
Electronic Frontier Foundation: CAs Issuing SSL Certificates to Unqualified Domains

from www.thewhir.com – In a report issued this week, online watchdog group the Electronic Frontier Foundation said that certificate authorities are issuing SSL certificates for unqualified domains in large numbers, a practice that the report’s author Chris Palmer says could impact the integrity of the whole SSL system, and puts Internet users at increased risk of attack.

Certificate authorities, says Palmer, are only supposed to issue certificates for public names – that is, for fully-qualified domains that reference a specific machine. Palmer’s research into data in the EFF’s “SSL Observatory” uncovered large numbers of certificates signed by CAs for domains typically used as internal-network shorthand, such as “mail,” “wiki,” or “intranet.”

“In the Observatory we have discovered many examples of CA-signed certificates for unqualified domain names,” he writes. “In fact, the most common unqualified name is ‘localhost,’ which always refers to your own computer! It simply makes no sense for a public CA to sign a certificate for this private name. Some CAs have signed many, many certificates for this name, which indicates that they do not even keep track of which names they have signed. Some other CAs do make sure to sign ‘localhost’ only once. Cold comfort!”

The actual threat, however, is posed by the occasions when a CA signs a name like “webmail” or “mail.” An attacker who acquired an SSL certificate for such a name could easily harvest email and password information from unsuspecting users. Palmer says names referencing Microsoft Exchange are the most common unqualified names that CAs seem willing to sign.

“What if an attacker were able to receive a CA-signed certificate for names like ‘mail’ or ‘webmail?’ Such an attacker would be able to perfectly forge the identity of your organization’s webmail server in a ‘man-in-the-middle’ attack,” says Palmer.

In a follow-up post this week, Palmer said CAs are also issuing SSL certificates for non-existent domains. This is not much of a problem today, but it could become one as the new TLD process currently underway introduces many new TLDs over the next year or so.

“It might happen that someday ICANN will create some of these TLDs,” he says. “There is even talk that they might allow people to register (at a high cost) arbitrary TLDs like .milk or .cookies. In that case, these currently-invalid certificates will become valid because they will suddenly refer to usable internet names. For example, imagine if Microsoft were able to, in the future, register the .microsoft TLD so that they could have www.microsoft for their web site address. As the Observatory shows, an attacker can probably get a CA to sign that name today. Such an attacker would be able to hijack Microsoft’s web site on the very minute the new name goes live.”

The original post links out to some other investigation into CAs issuing unqualified domains by George Macon of Georgia Tech, who isolates how many times individual CAs sign those domains. Macon says Go Daddy is the most common offender. The analysis also identifies 28 EV SSL certificates issued to unqualified domains as of January 2011, when the study was conducted.

According to reports, 18 of those EV certificates have since been accounted for, leaving 10 unaccounted for.

A report from the Tech Herald includes a comment from certificate authority Verisign, now part of Symantec, which has since revoked the EV SSL certificates it had issued to non-fully-qualified domain names and ensured that further EV certificates cannot be issued that way.

It has been a difficult few weeks for certificate authorities. With Comodo resellers issuing rogue SSL certificates to a hacker in late March, the entire SSL certificate system has come under fairly intense scrutiny.

At last week’s IETF security forum, several organizations, including Comodo and Google, floated some new SSL certificate security ideas.

In the EFF report, Palmer recommends that end users stop using unqualified links to access resources, instead setting browser bookmarks to the full URLs for those services. He also suggests that browsers stop treating SSL certificates issued to unqualified domains as valid.
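The checks Palmer describes can be expressed as a small policy: a name in a certificate is acceptable only if it is fully qualified and sits under a delegated TLD, and a browser following his second recommendation would refuse any certificate that lists an unqualified name such as “mail” or “localhost.” The following Python is an added example written for this article, not code from the EFF, the SSL Observatory, or any browser. It assumes a deliberately short, constructed list of TLDs standing in for ICANN’s root zone, treats “localhost” as the one reserved name, and takes subject names as plain strings rather than parsing X.509 structures. It also goes one step beyond the article by flagging names whose TLD does not exist yet, which covers the “www.microsoft” case from the follow-up post.

```python
import ipaddress
import re

# Constructed, deliberately short TLD list standing in for the ICANN root zone.
# A real check would load https://data.iana.org/TLD/tlds-alpha-by-domain.txt.
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "uk", "de", "io"}

# Names that always refer to the local machine; a public CA should never sign them.
# (Assumption: only "localhost" is treated as reserved here.)
RESERVED_NAMES = {"localhost"}

# One DNS label: 1-63 chars of letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def classify_name(name: str, known_tlds=KNOWN_TLDS) -> str:
    """Classify one subject name from a certificate.

    Returns one of:
      'unqualified'  - a single label such as 'mail', or a reserved name
      'ip'           - an IP address literal
      'malformed'    - not a syntactically valid DNS name
      'unknown-tld'  - a dotted name whose rightmost label is not a delegated TLD
      'public'       - a fully qualified name under a delegated TLD
    """
    n = name.strip().rstrip(".").lower()
    if not n:
        return "malformed"
    try:
        ipaddress.ip_address(n)
        return "ip"
    except ValueError:
        pass
    labels = n.split(".")
    if labels[0] == "*":
        labels = labels[1:]  # wildcard certificate: judge the part after '*.'
    if not labels or any(not LABEL_RE.match(lab) for lab in labels):
        return "malformed"
    if len(labels) == 1 or labels[-1] in RESERVED_NAMES:
        return "unqualified"
    if labels[-1] not in known_tlds:
        return "unknown-tld"
    return "public"


def audit_certificate(names, known_tlds=KNOWN_TLDS) -> dict:
    """Return the names a CA should have refused, grouped by reason."""
    findings = {}
    for name in names:
        category = classify_name(name, known_tlds)
        if category != "public":
            findings.setdefault(category, []).append(name)
    return findings


def browser_should_trust(names, known_tlds=KNOWN_TLDS) -> bool:
    """Palmer's browser-side recommendation as a policy: reject any certificate
    that carries an unqualified name, whatever else it lists."""
    return "unqualified" not in audit_certificate(names, known_tlds)


# Constructed sample: the name list of a hypothetical certificate of the kind the
# Observatory turned up, mixing one public name with internal shorthand.
SAMPLE_NAMES = ["webmail.example.com", "webmail", "mail", "localhost", "www.microsoft"]

if __name__ == "__main__":
    for reason, names in audit_certificate(SAMPLE_NAMES).items():
        print(f"{reason}: {', '.join(names)}")
    print("browser should trust:", browser_should_trust(SAMPLE_NAMES))
```

Run against the constructed sample, the audit reports “webmail”, “mail” and “localhost” as unqualified and “www.microsoft” as having an unknown TLD, and the trust decision is False. The same routine can be pointed at the subject and SAN names extracted from a real certificate to find the certificates the article describes.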
