Multiple SSL certificate authorities use email addresses as proof of domain ownership

Overview

Multiple SSL certificate authorities may issue certificates to a customer based solely on the control of certain email addresses. This may allow an attacker to obtain a valid SSL certificate to perform HTTPS spoofing without generating a warning in the client software.

Description

When a client such as a web browser accesses a resource using HTTPS, which subsequently uses SSL or TLS for encryption and authentication, the client is supposed to verify the certificate provided by the server. In particular, the client verifies that the certificate was issued by a root certificate authority (CA) that is trusted. This trust relationship relies upon the belief that the root certificate authorities have sufficiently verified that the individual requesting a certificate is doing so on behalf of the domain owner.

Many root CAs use the concept of "domain-authenticated" or similarly-named SSL certificates. These certificates may be issued with minimal proof of domain ownership. In some cases, an SSL certificate is provided simply based on the ability to use certain email addresses at the domain in question. According to RFC 2142, the email address that should be used for DNS-related services should be hostmaster. According to the Mozilla CA Certificate Inclusion Policy as well as the CA/Browser Forum baseline requirements documents, control of the addresses admin, administrator, webmaster, hostmaster, and postmaster can be used to prove domain ownership. However, some root CAs allow other email addresses to serve as proof of domain ownership. For example, a user who operates the email address ssladministrator@example.com may be able to obtain an SSL certificate for example.com.

Aside from EV certificates, the browser displays no difference between domain-authenticated certificates and certificates that were obtained through additional validation. For example, GeoCerts offers both domain-authenticated certificates and fully-authenticated certificates. However, from a client (e.g. web browser) perspective, there is no difference at all between the two certificates.

Domains of sites that are used for email purposes are at increased risk. If a user can register any one of the email addresses accepted by a single root CA for the purpose of domain-authenticated SSL certificates, then that user may be able to purchase a valid SSL certificate for that domain. We are unaware of a comprehensive list of email addresses accepted for domain-authenticated SSL certificates, but Comodo publishes the policy it uses. SSL resellers such as BuyHTTP list additional email addresses that can be used for email authentication for SSL certificate purchases.

Impact

An attacker may be able to obtain a certificate for a domain that somebody else owns. With such a certificate, the attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering client certificate warnings.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:

Block access to sensitive accounts

Sites that provide email accounts to users should restrict the ability to create email accounts that are trusted by root CAs. At the very least, users should not be able to create the email addresses admin, administrator, webmaster, hostmaster, and postmaster. BuyHTTP lists those addresses as well as root, ssladmin, info, is, it, mis, ssladministrator, and sslwebmaster. If users have already created accounts that match these special names, those accounts should be disabled. Failure to do so can result in a user being able to obtain an SSL certificate for the domain in question.

Note that the above list of email addresses is not necessarily comprehensive. There may be at least one root CA that supports at least one additional email address as proof of domain ownership.
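One way to enforce the workaround above in a mail-hosting signup flow, as an added example (this is not code from the CERT/CC note or from any vendor named on this page): it refuses to create mailboxes whose name matches one of the role addresses listed above and collects already-existing matches for disabling. The reserved names are the ones the advisory lists; the normalisation rules (case folding, a "+tag" sub-address delivered to the base mailbox, dots ignored), the `extra` hook for names of other CAs, and the example.com sample accounts are assumptions.

```python
"""Guard a mail-hosting signup flow against reserved mailbox names.

Added example, not part of the CERT/CC advisory. The reserved names are the
ones the advisory lists (the CA/Browser Forum set plus the extra names the
advisory reports BuyHTTP accepting). The normalisation rules below are an
assumption about how the hosting provider's mail system routes addresses.
"""
from typing import Iterable, List, Tuple

# Role addresses the Mozilla policy / CA/Browser Forum baseline requirements
# accept as proof of domain control (per the advisory).
CAB_FORUM_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)
# Additional names the advisory reports the reseller BuyHTTP accepting.
RESELLER_LOCAL_PARTS = frozenset(
    {"root", "ssladmin", "info", "is", "it", "mis", "ssladministrator", "sslwebmaster"}
)
RESERVED_LOCAL_PARTS = CAB_FORUM_LOCAL_PARTS | RESELLER_LOCAL_PARTS


def normalize_local_part(local_part: str) -> str:
    """Canonical form used for comparison.

    Assumed provider behaviour: mailbox names are case-insensitive, a '+tag'
    sub-address is delivered to the base mailbox, and dots are ignored. If the
    provider does not collapse dots, the check is merely stricter than needed.
    """
    base = local_part.strip().lower().split("+", 1)[0]
    return base.replace(".", "")


def split_address(address: str) -> Tuple[str, str]:
    """Return (local_part, domain); raise on a string that is not an address."""
    local_part, sep, domain = address.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    return local_part, domain.lower()


def is_reserved(local_part: str, extra: Iterable[str] = ()) -> bool:
    """True if the name (after normalisation) is one a CA might trust.

    `extra` lets an operator add names for CAs not covered by the advisory,
    since the advisory says its list is not necessarily comprehensive.
    """
    reserved = RESERVED_LOCAL_PARTS | {normalize_local_part(x) for x in extra}
    return normalize_local_part(local_part) in reserved


def check_signup(requested_address: str, extra: Iterable[str] = ()) -> Tuple[bool, str]:
    """Decide whether a user may create `requested_address`.

    Returns (allowed, reason). Call this before the mailbox is created.
    """
    local_part, domain = split_address(requested_address)
    if is_reserved(local_part, extra):
        return False, (
            f"{normalize_local_part(local_part)}@{domain} is a role address that "
            "certificate authorities may accept as proof of domain control"
        )
    return True, "ok"


def audit_existing(accounts: Iterable[str], extra: Iterable[str] = ()) -> List[str]:
    """Return already-created addresses that should be disabled.

    The advisory recommends disabling existing accounts that match the
    reserved names; this collects them for review.
    """
    return [a for a in accounts if is_reserved(split_address(a)[0], extra)]


# Constructed sample of existing accounts at a hypothetical provider.
SAMPLE_ACCOUNTS = [
    "alice@example.com",
    "Admin@example.com",              # case variant of a reserved name
    "ssl.admin+billing@example.com",  # dots and a sub-address tag hide 'ssladmin'
    "support@example.com",
]

if __name__ == "__main__":
    print(check_signup("hostmaster@example.com"))
    print(check_signup("alice@example.com"))
    for address in audit_existing(SAMPLE_ACCOUNTS):
        print("disable:", address)
```

The comparison is deliberately done on the normalised form rather than on the raw string, because a CA's validation mail is delivered by the provider's routing rules, not by whatever spelling the user typed into the signup form.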

Vendor Information

Vendor                            Status    Date Notified  Date Updated
Actalis                           Affected  -              26 Mar 2015
CA Disig a.s.                     Affected  -              27 Mar 2015
CERTUM                            Affected  -              26 Mar 2015
COMODO Security Solutions, Inc.   Affected  -              26 Mar 2015
ComSign                           Affected  -              26 Mar 2015
DigiCert                          Affected  -              26 Mar 2015
e-tugra                           Affected  -              26 Mar 2015
Entrust                           Affected  -              27 Mar 2015
GeoTrust                          Affected  -              27 Mar 2015
GlobalSign                        Affected  -              26 Mar 2015
GoDaddy                           Affected  -              26 Mar 2015
OATI                              Affected  -              26 Mar 2015
QuoVadis                          Affected  -              26 Mar 2015
RapidSSL                          Affected  -              26 Mar 2015
StartCom Ltd.                     Affected  -              26 Mar 2015


CVSS Metrics

Group          Score  Vector
Base           6.4    AV:A/AC:M/Au:N/C:C/I:P/A:N
Temporal       6.4    E:H/RL:U/RC:C
Environmental  6.4    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND
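The three scores above can be recomputed from their vectors with the CVSS v2 equations. The following Python is an added example (not part of the advisory) that implements those equations in full, so besides confirming the 6.4 values shown here it scores any other v2 base, temporal and environmental vector.

```python
"""Recompute CVSS v2 scores from vector strings.

Added example, not part of the CERT/CC note. It implements the public CVSS
v2 equations (impact, exploitability, base, temporal and environmental).
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, Tuple

# CVSS v2 metric weights, keyed by metric then by vector value.
WEIGHTS: Dict[str, Dict[str, float]] = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}


def parse_vector(vector: str) -> Dict[str, float]:
    """Turn 'AV:A/AC:M/...' into {metric: weight}; an unknown metric or value raises KeyError."""
    weights = {}
    for item in vector.split("/"):
        metric, _, value = item.partition(":")
        weights[metric] = WEIGHTS[metric][value]
    return weights


def round1(x: float) -> float:
    """CVSS v2 'round_to_1_decimal': half-up, unlike Python's banker's rounding."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def impact_score(c: float, i: float, a: float) -> float:
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def base_from_impact(impact: float, exploitability: float) -> float:
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def cvss2_scores(base_vec: str, temporal_vec: str = "", env_vec: str = "") -> Tuple[float, float, float]:
    """Return (base, temporal, environmental) scores for the given vectors.

    An empty temporal or environmental vector is treated as all 'ND'.
    """
    b = parse_vector(base_vec)
    t = parse_vector(temporal_vec) if temporal_vec else {"E": 1.0, "RL": 1.0, "RC": 1.0}
    e = parse_vector(env_vec) if env_vec else {"CDP": 0.0, "TD": 1.0, "CR": 1.0, "IR": 1.0, "AR": 1.0}

    exploitability = 20 * b["AV"] * b["AC"] * b["Au"]
    base = base_from_impact(impact_score(b["C"], b["I"], b["A"]), exploitability)
    temporal_factor = t["E"] * t["RL"] * t["RC"]
    temporal = round1(base * temporal_factor)

    # Environmental: impact re-weighted by the CR/IR/AR requirements, capped at 10,
    # then the temporal factor, collateral damage potential and target distribution.
    adj_impact = min(10.0, impact_score(b["C"] * e["CR"], b["I"] * e["IR"], b["A"] * e["AR"]))
    adj_temporal = round1(base_from_impact(adj_impact, exploitability) * temporal_factor)
    environmental = round1((adj_temporal + (10 - adj_temporal) * e["CDP"]) * e["TD"])
    return base, temporal, environmental


if __name__ == "__main__":
    # The vectors from this note.
    print(cvss2_scores("AV:A/AC:M/Au:N/C:C/I:P/A:N", "E:H/RL:U/RC:C", "CDP:ND/TD:H/CR:ND/IR:ND/AR:ND"))
```

With E:H, RL:U and RC:C every temporal multiplier is 1.0, and with CDP:ND and TD:H the environmental adjustments are neutral, which is why all three rows carry the same 6.4: the score is driven entirely by the base metrics (adjacent network, medium complexity, complete confidentiality loss, partial integrity loss).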
