[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Gmail and SSL

On 12/30/12, John Levine <johnl at iecc.com> wrote:
> Do you ever buy SSL certificates?  For cheap certificates ($9
> Geotrust, $8 Comodo, free Startcom, all accepted by Gmail), the
> entirety of the identity validation is to send an email message to an
> address associated with the domain, typically one of the WHOIS
> addresses, or hostmaster at domain, and look for a click on an embedded

These CA's will normally require interactions be done through a web
site, there will often be captchas or other methods involved in
applying for a certificate that are difficult to automate.
They require payment, which requires a credit card,  and obtaining a
massive number of certificates is not a practical thing for malware to
perform,  unless they also possess a mass amount of stolen credit
cards, and stolen WHOIS e-mail address contacts;   on the other hand,
self-signed certificates can be generated on the fly by malware, using
a simple command or series of CryptoAPI calls.

I am aware of the procedure the CAs follow,  and I am well aware that
there are significant theoretical weaknesses inherent to the
procedures that are followed to authenticate such "Turbo",   "Domain
auth" based SSL certificates.    (They use an unencrypted e-mail
message to send the equivalent of a PIN number,  for getting a
certificate signed, in reliance of WHOIS information downloaded over
unencrypted connection: WHOIS data may be tampered with,  a MITM may
be used to alter WHOIS response in transit to the CA  ---    the PIN
number in confirmation e-mail can be sniffed in transit,  or  the
contact e-mail address may be hosted by a 3rd party insecure service
provider and/or no longer belong to the authorized contact).

All of these practices have considerable risks,  and the risk that
_some_   fraudulent requests are approved is signicant.
The very e-mail server the certificate is to be issued to, might be
the one that receives the e-mail,  and a passive sniffer there may
capture the PIN required to authorize the certificate.

However, the procedures required to exploit these weaknesses are
slightly more complicated than simply  producing a self-signed
certificate on the fly for man in the middle use --  they  require
planning,  a waiting period,  because CAs  do not typically issue

And the use of credit card numbers;  either legitimate ones, which
provide a trail to trace the attacker, or stolen ones,  which  is a
requirement,   that reduces the possible size of an attack  (since a
worm, or other malware infection,  won't have an infinite supply of
those to apply for certificates).

But   "Does the CA's signature actually represent a guaranteed
authentication" wasn't the question.

The only question is...   Does it provide an assurance that is at all
stronger than a self-signed certificate that can be made on the fly?

And it does...  not a strong one, but a slightly stronger one.

> mail sent from that server.  That doesn't sound like "authentication
> of server identity" to me.
> R's,
> John