
HTTPS security undermined by lax certificate authorities, says EFF

Electronic Frontier Foundation SSL Observatory documents bad behaviour


The Electronic Frontier Foundation has published research showing that the SSL certificate system that underpins web security is far from trustworthy.

As part of its SSL Observatory project, the EFF has found that tens of thousands of SSL certificates have been issued for nonsense domains, something that should be impossible. It indicates certificates are being issued without necessary checks taking place.

Most of us are aware of the padlock system by which we know if a connection to an online bank, shop or webmail provider is secure. The website address is also prefixed by https://, which provides another clue.

Public certificates

The system relies on the remote web server sending your browser its public SSL certificate. Via a handful of cryptographic transactions, your browser is able to use this to verify the remote server is who it says it is, and that you're not connected to a fraudster. It is also able to encrypt data transmissions.

Therefore, the authenticity of the SSL certificate is of prime importance. It's because of this that the number of companies worldwide that issue certificates, known as Certificate Authorities (CAs), is strictly limited.

A variety of SSL certificates can be purchased. With very basic SSL certificates the CA checks to ensure the company is the same one that registered the domain. With more rigorous certificates, such as the Extended Validation Certificate that most reputable organizations use, the CA is required to prove the physical location of the company in the real world, amongst more stringent investigations. It's for these reasons that purchasing an SSL certificate can be expensive.

Unqualified domains

If a CA issued certificates for simple, single words such as "mail" or "web," it would indicate their checking procedure isn't up to scratch because these are not real Internet addresses. Yet this is what the EFF has discovered. It found 37,244 examples of certificates for "unqualified" domain names, which is to say, general words or terms that are simply meaningless on the Internet and should never have had certificates issued for them.

The problem is largely caused by corporate network administrators. They purchase SSL certificates for words like "mail" and "web" to create secure connections between computers on their internal networks (known as Intranets). Rather than having workers type mail.mycompany.com into their browsers to access the corporate mail server, for example, a network administrator might configure the network so users type "mail."

But to make connections secure from networking snoops, the admin will purchase an SSL certificate for the computer the word "mail" directs to. Attempting to buy such a certificate would be impossible if the CA performed the most rudimentary examination of the request and realised it's not a real domain.

Perhaps more worrying, further research shows CAs are also issuing certificates for words involving non-real top level domains (TLDs). TLDs are the endings of web addresses and examples include .com, .org, .net and so on. The EFF found that certificates were being issued for nonsense words joined to made-up TLDs like .nyc or .public. Again, these are likely used within corporate environments to indicate an attribute or location of a server. For example, "mail.nyc" might indicate a mail server based in New York City. The address "web.private" might indicate a non-public web server.

The danger is that, one day, a TLD like .nyc might actually exist. Indeed, we may soon see an explosion of new TLDs for just about every requirement.

Let's assume that the .nyc TLD is one day created and a guy registers "mail.nyc." He's got a problem because whoever has already been issued a certificate for "mail.nyc" by a CA that didn't perform checks will be able to hijack visitors to his site, seemingly providing a 100 percent trustworthy connection.

Hacker opportunity

Taking advantage of the careless certificate authorities, right now hackers could purchase certificates for any likely future combination of domain plus TLD. How about getting a certificate for "web.apple," for example, in anticipation of a time when Apple gets its own top level domain? Hackers could then hijack any user who types https://web.apple into a browser, and it wouldn't appear to be anything but legitimate.

Aside from suggesting that certificate authorities do their job properly, the EFF suggests that browsers and other Internet software should accept SSL certificates only for genuine (fully-qualified) domain names. After all, it should be impossible for a connection to take place to something like "https://mail," yet browsers don't check for such transgressions (as anybody who's mistyped an address will know).
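The check the EFF proposes, as an added illustration that is not part of the article or of the EFF's tooling: audit the DNS names in a certificate (in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns) and reject any bare label such as "mail" or any name whose last label is not a delegated public TLD, such as "mail.nyc". The TLD list and the sample certificate are constructed for the example.

```python
# Constructed subset of public TLDs for the check; a real policy would load the
# full IANA root-zone list (assumption, not from the article).
PUBLIC_TLDS = {"com", "org", "net", "uk", "edu", "gov", "info"}


def classify_name(name: str) -> str:
    """Classify one DNS name from a certificate under the strict policy the
    article describes: 'fqdn' (acceptable), 'unqualified' (a bare word such as
    "mail"), 'unknown_tld' (a dotted name ending in a TLD that is not public,
    such as "mail.nyc"), or 'invalid' for an empty name."""
    name = name.strip().rstrip(".").lower()   # tolerate a trailing root dot
    if not name:
        return "invalid"
    labels = name.split(".")
    if len(labels) == 1:
        return "unqualified"
    if labels[-1] not in PUBLIC_TLDS:
        return "unknown_tld"
    return "fqdn"


def audit_cert(cert: dict) -> dict:
    """Return {name: classification} for every DNS SAN in the certificate;
    fall back to the subject CN only when no SAN is present."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v for k, v in rdn if k == "commonName")
    return {n: classify_name(n) for n in names}


def should_accept(cert: dict) -> bool:
    """Strict browser policy: accept only if every name is a public FQDN."""
    results = audit_cert(cert)
    return bool(results) and all(r == "fqdn" for r in results.values())


# Constructed sample (not a real certificate): a corporate "mail" cert that also
# carries a made-up TLD, the pattern the EFF found tens of thousands of times.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail"),),),
    "subjectAltName": (("DNS", "mail"), ("DNS", "mail.nyc"),
                       ("DNS", "mail.example.com")),
}

if __name__ == "__main__":
    for n, verdict in audit_cert(SAMPLE_CERT).items():
        print(f"{n:20s} {verdict}")
    print("accept:", should_accept(SAMPLE_CERT))
```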

The SSL certificate system has been under significant attack recently. A hack attack on one of the biggest certificate authorities has brought into question the entire system and made many realize that the system is in drastic need of updating for 21st century demands. At the moment there are over 600 certificate authorities around the world that the major browsers, such as Internet Explorer and Mozilla Firefox, trust.

Each CA issues certificates based on variations of local laws plus their own peculiarities. As with any collection of organisations, some are better than others, both in their criteria for issuing certificates and also their internal security procedures that stop hackers infiltrating their systems and fraudulently issuing certificates.

Ultimately, all of this means that we can no longer fully trust HTTPS connections. However, until schemes like DNSSEC come online, we simply have no choice but to do so. Keeping common sense with us at all times will help. If you visit your bank's home page, for example, and they suddenly seem unable to construct proper sentences, then there might be something wrong.
