1/24/2012
12:55 AM

Is SSL Cert Holder ID Verification A Joke?

Some complain that certificate authorities don't do enough to verify identities for 'domain-validated' certificates

With the release of the BEAST exploit (a chosen-plaintext attack on TLS 1.0's CBC mode that can recover encrypted data such as session cookies) and the subsequent scramble by browser vendors to mitigate it, much of the recent Web authentication discussion has focused on weaknesses in the SSL/TLS protocol itself. As some IT professionals point out, though, some of the biggest problems with SSL have nothing to do with the technology; the woes are attributable to poor practices.

According to some, one finger should be pointed at certificate authorities (CAs), which they say need to do a better job confirming the identity of certificate holders in order to bolster the trust placed in SSL certificates.

“SSL has been burdened with procedural failures, not technical ones. The issue is simple in concept, and complicated in execution: Verifying a user's identity can't be done reliably by a machine,” says Bill Horne, who runs William Warren Consulting. “At some point, anyone who is trying to convince Web users that their PKI certificate is valid must venture into meatspace and show up before a neutral third party to prove that they -- or their company -- are entitled to use the name that's on their X.509 PKI certificate.”

Chet Wisniewski, senior security adviser at Sophos, echoes Horne's sentiments: he does not think the SSL protocol itself is broken, only that it rests on the antiquated model of trusting central CAs.

“The methods they use to verify your identity are a bit of a joke. You can get an SSL certificate for just about anything. For $19, which is what these certs cost, they're domain-validated, which just doesn't mean a lot,” he says. “As far as I'm concerned, having those certs there is better than nothing because it protects you against things like Firesheep. But they should be free, and the fact that they say they validate who [the certificate holders] say they are -- it’s just horse manure.”

Horne believes many CAs have chosen to pretend that the critical step of verifying a certificate holder's identity can be automated.

“It isn't, but it's a lot more profitable to pretend that it is,” he says. “That's the economic problem in a nutshell: Paying humans to verify certificate-holder identities is expensive, but there's no other way to reliably verify an identity.”

CAs have in fact acknowledged the time and resources a thorough check of a certificate holder's identity takes: that is where extended validation (EV) SSL certificates came from. When the CA/Browser Forum's EV guidelines were rolled out in 2007, the idea was to charge more for a more extensive vetting of the certificate holder and to signal it with a color-coded "green bar" in the browser's address bar, indicating that the site is protected with an EV certificate.

“Granted, when you do the extended validation, you get that fantastic green badge in your browser, and in that case they do want some documentation proving that in some way you're affiliated with this business and you've got some papers to show it. And it's a little more rigorous process -- which is the way it used to be just to get a domain,” Wisniewski says. “But even that isn’t foolproof.”

The cost of EV certificates, for example, may still be seen as prohibitive, so a site may protect some pages with EV certificates, others with plain domain-validated ones, and leave still others unencrypted altogether. (Browsers use the term "mixed content" more narrowly, for an HTTPS page that pulls in scripts, images or other resources over plain HTTP; that, too, undermines the protection the page's certificate implies.) Whichever form it takes, patchy coverage is an all-too-common problem: the pages left on plain HTTP expose session cookies and form data to exactly the kind of passive interception Firesheep demonstrated, and it shows that both CAs and site owners bear responsibility in the complicated SSL ecosystem.
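The difference between a domain-validated and an EV certificate is visible in the certificate itself, not only in the browser's green bar. The following Python script is an added example, not code from the article or from any CA: it classifies a certificate's validation level from its subject attributes and its certificatePolicies OIDs, using the CA/Browser Forum's reserved policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.3 for IV) and the subject fields the EV Guidelines require. The sample subjects are constructed, in the nested-tuple shape Python's ssl getpeercert() returns; the CA-specific EV OID is hypothetical, standing in for the per-CA OIDs that browsers of the time kept on a hard-coded EV allowlist.

```python
"""Tell DV, OV and EV certificates apart from what the certificate carries.

Added example, not part of the original article.  Policy OIDs are the
CA/Browser Forum reserved certificatePolicies identifiers; EV_REQUIRED_ATTRS
lists subject attributes the EV Guidelines require of an EV certificate.
The subjects below are constructed samples in the shape that Python's
ssl.SSLSocket.getpeercert()["subject"] returns.
"""

# CA/Browser Forum reserved certificatePolicies OIDs.
CABF_POLICY_OIDS = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
}

# Identity-establishing subject attributes the EV Guidelines require
# (address fields such as localityName vary, so they are not checked).
EV_REQUIRED_ATTRS = frozenset({
    "organizationName", "businessCategory", "serialNumber",
    "jurisdictionCountryName", "countryName",
})

# Hypothetical CA-specific EV policy OID, standing in for the per-CA OIDs
# that browsers kept on an EV allowlist.  Not a real CA's OID.
HYPOTHETICAL_CA_EV_OID = "1.3.6.1.4.1.99999.1.1"


def subject_to_dict(subject):
    """Flatten getpeercert()'s tuple-of-RDNs into {attribute: value}."""
    attrs = {}
    for rdn in subject:
        for name, value in rdn:
            attrs[name] = value
    return attrs


def classify(subject, policy_oids=(), ev_allowlist=frozenset()):
    """Return (level, reason); level is "EV", "OV", "DV" or "unknown".

    Order of evidence: an EV policy OID (the CA/B Forum one or one on the
    browser allowlist) counts only if the subject also carries every
    EV-required field; otherwise a Baseline Requirements policy OID decides;
    failing both, fall back to whether the subject names an organisation.
    """
    attrs = subject_to_dict(subject)
    oids = set(policy_oids)

    if "2.23.140.1.1" in oids or oids & set(ev_allowlist):
        missing = EV_REQUIRED_ATTRS - set(attrs)
        if not missing:
            return "EV", "EV policy OID plus all EV-required subject fields"
        # An EV OID on a DV-shaped subject is an inconsistency, not an EV cert.
        return "unknown", "EV policy OID but subject lacks " + ", ".join(sorted(missing))

    for oid in sorted(oids):
        level = CABF_POLICY_OIDS.get(oid)
        if level in ("DV", "OV", "IV"):
            return level, "CA/B Forum policy OID " + oid

    if "organizationName" in attrs:
        return "OV", "organizationName present but no CA/B Forum policy OID"
    return "DV", "subject carries no organisation identity"


# Constructed sample subjects (not taken from real certificates).
DV_SUBJECT = ((("commonName", "www.example.com"),),)
OV_SUBJECT = (
    (("countryName", "US"),),
    (("organizationName", "Example Corp"),),
    (("commonName", "www.example.com"),),
)
EV_SUBJECT = (
    (("businessCategory", "Private Organization"),),
    (("jurisdictionCountryName", "US"),),
    (("serialNumber", "1234567"),),
    (("countryName", "US"),),
    (("localityName", "Anytown"),),
    (("organizationName", "Example Corp"),),
    (("commonName", "www.example.com"),),
)

if __name__ == "__main__":
    for label, subject, oids in (
        ("DV", DV_SUBJECT, ["2.23.140.1.2.1"]),
        ("OV", OV_SUBJECT, ["2.23.140.1.2.2"]),
        ("EV", EV_SUBJECT, [HYPOTHETICAL_CA_EV_OID]),
        ("EV OID on a DV-shaped subject", DV_SUBJECT, ["2.23.140.1.1"]),
    ):
        print(label, "->", classify(subject, oids, {HYPOTHETICAL_CA_EV_OID}))
```

To run it against a live site, take the subject from ssl.create_default_context().wrap_socket(...).getpeercert()["subject"]; getpeercert() does not expose certificatePolicies, so the OIDs have to come from a full X.509 parser (the cryptography package, or openssl x509 -text -noout). The classifier deliberately refuses to call a certificate EV when it carries an EV policy OID but lacks the EV-required subject fields; that inconsistency is worth flagging rather than trusting.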


Comments
Ericka Chickowski,
User Rank: Moderator
1/26/2012 | 11:44:29 PM
re: Is SSL Cert Holder ID Verification A Joke?
Good points, Josh. That's exactly what Chet at Sophos was venting about when we chatted about these issues prior to this story. There was a time when the verification that went into EV certs was just what it took to get a cert validated.
joshbw,
User Rank: Apprentice
1/25/2012 | 4:09:58 PM
re: Is SSL Cert Holder ID Verification A Joke?
One of the many, many things that undermines trust in Comodo is when they visibly and obviously astroturf a comment thread. The various breaches at CAs, such as the breach at Comodo, also call into question whether you can trust Comodo. In fact the only reason Comodo has any business is because they are guilty of selling $15 domain validated certs without any due diligence - exactly the behavior that the article rails against.

Anyway, enough bashing Comodo and their transparent comments here - what I find ludicrous is that a person has to pay a handsome premium to get EV certs, when all the EV means is that the CA actually tried to verify who they were giving the cert to... You know, what a CA should ALWAYS be doing. There shouldn't be domain validated and extended validated certs - there should just be properly validated recipients in all cases. It's sad that a premium must be paid to get CAs to do what they always should be doing.
JJ1819,
User Rank: Apprentice
1/25/2012 | 12:28:59 PM
re: Is SSL Cert Holder ID Verification A Joke?
An important motivation for using an SSL cert is to add trust online. Only certificates that have authority can add trust. Comodo has authorized SSL certs.
MS8699,
User Rank: Apprentice
1/25/2012 | 11:18:50 AM
re: Is SSL Cert Holder ID Verification A Joke?
I agree with Mya that COMODO provides SSL certificates for e-commerce businesses to enhance online business.
Mya,
User Rank: Apprentice
1/24/2012 | 10:04:43 AM
re: Is SSL Cert Holder ID Verification A Joke?
SSL certificates should be established in e-commerce business, and they are also important for money-transaction-oriented business. I also agree with joes12 that COMODO maintains the highest level of security and trust with visitors; it was very effective for my business transactions as well.
joes12,
User Rank: Apprentice
1/24/2012 | 8:38:24 AM
re: Is SSL Cert Holder ID Verification A Joke?
Obtaining an Extended Validation SSL certificate requires a rigorous validation performed by Comodo, a registered Certificate Authority (CA). This is required to ensure that the company behind the site meets the Extended Validation standard. These strict validation guidelines help keep the green address bar associated with only trusted organizations to maintain the highest level of security and trust with visitors.