Easy-to-get Web certs undermine online trust

Despite certificate authorities tightening security and authenticating measures in recent years, there are still weaknesses in the issuance process due to "commercial pressures", says security expert.
Written by Kevin Kwang, Contributor

Get ready a credit card and a free Web mail account that is registered as "ssladmin". Go to a certificate authority (CA), such as VeriSign's RapidSSL. Now, register online for a secure Web certificate for a domain that may not necessarily be owned by the registrant.

This simple process of attaining a legitimate Web security certificate is a security flaw made known and described in detail by security expert, Kurt Seifried, in a March report on blog site Betanews.

It's not a new security concern, either, according to Jeffery Kok, a strategic solutions consultant at RSA, the security division of EMC. In an e-mail interview with ZDNet Asia, he said this is a "well-recognized problem" that security practitioners have known for a "fairly long time".

"The commercial pressures [faced by CAs] led some of these companies to introduce 'domain validated (DV) only' SSL certificates, for which minimal verification is made of the details in the certificate," Kok elaborated.

Another industry player gave further insight into the CA industry. VeriSign's vice president Tim Callan said that, broadly speaking, there are three different types of certificates in the market--extended validation (EV), which has a very high level of authentication; organizationally validated (OV); and DV.

According to Callan, the certificate Seifried mentioned is of the DV variety, which simply requires proof of ownership of selected administrative e-mail aliases for the domain, such as the Web master's alias.

"In [this] respect, DV certificates could be considered the easiest type of certificate to obtain," he added in his e-mail to ZDNet Asia.

Fellow CA, Go Daddy, also chimed in, with its CIO Neil Warner telling ZDNet Asia that there are certain CAs using authentication mechanisms with "known weaknesses" that need to be addressed.

"This particular mechanism of obtaining a certificate via a Web mail provider is one that was exploited a few years back and we're disappointed to see one of our competitors is still vulnerable to this type of attack," he said.

According to Bjorn Vermo, quality assurance lab manager at Opera Software, the issuance of DV certificates does not guarantee anything about the Web site's owner. It merely certifies that the buyer of the certificate has control of the domain, he added.

"Since some CAs are vetting their applicants properly and some are not, it is up to the [browser operators] to decide which CAs they will accept in their rootstore," said Vermo.

Restoring lost trust
It was with this problem in mind that the CA and Web browser community came together to form the voluntary organization, CAB (Certificate Authority/Browser) Forum, to tackle the issue, according to RSA's Kok.

He went on to note that the EV certificates standard was put together and introduced for use by the Forum, with the intention to "restore the lost confidence" among users that a Web site operator is a legally-established business or organization with a verifiable identity.

This standard, as well as other safeguards, is why Go Daddy's Warner thinks there is no need for stricter regulation on CAs.

The CIO said that there are regular audits on CAs of their practices, conducted either by WebTrust or other similar standards authorities, and these audits verify that CAs are operating in compliance with the industry's best practices.

"The CAB Forum is [also] working to create a set of guidelines that cover all SSL certificates, not just EV, and address problematic vetting practices like the one exploited by Seifried," revealed Warner who added that this process would take time to establish.

PKI is not outdated
When asked if these problems were appearing due to an aging public key infrastructure (PKI), which has been the primary framework for online security since the 1970s, Opera's core developer Yngve Nysaeter Pettersen disagreed.

He noted that the DV certificate exploitation is mostly an implementation problem of the system. In this instance, the Web mail service in question also aided in the creation of the problem.

As for whether it was time to replace the PKI framework, Pettersen said the current system is the only one that can be scaled to the number of Web sites and users on the Internet today, and the system is also legislated in many countries.

"Anything that can replace PKI will require building and testing a completely new infrastructure, which is going to take a long time of more than 10 years. It will also have its own security problems that can be at least as serious as the ones we've discussed," he pointed out.

"Until such a new system is in place and functioning, the current system will have to be patched as needed, which is the same for any complex system."

Editorial standards