
Electronic Frontier Foundation: CAs Issuing SSL Certificates to Unqualified Domains

In a report issued this week, the Electronic Frontier Foundation said that certificate authorities are issuing SSL certificates for unqualified domain names in large numbers, a practice that the report's author, Chris Palmer, says undermines the integrity of the whole SSL system and puts Internet users at increased risk of attack.

Certificate authorities, says Palmer, are only supposed to issue certificates for public names, that is, fully-qualified domain names that resolve in the public DNS to a specific host. Palmer's analysis of the data in the EFF's "SSL Observatory" turned up large numbers of CA-signed certificates for single-label names typically used as internal-network shorthand, such as "mail," "wiki," or "intranet."

“In the Observatory we have discovered many examples of CA-signed certificates for unqualified domain names,” he writes. “In fact, the most common unqualified name is ‘localhost,’ which always refers to your own computer! It simply makes no sense for a public CA to sign a certificate for this private name. Some CAs have signed many, many certificates for this name, which indicates that they do not even keep track of which names they have signed. Some other CAs do make sure to sign ‘localhost’ only once. Cold comfort!”

The real threat, however, comes from the cases in which a CA signs a name like “webmail” or “mail.” Such a name is not tied to any one organization: it resolves to whatever host a given internal network's DNS says it does. An attacker holding an SSL certificate for such a name could therefore impersonate that server on any network and easily harvest email and passwords from unsuspecting users. Palmer says names referring to Microsoft Exchange are the most common unqualified names that CAs seem willing to sign.

“What if an attacker were able to receive a CA-signed certificate for names like ‘mail’ or ‘webmail?’ Such an attacker would be able to perfectly forge the identity of your organization’s webmail server in a ‘man-in-the-middle’ attack,” says Palmer.

In a follow-up post this week, Palmer said CAs are also issuing SSL certificates for names under top-level domains that do not exist. That is not a problem today, because such names cannot resolve, but it could become one as the new-TLD process now underway at ICANN brings many new TLDs online over the next year or so.

“It might happen that someday ICANN will create some of these TLDs,” he says. “There is even talk that they might allow people to register (at a high cost) arbitrary TLDs like .milk or .cookies. In that case, these currently-invalid certificates will become valid because they will suddenly refer to usable internet names. For example, imagine if Microsoft were able to, in the future, register the .microsoft TLD so that they could have for their web site address. As the Observatory shows, an attacker can probably get a CA to sign that name today. Such an attacker would be able to hijack Microsoft’s web site on the very minute the new name goes live.”

The original post links to a separate analysis of unqualified-name certificates by George Macon of Georgia Tech, who counts how many times each individual CA has signed such names. Macon finds Go Daddy to be the most frequent issuer. His analysis also identifies 28 EV SSL certificates issued to unqualified names as of January 2011, when the study was conducted.

According to reports, 18 of those EV certificates have since been accounted for, leaving 10 unaccounted for.

A report from the Tech Herald includes a comment from certificate authority VeriSign, now part of Symantec, which says it has since revoked the EV SSL certificates it had issued to non-fully-qualified domain names and has ensured that no further EV certificates can be issued that way.

It has been a difficult few weeks for certificate authorities. With Comodo resellers issuing rogue SSL certificates to a hacker in late March, the entire SSL certificate system has come under fairly intense scrutiny.

At last week’s IETF security forum, several organizations, including Comodo and Google, floated new ideas for securing the SSL certificate system.

In the EFF report, Palmer recommends that end users stop using unqualified names to reach internal services and instead bookmark the full URLs of those services. He also suggests that browsers stop treating SSL certificates issued to unqualified names as valid.
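The three classes of name Palmer describes (single-label names like “mail”, “localhost”, and names under TLDs that do not yet exist) and the browser-side rule he recommends can be written down as a check over the names a certificate carries. The following is an added example written for this page; it is not code from the EFF's Observatory or from any browser. The TLD set is a deliberately small constructed subset (a real check would load the IANA root-zone list and refresh it), and the sample SAN list is made up to resemble what the Observatory found rather than copied from any real certificate.

```python
import re

# Constructed, deliberately small subset of public TLDs for this example.
# A real check would load the IANA root-zone list (or the public suffix list)
# and refresh it, since the article's point is that this set changes over time.
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "uk", "de", "jp"}

# One DNS label: a lone '*' (wildcard) or an LDH label of 1..63 characters.
LABEL_RE = re.compile(r"^(?:\*|[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)$")


def classify_name(name, known_tlds=KNOWN_TLDS):
    """Classify one DNS name taken from a certificate's CN or SAN list.

    Returns 'malformed', 'loopback', 'unqualified', 'nonexistent-tld',
    'tld-wildcard' or 'public'. Only 'public' is a name a public CA should sign.
    """
    n = name.strip().lower().rstrip(".")
    labels = n.split(".")
    if not n or any(not LABEL_RE.match(lab) for lab in labels):
        return "malformed"                  # empty labels, bad characters, ...
    if any(lab == "*" for lab in labels[1:]):
        return "malformed"                  # wildcard allowed in leftmost label only
    if labels[-1] == "localhost":
        return "loopback"                   # always refers to the client itself
    if len(labels) == 1:
        return "unqualified"                # 'mail', 'webmail', 'exchange', ...
    if labels[-1] not in known_tlds:
        return "nonexistent-tld"            # 'www.microsoft' until such a TLD exists
    if labels[0] == "*" and len(labels) == 2:
        return "tld-wildcard"               # '*.com' would match every .com host
    return "public"


def _name_matches_host(cert_name, host):
    """RFC 6125-style comparison: case-insensitive exact match, or a wildcard
    in the leftmost label matching exactly one label of the host name."""
    n = cert_name.strip().lower().rstrip(".")
    h = host.strip().lower().rstrip(".")
    if n == h:
        return True
    if n.startswith("*."):
        head, _, tail = h.partition(".")
        return bool(head) and tail == n[2:]
    return False


def browser_decision(cert_names, host, known_tlds=KNOWN_TLDS):
    """Decide whether a browser following the EFF recommendation should accept
    a certificate carrying cert_names for a connection to host.

    Returns ('accept', 'public') or ('reject', reason). Ordinary hostname
    matching alone is what browsers do today; the classification step is the
    added rule that stops a certificate for 'mail' or 'localhost' from being
    treated as valid on every network that happens to resolve that name.
    """
    for n in cert_names:
        if _name_matches_host(n, host):
            kind = classify_name(n, known_tlds)
            return ("accept", kind) if kind == "public" else ("reject", kind)
    return ("reject", "no-match")


def audit_san_list(cert_names, known_tlds=KNOWN_TLDS):
    """Group a certificate's names by classification; every bucket other than
    'public' is something a public CA should not have signed."""
    report = {}
    for n in cert_names:
        report.setdefault(classify_name(n, known_tlds), []).append(n)
    return report


# Constructed SAN list resembling what the Observatory turned up (not a real cert).
SAMPLE_SANS = [
    "mail", "webmail", "localhost", "exchange.corp.example.com",
    "www.microsoft", "*.example.com", "*.com",
]

if __name__ == "__main__":
    for kind, names in sorted(audit_san_list(SAMPLE_SANS).items()):
        print(f"{kind:16s} {', '.join(names)}")
    # On a network whose resolver answers for the bare name 'mail', the
    # certificate passes hostname matching; only the added rule rejects it.
    print(browser_decision(["mail"], "mail"))
    print(browser_decision(["mail.example.com"], "mail.example.com"))
```

Two things worth noticing when running this. First, `_name_matches_host(["mail"], "mail")` succeeds, which is exactly why the article's scenario works today: nothing in plain hostname matching distinguishes a name that is meaningful only inside one network from a public one, so the rejection has to come from the extra classification. Second, `www.microsoft` is rejected only because `microsoft` is absent from the constructed TLD set; if that TLD were delegated and added to the list, the same certificate would start passing, which is the follow-up post's point about currently-invalid certificates becoming valid later.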

