Overview
Multiple SSL certificate authorities may issue certificates to a customer based solely on the control of certain email addresses. This may allow an attacker to obtain a valid SSL certificate to perform HTTPS spoofing without generating a warning in the client software.
Description
When a client such as a web browser accesses a resource using HTTPS, which subsequently uses SSL or TLS for encryption and authentication, the client is supposed to verify the certificate provided by the server. In particular, the client verifies that the certificate was issued by a root certificate authority (CA) that is trusted. This trust relationship relies upon the belief that the root certificate authorities have sufficiently verified that the individual requesting a certificate is doing so on behalf of the domain owner. Many root CAs use the concept of "domain-authenticated" or similarly-named SSL certificates. These certificates may be issued with minimal proof of domain ownership. In some cases, an SSL certificate is provided simply based on the ability to use certain email addresses at the domain in question. According to RFC2142, the email address that should be used for DNS-related services should be hostmaster. According to the Mozilla CA Certificate Inclusion Policy as well as the CA/Browser Forum baseline requirements documents, the control of the addresses admin, administrator, webmaster, hostmaster, and postmaster can be used to prove domain ownership. However, some root CAs allow other email addresses to serve as proof of domain ownership. For example, a user who operates the email address ssladministrator@example.com may be able to obtain an SSL certificate for example.com. |
Impact
An attacker may be able to obtain a certificate for a domain that somebody else owns. With such a certificate, the attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering client certificate warnings. |
Solution
The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds: |
Block access to sensitive accounts |
Vendor Information
The vendors listed as "affected" here are CAs that provide email-authenticated domain-validated SSL certificates. Although the CA/Browser Forum baseline requirements documents list email authentication using predefined aliases as a valid form of domain validation (section 11.1.1), CERT's stance is that such email authentication is not sufficient proof of domain ownership. Email providers that may be affected by fraudulent acquisition of SSL certificates by email are not listed here. |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 6.4 | AV:A/AC:M/Au:N/C:C/I:P/A:N |
| Temporal | 6.4 | E:H/RL:U/RC:C |
| Environmental | 6.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- https://www.ietf.org/rfc/rfc2142.txt
- https://www.schneier.com/paper-pki-ft.txt
- https://wiki.mozilla.org/CA:IncludedCAs
- https://support.apple.com/en-us/HT204132
- http://social.technet.microsoft.com/wiki/contents/articles/14215.windows-and-windows-phone-8-ssl-root-certificate-program-member-cas.aspx
- https://intrepidusgroup.com/insight/2008/12/more-than-one-way-to-skin-a-ca/
- https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-zusman-hacking_pki.pdf
- http://www.theregister.co.uk/2011/04/11/state_of_ssl_analysis/
- http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authenticity/
- https://groups.google.com/d/topic/mozilla.dev.security.policy/huhtdBOEyas
- http://news.slashdot.org/story/10/04/18/1218212/Become-an-SSLAdmin-In-a-Few-Easy-Steps
- https://raymii.org/s/blog/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html
- http://arstechnica.com/security/2015/03/bogus-ssl-certificate-for-windows-live-could-allow-man-in-the-middle-hacks/
- https://kurt.seifried.org/2010/04/20/verisign-certificate-authority-finally-fixes-part-of-the-domain-verification-problem/
- http://betanews.com/2010/03/31/security-researcher-trivially-easy-to-buy-ssl-certificate-for-domain-you-don-t-own/
- http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/ssl-landscape-trento.pdf
- http://en.wikipedia.org/wiki/CA/Browser_Forum
- https://cabforum.org/
- https://bugzilla.mozilla.org/show_bug.cgi?id=477783
- https://bugzilla.mozilla.org/show_bug.cgi?id=556468
- http://www.darkreading.com/endpoint/authentication/is-ssl-cert-holder-id-verification-a-joke/d/d-id/1136978?
- https://www.trustico.com/validation/how-fast-is-my-ssl-certificate-issued.php
- https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/791/16/alternative-methods-of-domain-control-validation-dcv
- https://support.his.com/supp/kb/article/400-Email_Authentication_for_Domain_validated_SSL_certificates
- http://account.buyhttp.com/knowledgebase/753/Which-email-address-can-approve-SSL-certificate-order.html
- http://certum.eu/certum/cert,offer_Commercial_SSL.dxml?MEDIA=pdf
- http://evssl.com.ua/docs/thawte/enroll_ssl123_eng.pdf
- http://host.dynamicwebhost.net/features/approvedemail.htm
- https://www.geocerts.com/api_spec.pdf
- https://www.onestepssl.com/onestepssl_validation_process.php
- http://www.domainpurpose.com/ssl-faqs.htm
- http://kb.canvashost.com/?p=935
Acknowledgements
This document was written by Will Dormann.
Other Information
| CVE IDs: | None |
| Date Public: | 2008-12-31 |
| Date First Published: | 2015-03-27 |
| Date Last Updated: | 2015-04-07 13:59 UTC |
| Document Revision: | 100 |