Fraudulent Digital Certificates – A Different Perspective
DigiNotar and Comodo have a few things in common: both are digital Certification Authorities, and both issued SSL (digital) certificates that were procured in a fraudulent manner.
For Comodo (according to Comodo) it was a case of a user account being compromised; for DigiNotar, there was an issue with the verification of the request. [Latest UPDATE – DigiNotar was also compromised]
Fraudulently procured SSL certificates are mainly used by rogue ISPs to launch MITM attacks, or by phishing experts.
Why did I choose to write on this subject? Because there is a serious design flaw in the method used to issue Digital Certificates.
Normally, when we need a digital certificate, we have to provide a lot of identity proofs to the Certifying Authority, and once the verification process is complete we get a certificate that is valid for a specific time period. As the Comodo and DigiNotar cases show, however, a CA does not necessarily conduct a full-scale investigation of the organization or person requesting the SSL certificate: employees were supposed to carry out the verification, but the hacker never went through it.
Secondly, this is a single-step verification. Many of you would disagree, but the point is that SSL certificates are used on the Internet, so is it wise to verify only the procurement of this one certificate and ignore the existence of other certificates already issued to the same organization by other CAs?
Let us walk through a test scenario. Org A and Org B are two different entities requesting a digital certificate. CA1 and CA2 are two different authorities responsible for providing digital certificates. Org A receives a digital certificate from CA1, but Org B has different plans and decides to request a digital certificate from CA2 in the name of Org A by forging identities. So what do you think would happen now? If CA2 gets its verification wrong, all hell is going to break loose. And what if CA2 has been compromised and Org B has access to the console?
For the past two days I have been thinking about this, and when I dug into the history of fraudulent SSL certificates, some of the sites for which certificates were issued were:
• login.live.com
• mail.google.com
• www.google.com
• login.yahoo.com (3 certificates)
• login.skype.com
• addons.mozilla.org
• google.com (included all the domains under google.com)
Upon further inspection, using the online analyzer provided by Comodo, I was surprised to find that none of the above-mentioned sites had ever procured their certificates from Comodo or DigiNotar; each had a different Certifying Authority. Check out the “Issuer Name” field: except for google.com, all the sites in question have had a single certificate issuer.
Domain registration and digital certificates go hand in hand, yet there cannot be a duplicate registration of a domain name. Why should it be any different for digital certificates?
Had there been a common platform for all the CAs, and an additional step of online verification by the certificate provider, this problem would have been averted.
We are treating digital certificates as an individual commodity, but the same benchmark does not apply to domain names. We simply cannot have a duplicate domain registered on the Internet. Domains can be spoofed and caches can be poisoned, but there are never two different registrars for the same domain.
This is a debatable issue but worth the thought.
Just as we have a single domain registrar for a domain, why can’t we have a common platform for SSL certificate issuers? Though this is a capitalist world, two things can be ensured: (a) no more fraudulent certificate generation, and (b) competition and price wars.
One domain, one registrar; have a problem with the price? Transfer your domain. Likewise, all certificates for the domains of one organization would come from one single provider; have a problem with that provider on any aspect? Transfer to the provider of your choice and revoke the certificates. Does this sound easy? Yes, but technically it is a bit complicated, as it involves a change in method at all levels.
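The following is an added example, not code from the eScan post: a toy model of the “one domain, one certificate provider” registry proposed above, replaying the Org A / Org B scenario and the “Issuer Name” check from earlier in the post. The registry class, the CA names CA1 and CA2, the domain orga.example, the serial numbers and the observed-certificate list are all constructed for illustration; a real shared platform would need authenticated CA identities and a signed, auditable log rather than an in-memory dictionary.

```python
# Added example (not from the eScan post): toy model of a registry shared by
# all CAs, enforcing "one domain, one issuer" and auditing observed issuers.
# CA names, domains, serials and observations are constructed for illustration.


class SharedRegistry:
    """Single platform shared by all CAs: records which CA is authorised to
    issue for each domain and every certificate issued through it."""

    def __init__(self):
        self.authority = {}   # domain -> the one CA allowed to issue for it
        self.certs = []       # dicts: serial, domain, issuer, revoked
        self._next_serial = 1

    def register(self, domain, ca):
        """Bind a domain to exactly one CA. A second registration is refused,
        just as a second registrar for the same domain is refused."""
        if domain in self.authority:
            return False
        self.authority[domain] = ca
        return True

    def issue(self, domain, requesting_ca):
        """The additional online verification step: a CA may only issue for a
        domain the registry has bound to it. Returns the serial, or None."""
        if self.authority.get(domain) != requesting_ca:
            return None
        serial = self._next_serial
        self._next_serial += 1
        self.certs.append({"serial": serial, "domain": domain,
                           "issuer": requesting_ca, "revoked": False})
        return serial

    def transfer(self, domain, new_ca):
        """Owner moves to another provider: rebind the domain and revoke every
        live certificate the previous CA issued for it. Returns the count."""
        old_ca = self.authority.get(domain)
        if old_ca is None:
            return 0
        revoked = 0
        for cert in self.certs:
            if (cert["domain"] == domain and cert["issuer"] == old_ca
                    and not cert["revoked"]):
                cert["revoked"] = True
                revoked += 1
        self.authority[domain] = new_ca
        return revoked

    def audit(self, observed):
        """Compare (domain, issuer) pairs seen in the wild against the registry.
        Anything issued by a CA other than the bound one is flagged, together
        with the issuer that was expected (None if the domain is unknown)."""
        suspicious = []
        for domain, issuer in observed:
            expected = self.authority.get(domain)
            if expected is None or issuer != expected:
                suspicious.append((domain, issuer, expected))
        return suspicious


def walk_through():
    """Replay the post's Org A / Org B scenario against the registry."""
    reg = SharedRegistry()
    reg.register("orga.example", "CA1")          # Org A chooses CA1
    legit = reg.issue("orga.example", "CA1")     # CA1 issues for Org A
    # Org B forges Org A's identity at CA2, or even controls CA2's console:
    # CA2 still cannot issue, because the registry binds the domain to CA1.
    forged = reg.issue("orga.example", "CA2")
    # Constructed observations standing in for the "Issuer Name" check:
    # the first matches the registry, the second names a CA never bound.
    observed = [("orga.example", "CA1"), ("orga.example", "CA2")]
    flagged = reg.audit(observed)
    # Org A later moves to CA2: the CA1 certificate is revoked on transfer,
    # and only then can CA2 issue for the domain.
    revoked = reg.transfer("orga.example", "CA2")
    after_transfer = reg.issue("orga.example", "CA2")
    return {"legit": legit, "forged": forged, "flagged": flagged,
            "revoked": revoked, "after_transfer": after_transfer}


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

Running the script prints the outcome of each step: the legitimate issuance succeeds, the forged request is refused regardless of how CA2 was fooled or compromised, the audit flags the stray issuer, and a transfer revokes the old provider's certificates before the new one may issue.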
What about government-owned Certifying Authorities, or those Certificate Authorities that are partially governed by rogue governments? Will the unification of CAs and a change in the method of issuing certificates rectify this problem?
If not today, then a few years down the line, when the problem of “fraudulent digital certificates” gets worse, we will see a change.