Endpoint // Authentication
1/24/2012
12:55 AM

Is SSL Cert Holder ID Verification A Joke?

Some complain that certificate authorities don't do enough to verify identities for 'domain-validated' certificates

With the release of the BEAST exploit and subsequent scrambling by browser vendors to close up vulnerabilities against SSL authentication, many Web authentication discussions have been focused on the SSL/TLS protocol’s weaknesses in recent months. As some IT professionals explain, though, some of the biggest problems with SSL have nothing to do with the technology. Instead, the woes are attributed to poor practices.

According to some, one finger should be pointed at certificate authorities (CAs), which they say need to do a better job confirming the identity of certificate holders in order to bolster the trust placed in SSL certificates.

“SSL has been burdened with procedural failures, not technical ones. The issue is simple in concept, and complicated in execution: Verifying a user's identity can't be done reliably by a machine,” says Bill Horne, who runs William Warren Consulting. “At some point, anyone who is trying to convince Web users that their PKI certificate is valid must venture into meatspace and show up before a neutral third party to prove that they -- or their company -- are entitled to use the name that's on their X.509 PKI certificate.”

Chet Wisniewski, senior security adviser at Sophos, echoes Horne’s sentiments, saying he doesn’t think the SSL protocol itself is broken, apart from its dependence on the antiquated model of central CAs.

“The methods they use to verify your identity are a bit of a joke. You can get an SSL certificate for just about anything. For $19, which is what these certs cost, they're domain-validated, which just doesn't mean a lot,” he says. “As far as I'm concerned, having those certs there is better than nothing because it protects you against things like Firesheep. But they should be free, and the fact that they say they validate who [the certificate holders] say they are -- it’s just horse manure.”

Horne believes many CAs have chosen to pretend that it’s possible to automate the critical step of verifying a certificate holder’s identity.

“It isn't, but it's a lot more profitable to pretend that it is,” he says. “That's the economic problem in a nutshell: Paying humans to verify certificate-holder identities is expensive, but there's no other way to reliably verify an identity.”

And, in fact, CAs themselves have recognized the time and resources that a more painstaking verification of certificate holder identities takes: that’s where the whole idea of extended validation (EV) SSL certificates came from. When EV certificates were rolled out several years ago, the idea was to charge more for a more extensive check on the certificate holder and to display a color-coded "green bar" in the browser address bar indicating that the site is protected with an EV SSL certificate.

“Granted, when you do the extended validation, you get that fantastic green badge in your browser, and in that case they do want some documentation proving that in some way you're affiliated with this business and you've got some papers to show it. And it's a little more rigorous process -- which is the way it used to be just to get a domain,” Wisniewski says. “But even that isn’t foolproof.”

For example, the cost of EV SSL certificates may still be seen as prohibitive, which can lead to "mixed content" situations in which some pages of a site are protected with EV SSL certificates, some with plain-vanilla certificates, and some are not encrypted at all. This all-too-common problem frequently leads to vulnerabilities within sites and shows that both the CAs and site owners bear responsibility in the complicated SSL ecosystem.
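The article contrasts domain-validated and extended-validation certificates without saying how to tell, for a given certificate, which kind of check the CA actually performed. The following Python is an added example, not code from the article: it parses the Subject line and the certificatePolicies extension from the text output of `openssl x509 -text` and reports what the CA vouched for, using the CA/Browser Forum policy OIDs. The two sample excerpts, the `Example Shop Inc` subject and the `1.3.6.1.4.1.99999.1.1` OID are constructed.

```python
import re

# CA/Browser Forum reserved certificatePolicies OIDs (real, standardised values).
CABF_POLICY_OIDS = {
    "2.23.140.1.1": "EV",    # Extended Validation: organisation's legal identity verified
    "2.23.140.1.2.1": "DV",  # Domain Validated: only control of the domain name was checked
    "2.23.140.1.2.2": "OV",  # Organization Validated: organisation name checked, short of EV
}

def parse_openssl_text(text):
    """Pull Subject attributes and policy OIDs out of `openssl x509 -text` output."""
    subject, policies, in_block = {}, [], False
    m = re.search(r"^\s*Subject:\s*(.+)$", text, re.M)
    if m:
        for key, val in re.findall(r"([A-Za-z]+)\s*=\s*([^,/]+)", m.group(1)):
            subject[key] = val.strip()
    for line in text.splitlines():
        if "Certificate Policies" in line:
            in_block = True
        elif in_block and re.match(r"\s*(X509v3|Signature Algorithm)", line):
            break  # next extension or end of the certificate body: block is over
        elif in_block:
            oid = re.search(r"Policy:\s*([\d.]+)", line)
            if oid:
                policies.append(oid.group(1))
    return subject, policies

def validation_level(subject, policies):
    """Return (level, what the CA actually vouches for) for one certificate."""
    level = next((CABF_POLICY_OIDS[o] for o in policies if o in CABF_POLICY_OIDS), None)
    if level is None:
        # No CA/B Forum marker (older certs, or a CA stamping only its own OIDs): a DV cert
        # carries no Organization at all; an O without a known EV OID is treated as OV.
        level = "DV" if "O" not in subject else "OV"
    if level == "DV":
        return level, "domain control of %s only; no organisation identity verified" % subject.get("CN", "?")
    return level, "organisation '%s' verified by the CA at %s level" % (subject.get("O", "?"), level)

# Constructed `openssl x509 -text` excerpts (not real certs); 1.3.6.1.4.1.99999.1.1 is a made-up CA-private OID.
DV_SAMPLE = """\
        Subject: CN = shop.example.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
"""
EV_SAMPLE = """\
        Subject: businessCategory = Private Organization, serialNumber = 1234567, C = US, O = Example Shop Inc, CN = shop.example.com
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.99999.1.1
                Policy: 2.23.140.1.1
"""
```

Run `validation_level(*parse_openssl_text(text))` on the output of `openssl s_client -connect host:443 | openssl x509 -text` to see whether a site's certificate asserts an organisation identity at all or only domain control.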

Comments
EChickowski921
1/26/2012 | 11:44:29 PM
re: Is SSL Cert Holder ID Verification A Joke?
Good points, Josh. That's exactly what Chet at Sophos was venting about when we chatted about these issues prior to this story. There was a time when the verification that went into EV certs was just what it took to get a cert validated.
joshbw
1/25/2012 | 4:09:58 PM
re: Is SSL Cert Holder ID Verification A Joke?
One of the many, many things that undermines trust in Comodo is when they visibly and obviously astroturf a comment thread. The various breaches at CAs, such as the breach at Comodo, also call into question whether you can trust Comodo. In fact the only reason Comodo has any business is because they are guilty of selling $15 domain validated certs without any due diligence - exactly the behavior that the article rails against.

Anyway, enough bashing Comodo and their transparent comments here - what I find ludicrous is that a person has to pay a handsome premium to get EV certs, when all the EV means is that the CA actually tried to verify who they were giving the cert to... You know, what a CA should ALWAYS be doing. There shouldn't be domain validated and extended validated certs - there should just be properly validated recipients in all cases. It's sad that a premium must be paid to get CAs to do what they always should be doing.
JJ1819
1/25/2012 | 12:28:59 PM
re: Is SSL Cert Holder ID Verification A Joke?
An important motivation for using SSL certs is to add trust online. Only certificates that have authority can add trust. Comodo has authorized SSL certs.
MS8699
1/25/2012 | 11:18:50 AM
re: Is SSL Cert Holder ID Verification A Joke?
I agree with Mya that COMODO is providing SSL certificates for e-commerce businesses to enhance online business.
Mya
1/24/2012 | 10:04:43 AM
re: Is SSL Cert Holder ID Verification A Joke?
SSL certificates should be established in e-commerce businesses, and they are also important for money-transaction-oriented businesses. I also agree with joes12 that COMODO maintains the highest level of security and trust with visitors; it was very effective for my business transactions as well.
joes12
1/24/2012 | 8:38:24 AM
re: Is SSL Cert Holder ID Verification A Joke?
Obtaining an Extended Validation SSL certificate requires a rigorous validation performed by Comodo, a registered Certificate Authority (CA). This is required to ensure that the company behind the site meets the Extended Validation standard. These strict validation guidelines help keep the green address bar associated with only trusted organizations to maintain the highest level of security and trust with visitors.