Slashdot Mirror


Become an SSLAdmin In a Few Easy Steps

Renderer of Evil writes "With news that it is rather simple to mimic authority with many webmail providers in order to coax an SSL certificate authority into creating one for the domain, a Canadian security expert has decided to take it upon himself to see who out there is actually vulnerable and provide information to the public on how prevalent this issue is as we speak. Out of eleven webmail services chosen at random and without prejudice, just under half of them permitted him to register with credentials (ssladmin) that allowed him to create an SSL certificate in their name. In most of these cases, there was a pre-existing, legitimately-acquired certificate."

Update: 04/19 01:30 GMT by S: Kurt Seifried's original paper, on which the BetaNews article is based, provides more detailed information on the subject (PDF).
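As an added example (not from the article, the paper or Slashdot): a signup-time check a webmail provider could run so that mailbox names a CA may accept as proof of domain control cannot be registered by ordinary users. The reserved names other than `ssladmin`, the function names and the provider's delivery rules are assumptions.

```python
"""Signup-time guard for a webmail provider: refuse usernames that a
certificate authority may treat as a domain's administrative mailbox."""
import unicodedata

# "ssladmin" is the name used on this page. The other five are the local
# parts the CA/Browser Forum Baseline Requirements allow for email-based
# domain validation. Treat the set as a starting point, not a complete list.
RESERVED = frozenset({
    "ssladmin", "admin", "administrator",
    "hostmaster", "postmaster", "webmaster",
})


def delivery_key(username: str, ignore_dots: bool = False) -> str:
    """Reduce a requested username to the mailbox it would deliver to.

    Assumes the provider delivers case-insensitively and folds Unicode
    compatibility forms; set ignore_dots=True if it also ignores dots.
    """
    key = unicodedata.normalize("NFKC", username).casefold().strip()
    key = key.split("+", 1)[0]  # a sub-address tag is not part of the mailbox
    if ignore_dots:
        key = key.replace(".", "")
    return key


def is_reserved(username: str, ignore_dots: bool = False) -> bool:
    """True if the requested username collides with a reserved mailbox."""
    return delivery_key(username, ignore_dots) in RESERVED


def audit_existing(usernames, ignore_dots: bool = False):
    """Return already-registered accounts that collide with a reserved name."""
    return sorted(u for u in usernames if is_reserved(u, ignore_dots))


if __name__ == "__main__":
    # Constructed sample of requested usernames, including a fullwidth variant.
    fullwidth = "\uff53\uff53\uff4c\uff41\uff44\uff4d\uff49\uff4e"
    for name in ["alice", "SSLAdmin", fullwidth, "ssl.admin", "Postmaster", "admin2"]:
        print(f"{name!r:24} reserved={is_reserved(name, ignore_dots=True)}")
```

The same check belongs on alias creation and username changes, and `audit_existing` covers accounts registered before the guard was in place.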

5 of 64 comments

  1. This is nothing new by jgreco · Score: 4, Insightful

    This is nothing new, we've been talking about issues like this since the introduction of SSL. Either you have onerous and thorough verification, which makes SSL a real pain to deploy and discourages adoption, or you have an easy-to-game system that makes SSL less secure. Security always involves lots of effort, and that's simply at odds with the way things are "supposed to work" on the Internet.

  2. Re:The CAs are not doing their due diligence by Anonymous Coward · Score: 2, Insightful

    Correct. He says he's not sure whom to blame.

    *I'm* sure whom to blame: the CAs, who are falling prey to the "man who walks in in a UPS uniform" trick.

    The LHS of your email address does *not* constitute an authentication scheme, people.

  3. Re:slashdoted already! by Anonymous Coward · Score: 1, Insightful

    Misspelling of "slashdotted"

    Questionable grammar and capitalization

    Providing no content of value

    UID over 1.6M

    Yeah, it's a mystery why you were downmodded.

  4. When will registrars be required to do this? by GPLHost-Thomas · Score: 2, Insightful

    Once again, this goes into my direction of saying that your registrar is the only party that can really certify that you are the owner of the TLD you registered with them. Let's change ICANN's rules and enforce that it's the duty of each accredited registrar to provide certs (and how about requesting that it should be a free service, already paid with the domain, and for as many subdomains as needed?).

  5. Re:Sometimes by seifried · Score: 2, Insightful

    Another problem, however, is that there is no way for a domain holder to check if SSL certificates have been issued in their name from all the SSL providers. There may be someone out there with a certificate in your name and you'll literally never know unless you run into it or someone reports it to you (which is unlikely since it is a legit certificate).