On 12/30/12, John Levine <johnl@iecc.com> wrote:
> Do you ever buy SSL certificates? For cheap certificates ($9 Geotrust, $8 Comodo, free Startcom, all accepted by Gmail), the entirety of the identity validation is to send an email message to an address associated with the domain, typically one of the WHOIS addresses, or hostmaster@domain, and look for a click on an embedded
These CAs will normally require interactions to be done through a web site; there will often be captchas or other methods involved in applying for a certificate that are difficult to automate. They require payment, which requires a credit card, and obtaining a massive number of certificates is not a practical thing for malware to perform, unless it also possesses a mass amount of stolen credit cards and stolen WHOIS e-mail address contacts; on the other hand, self-signed certificates can be generated on the fly by malware, using a simple command or a series of CryptoAPI calls.

I am aware of the procedure the CAs follow, and I am well aware that there are significant theoretical weaknesses inherent to the procedures that are followed to authenticate such "Turbo", "Domain auth" based SSL certificates. (They use an unencrypted e-mail message to send the equivalent of a PIN number for getting a certificate signed, in reliance on WHOIS information downloaded over an unencrypted connection: WHOIS data may be tampered with, a MITM may be used to alter the WHOIS response in transit to the CA, the PIN number in the confirmation e-mail can be sniffed in transit, or the contact e-mail address may be hosted by a 3rd-party insecure service provider and/or no longer belong to the authorized contact.)

All of these practices have considerable risks, and the risk that _some_ fraudulent requests are approved is significant. The very e-mail server the certificate is to be issued to might be the one that receives the e-mail, and a passive sniffer there may capture the PIN required to authorize the certificate.

However, the procedures required to exploit these weaknesses are slightly more complicated than simply producing a self-signed certificate on the fly for man-in-the-middle use: they require planning and a waiting period, because CAs do not typically issue immediately, and the use of credit card numbers, either legitimate ones, which provide a trail to trace the attacker, or stolen ones, which is a requirement that reduces the possible size of an attack (since a worm, or other malware infection, won't have an infinite supply of those to apply for certificates).

But "Does the CA's signature actually represent a guaranteed authentication?" wasn't the question. The only question is: does it provide an assurance that is at all stronger than a self-signed certificate that can be made on the fly? And it does... not a strong one, but a slightly stronger one.
> mail sent from that server. That doesn't sound like "authentication of server identity" to me.
> 
> R's, John
--
-JH
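The contrast the reply draws, as an added example that is not part of the original thread: a self-signed certificate minted on the fly with a fresh key, beside a leaf issued by a CA, both checked the way a TLS client with a fixed root store checks them. It uses only the Go standard library. The root CA ("Constructed DV Root"), the host name mail.example.org and every key are constructed here for illustration; the CA's e-mailed-PIN validation step that the thread discusses happens before Issue is called and is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// mustParse turns the DER returned by x509.CreateCertificate back into a Certificate.
func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// leafTemplate is a one-day server certificate for host; clients match the SAN, not the CN.
func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// SelfSigned is the on-the-fly certificate: a fresh key signs its own cert for host.
func SelfSigned(host string) *x509.Certificate {
	key := newKey()
	tmpl := leafTemplate(host, 1)
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// NewCA builds the constructed root that stands in for a domain-validating CA.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed DV Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// Issue is what the CA does once its (unmodelled) validation step has passed.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	leafKey := newKey()
	return mustParse(x509.CreateCertificate(rand.Reader, leafTemplate(host, 2), ca, &leafKey.PublicKey, caKey))
}

// VerifyForHost is the client's side: chain to a trusted root and match host.
func VerifyForHost(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo reports what a client trusting only the constructed root concludes:
// CA-issued leaf accepted, self-signed leaf rejected as unknown authority,
// CA-issued leaf presented for a different host rejected.
func Demo(host string) (caIssuedOK, selfSignedRejected, wrongHostRejected bool) {
	ca, caKey := NewCA()
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	issued := Issue(ca, caKey, host)
	caIssuedOK = VerifyForHost(issued, roots, host) == nil
	var unknown x509.UnknownAuthorityError
	selfSignedRejected = errors.As(VerifyForHost(SelfSigned(host), roots, host), &unknown)
	wrongHostRejected = VerifyForHost(issued, roots, "other."+host) != nil
	return
}
```

The point of the split between SelfSigned and Issue is the one the reply makes: the certificate bytes are equally easy to produce either way, and the only thing a client can distinguish is which key signed them. Whatever assurance the CA's signature carries is exactly as good as the validation the CA ran before calling Issue, which for the cheap certificates in the thread is the e-mailed PIN.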