain’s administrator using an email address created by pre-pending ‘admin’,
‘administrator’, ‘webmaster’, ‘hostmaster’, or ‘postmaster’ in the local part, followed by the at-sign (“@”),
followed by the Domain Name, which may be formed by pruning zero or more components from the
requested FQDN;
5. Relying upon a Domain Authorization Document;
6. Having the Applicant demonstrate practical control over the FQDN by making an agreed-upon change to
information found on an online Web page identified by a uniform resource identifier containing the FQDN;
or
7. Using any other method of confirmation, provided that the CA maintains documented evidence that the
method of confirmation establishes that the Applicant is the Domain Name Registrant or has control over
the FQDN to at least the same level of assurance as those methods previously described.
Proving ownership by sending email to the contacts in the WHOIS record is the _only_ way I've seen for the cheapest certificates. What other ways are you thinking of, and can you point to any CAs that do them (for their cheapest certificates)?
[+] [-] agwa|11 years ago|reply
If you ever do this, please, please destroy the private key immediately. There are other ways to prove you had possession of it, such as by signing something with it.
[1] https://www.imperialviolet.org/2014/04/29/revocationagain.ht...
[+] [-] mdewinter|11 years ago|reply
[+] [-] excel2flow|11 years ago|reply
[+] [-] yuhong|11 years ago|reply
[+] [-] ivanr|11 years ago|reply
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] nailer|11 years ago|reply
Domain validated SSL was always a bad idea. Disclaimer: I sell EV SSL validation.
[+] [-] cesarb|11 years ago|reply
It's more like the way domain ownership is validated is awful. If the only way to validate domain ownership was to ask the domain owner to create a TXT entry, with both the entry name and its contents being nonces chosen by the certificate authority, it would be much harder to do these attacks (one would have to be able to MITM between the certificate authority and the domain's DNS servers, or compromise the DNS servers).
[+] [-] driverdan|11 years ago|reply
I strongly disagree. We need to move towards using TLS everywhere and part of doing that is making it easy for everyone to get a cert. You can validate domain control through DNS / whois records instead of the standard group of admin email address.
[+] [-] mukyu|11 years ago|reply
[1] http://arstechnica.com/security/2015/03/bogus-ssl-certificat...
[+] [-] RaleyField|11 years ago|reply
The linked post talks of phone verification, but we know GSM networks don't use strong cryptography and stationary phones aren't better secured either. Do you perform any additional verification? I'd want to see use of government issued personal certs for this purpose, surprised even that this isn't commonplace.
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] tbrownaw|11 years ago|reply
I have no say in which CAs I "trust", since my list has to match the list that site owners pick from. Site owners have no benefit from picking better CAs on the list over worse CAs also on the list, because my browser trusts them the same.
How could anyone think this is a good system!?
[Edit: and yeah, things like cert pinning can mitigate the damage a bit. That's not enough to make a bad idea suddenly a good idea, and it only took approximately forever to start being implemented.]
[+] [-] MichaelGG|11 years ago|reply
Browsers might consider showing the country of the registrar, in the UI. So if I ever connect to a Canadian or US domain, and the registrar is some totally unrelated country, I could be alarmed. OTOH this might just end up confusing people even more.
[+] [-] dragonwriter|11 years ago|reply
[+] [-] rgj|11 years ago|reply
Surprising to hear that this is still possible all those years later, especially with an ISP like xs4all.nl. Those guys always had a good reputation, security-wise. I see they still have the tradition that you get an apple pie for responsible disclosure (https://www.xs4all.nl/over-xs4all/beleid/responsibledisclosu...). So bon appetit!
[+] [-] jacquesm|11 years ago|reply
[+] [-] agl|11 years ago|reply
[+] [-] agl|11 years ago|reply
[+] [-] joosters|11 years ago|reply
The problem here is, once someone has shown that they could receive emails for administrator@yourdomainname, you have no idea how many SSL certificates they bought, and from which CAs.
Even if they publish a blog post about it and show you a certificate, surely your domain is now compromised? You can revoke that certificate, but how do you know that was the only one they obtained?
From this point on, all you know is that your domain name is potentially compromised and there's nothing you can do to fix it...
[+] [-] ivanr|11 years ago|reply
[1] http://www.certificate-transparency.org/
[+] [-] vbezhenar|11 years ago|reply
[+] [-] hackhat|11 years ago|reply
[+] [-] est|11 years ago|reply
Hell even something as broken as DNS has one and only one place to find each domain's authoritative SOA record
[+] [-] bandrami|11 years ago|reply
If I see a self-signed certificate from CitiBank, I know that the counterparty claims to be CitiBank. That's all I know. When I receive a Verisign-signed certificate from CitiBank, I know a party claiming to be Verisign claims that the counterparty is CitiBank. That doesn't realistically help me much.
[+] [-] lucio|11 years ago|reply
[+] [-] dylz|11 years ago|reply
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] mdewinter|11 years ago|reply
[+] [-] yuhong|11 years ago|reply
[+] [-] witty_username|11 years ago|reply
[+] [-] shabble|11 years ago|reply
[+] [-] smt88|11 years ago|reply
Even from the early days of email, it has never been the case that a majority of a domain's email addresses were assigned to owners of the entity.
That is just absolutely insane.
[+] [-] patio11|11 years ago|reply
There exist a lot of systems in the world which rely on this being true, irrespective of whether it is in fact true.
[+] [-] mukyu|11 years ago|reply
The requirements for domain validation are:
11.1.1 Authorization by Domain Name Registrant For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL confirm that, as of the date the
Certificate was issued, the Applicant (or the Applicant’s Parent Company, Subsidiary Company, or Affiliate, collectively referred to as “Applicant” for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN by:
1. Confirming the Applicant as the Domain Name Registrant directly with the Domain Name Registrar;
2. Communicating directly with the Domain Name Registrant using an address, email, or telephone number provided by the Domain Name Registrar;
3. Communicating directly with the Domain Name Registrant using the contact information listed in the WHOIS record’s “registrant”, “technical”, or “administrative” field;
4. Communicating with the Domain’s administrator using an email address created by pre-pending ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’, or ‘postmaster’ in the local part, followed by the at-sign (“@”), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN;
5. Relying upon a Domain Authorization Document;
6. Having the Applicant demonstrate practical control over the FQDN by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the FQDN; or
7. Using any other method of confirmation, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant is the Domain Name Registrant or has control over the FQDN to at least the same level of assurance as those methods previously described.
Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.2.3 https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] justinsb|11 years ago|reply