Last week, Betanews reported on the discovery by two university researchers, made at a recent security conference, that security companies often deal with governments that can compel certificate authorities to produce SSL security keys for them. Those keys can then be used to sign certificates as any other Web site, enabling a law enforcement authority -- hypothetically speaking, of course -- to spoof virtually any other site.
Today, Betanews heard from world-renowned security expert Kurt Seifried, author of numerous books on Linux system administration, network security, and cryptography. In the May 2010 issue of Linux Magazine, Seifried reports on his own discovery, which goes one very critical step further: You don't need to be a government, he found, to compel a certificate authority (CA) to issue an SSL certificate for a major Web mail service of your choice. You just need a valid credit card.
"Brief summary: One way to get certificates for domains you don't own: 1) Find a free Web mail provider. 2) Register an account such as ssladmin. 3) Go to RapidSSL.com and buy a certificate. When given the choice of what e-mail address to use, simply select ssladmin. 4) Go through certificate registration process (this takes about 20 minutes). 5) You will now have a secure Web certificate for that Web mail provider," Seifried told Betanews this afternoon.
In his Linux Magazine article, Seifried lists several other permutations of generic-sounding e-mail account names that may be given to the guy in charge of administration, including the obvious postmaster, administrator, and root. In his own tests, Seifried says, it usually took only a half-hour to acquire a perfectly valid certificate for a major Web mail service.
"The industry-accepted standard for confirming someone is who they say they are and that they control a domain is that 'the CA takes reasonable measures to verify,' which is very ambiguous at best and meaningless at worst," reads Seifried's article. "One CA proposed that customers could fax a signed letter on company letterhead as proof that they controlled a domain (Have they not heard of word processors and image editing programs? Or online fax services?). CAs want to sell as many certificates for as little money as they can; if this puts users at risk but doesn't cost the CA anything, then there is no incentive to fix things."
We asked Seifried, what can the general user do to protect himself against a possible authoritative spoof using a false certificate? We didn't like the sound of his answer: "Nothing. User education hasn't worked and won't work... The only reason I know the difference is I investigated this a while back; I've been writing about how broken SSL is off and on for a decade now."
Seifried credits Mozilla Firefox for at least giving the user good visual clues as to the validity of a signed certificate -- for instance, using the color-coded bars next to the HTTPS: address in the upper bar. But ask everyday folks what those colors mean, he said, and they wouldn't be able to tell you. Are there further steps Mozilla, or any other browser maker, could take to make "Trust" more meaningful to the user, and less likely to be something else for him to ignore? "Well there would be one possibility, but it'll never happen, and that would be to boot out all the CAs that don't do a good job verifying domains/etc. and only have root CAs that do a good job," Seifried responded.
"Basically right now, when a CA checks 'ownership' of a domain, it checks one e-mail address, which is trivial to bypass especially with, say, a free Web mail provider," he continued. "If it were to add more checks -- i.e., the CA generates a random string (say an MD5 sum) and requires you to place 8987a978d987e987c978.html or whatever in your webroot at www.yourdomain.com to prove you have control over the Web server as well; and maybe a DNS check, like requiring you to create a DNS record of iugasdcviuoba.yourdomain.com to prove that you have control over the DNS -- that would greatly help, because in that case, you either are a legit domain owner, or the attacker has such a degree of control over your domain that any checks won't matter. The funny thing is, Google used to do this for some of its services like Google Analytics. Also making the e-mail check more stringent -- i.e., only e-mail_address@the domain listed in WHOIS, or well-known and typically controlled e-mail address such as postmaster@, would also help greatly.
"But then buying a certificate would take time and the verification process would fail more often (waiting for DNS propagation/etc.), so it's very unlikely to happen. Once you get a certificate in the root CA store, you basically have a license to print money."
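The stricter validation Seifried describes (a random file in the webroot, a random DNS record, and a tighter e-mail rule) can be sketched from the CA's side as follows. This is an added example, not code from Seifried or any CA. It assumes the DNS check uses a TXT record carrying the token, since a wildcard record would satisfy a bare existence check. The `http_get` and `dns_txt` lookups are hypothetical injected helpers, and all domains and addresses are constructed.

```python
import secrets

# Assumption: only postmaster@ is accepted besides the WHOIS contact, following
# the quote above; generic names like ssladmin@ are no longer enough.
STRICT_LOCAL_PARTS = {"postmaster"}

def new_challenge():
    """Unguessable file name, DNS label and token value for one request."""
    return {"file": secrets.token_hex(16) + ".html",
            "label": secrets.token_hex(8),
            "body": secrets.token_hex(16)}

def email_allowed(address, domain, whois_contact):
    """Accept the WHOIS contact, or postmaster@ the requested domain."""
    address = address.lower()
    local, _, addr_domain = address.partition("@")
    if address == whois_contact.lower():
        return True
    return addr_domain == domain.lower() and local in STRICT_LOCAL_PARTS

def validate(domain, approver, whois_contact, ch, http_get, dns_txt):
    """Run all three checks; 'issue' is True only if every one passes.

    http_get(url) -> body or None and dns_txt(name) -> list or None are
    injected (hypothetical helpers) so the example runs offline.
    """
    url = "http://www.%s/%s" % (domain, ch["file"])
    name = "%s.%s" % (ch["label"], domain)
    results = {"email": email_allowed(approver, domain, whois_contact),
               "http": http_get(url) == ch["body"],
               "dns": ch["body"] in (dns_txt(name) or [])}
    results["issue"] = all(results.values())
    return results

def demo():
    """Constructed data: webmail.example is a made-up free webmail provider."""
    ch = new_challenge()
    whois = "hostmaster@webmail-corp.example"
    web = {"http://www.webmail.example/" + ch["file"]: ch["body"]}
    zone = {ch["label"] + ".webmail.example": [ch["body"]]}
    # The real owner can publish the token on the web server and in DNS.
    owner = validate("webmail.example", whois, whois, ch, web.get, zone.get)
    # A mailbox holder controls neither the webroot nor the zone.
    mailbox = validate("webmail.example", "ssladmin@webmail.example", whois,
                       ch, lambda url: None, lambda name: None)
    return owner, mailbox

if __name__ == "__main__":
    for label, result in zip(("owner", "mailbox holder"), demo()):
        print(label, result)
```

Even a requester holding postmaster@ on the domain passes only the e-mail check here; issuance still requires the web and DNS proofs.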