1/24/2012
12:55 AM
Is SSL Cert Holder ID Verification A Joke?

Some complain that certificate authorities don't do enough to verify identities for 'domain-validated' certificates

Since the release of the BEAST exploit and the subsequent scramble by browser vendors to close the resulting holes in SSL-protected sessions, much of the Web authentication discussion in recent months has focused on weaknesses in the SSL/TLS protocol itself. As some IT professionals explain, though, some of the biggest problems with SSL have nothing to do with the technology. The woes stem instead from poor practices.

According to some, one finger should be pointed at certificate authorities (CAs), which they say need to do a better job confirming the identity of certificate holders in order to bolster the trust placed in SSL certificates.

“SSL has been burdened with procedural failures, not technical ones. The issue is simple in concept, and complicated in execution: Verifying a user's identity can't be done reliably by a machine,” says Bill Horne, who runs William Warren Consulting. “At some point, anyone who is trying to convince Web users that their PKI certificate is valid must venture into meatspace and show up before a neutral third party to prove that they -- or their company -- are entitled to use the name that's on their X.509 PKI certificate.”

Chet Wisniewski, senior security adviser at Sophos, echoes Horne’s sentiments, saying he doesn’t think the SSL protocol is broken, apart from its dependence on the antiquated model of central CAs.

“The methods they use to verify your identity are a bit of a joke. You can get an SSL certificate for just about anything. For $19, which is what these certs cost, they're domain-validated, which just doesn't mean a lot,” he says. “As far as I'm concerned, having those certs there is better than nothing because it protects you against things like Firesheep. But they should be free, and the fact that they say they validate who [the certificate holders] say they are -- it’s just horse manure.”

Horne believes many CAs have chosen to pretend that it’s possible to automate the critical step of verifying a certificate holder’s identity.

“It isn't, but it's a lot more profitable to pretend that it is,” he says. “That's the economic problem in a nutshell: Paying humans to verify certificate-holder identities is expensive, but there's no other way to reliably verify an identity.”

CAs themselves recognized the time and resources that a more painstaking verification of certificate holder identity requires: that is where the idea of extended validation (EV) SSL certificates came from. When EV certificates were rolled out several years ago, the thinking was to charge more for a more extensive check on the certificate holder and, in return, display a color-coded "green bar" in the browser address bar to indicate that the site is protected with an EV SSL certificate.

“Granted, when you do the extended validation, you get that fantastic green badge in your browser, and in that case they do want some documentation proving that in some way you're affiliated with this business and you've got some papers to show it. And it's a little more rigorous process -- which is the way it used to be just to get a domain,” Wisniewski says. “But even that isn’t foolproof.”

The cost of EV SSL certificates, for example, may still be seen as prohibitive, which can lead to "mixed content" in the sense that some pages of a site are protected with EV SSL certificates, some with plain-vanilla domain-validated certificates, and some not encrypted at all. This all-too-common problem frequently leads to vulnerabilities within sites and shows that both CAs and site owners bear responsibility in the complicated SSL ecosystem.
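The distinction the article draws between domain-validated, "green bar" EV and unencrypted pages can be checked programmatically: a DV certificate carries little more than a common name, while OV and EV certificates carry organization and (for EV) jurisdiction and registration fields, plus a policy identifier. The following is an added example, not code from the article or from any CA or vendor it mentions. It classifies a certificate from the `subject` structure that Python's `ssl.SSLSocket.getpeercert()` returns, and then audits a site's pages against a chosen baseline in the sense the article uses for "mixed content" (pages with weaker or no certificates). The sample certificates, the `certificatePolicies` key, the site map and the hostnames are constructed for the example; `getpeercert()` itself does not expose the policy extension, so a real tool would read that with a full X.509 parser.

```python
"""Classify the validation level a server certificate claims, and find pages
on a site that fall below a baseline. Added example; the certificate dicts
below are constructed by hand in getpeercert() format, not captured data."""
import socket
import ssl

# CA/Browser Forum EV policy identifier. Browsers of the period also keyed
# on per-CA EV OIDs; this example only recognizes the common one.
CABF_EV_POLICY_OID = "2.23.140.1.1"

# Subject attributes that appear only after a CA has vetted a legal entity,
# not merely control of a domain name.
EV_ONLY_FIELDS = {"jurisdictionCountryName", "businessCategory", "serialNumber"}

# Ordering used by the audit: "none" means the page is served over plain HTTP.
RANK = {"none": 0, "DV": 1, "OV": 2, "EV": 3}


def subject_to_dict(subject):
    """Flatten getpeercert()'s subject (a tuple of RDN tuples) into a dict."""
    out = {}
    for rdn in subject:
        for name, value in rdn:
            out[name] = value
    return out


def classify_validation(cert):
    """Return 'EV', 'OV' or 'DV' for a cert dict in getpeercert() format.

    'certificatePolicies' is an assumed extra key holding policy OID strings;
    the stdlib does not populate it.
    """
    subj = subject_to_dict(cert.get("subject", ()))
    policies = set(cert.get("certificatePolicies", ()))
    has_org = "organizationName" in subj
    if has_org and (CABF_EV_POLICY_OID in policies or EV_ONLY_FIELDS & subj.keys()):
        return "EV"
    if has_org:
        return "OV"
    # Only a common name (or nothing identifying at all): the CA asserted
    # domain control, not who operates the site.
    return "DV"


def summarize(cert):
    """Pull out what a reviewer wants to see: names covered, org, issuer, level."""
    subj = subject_to_dict(cert.get("subject", ()))
    issuer = subject_to_dict(cert.get("issuer", ()))
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "names": names,
        "organization": subj.get("organizationName"),
        "issuer": issuer.get("organizationName"),
        "validation": classify_validation(cert),
    }


def weak_pages(site, baseline="OV"):
    """Given {url: cert-or-None}, list (url, level) pairs below the baseline."""
    weak = []
    for url, cert in site.items():
        level = "none" if cert is None else classify_validation(cert)
        if RANK[level] < RANK[baseline]:
            weak.append((url, level))
    return sorted(weak)


def fetch_peer_cert(host, port=443):
    """Live helper (not exercised offline): return the server cert as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (hostnames under the reserved .test TLD).
DV_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("organizationName", "Example DV CA"),),),
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "www.shop.example.test")),
}
OV_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Shop Inc"),),
                (("commonName", "shop.example.test"),)),
    "issuer": ((("organizationName", "Example OV CA"),),),
    "subjectAltName": (("DNS", "shop.example.test"),),
}
EV_CERT = {
    "subject": ((("jurisdictionCountryName", "US"),), (("businessCategory", "Private Organization"),),
                (("serialNumber", "1234567"),), (("countryName", "US"),),
                (("organizationName", "Example Shop Inc"),), (("commonName", "shop.example.test"),)),
    "issuer": ((("organizationName", "Example EV CA"),),),
    "subjectAltName": (("DNS", "shop.example.test"),),
    "certificatePolicies": (CABF_EV_POLICY_OID,),
}
SITE = {  # constructed site map: checkout is EV, the account page DV, the help page plain HTTP
    "https://shop.example.test/checkout": EV_CERT,
    "https://shop.example.test/account": DV_CERT,
    "http://shop.example.test/help": None,
}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        print(summarize(cert))
    print(weak_pages(SITE, baseline="OV"))
```

The classifier errs toward DV: an EV policy OID without an organization name is not treated as EV, because identity fields are the whole point of the higher tiers. In practice the audit only tells you what the CA claims to have checked; as the article's sources point out, whether that check was actually performed is a question about the CA's process, not something the certificate can prove.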

Comments
EChickowski921,
User Rank: Apprentice
1/26/2012 | 11:44:29 PM
re: Is SSL Cert Holder ID Verification A Joke?
Good points, Josh. That's exactly what Chet at Sophos was venting about when we chatted about these issues prior to this story. There was a time when the verification that went into EV certs was just what it took to get a cert validated.
joshbw,
User Rank: Apprentice
1/25/2012 | 4:09:58 PM
re: Is SSL Cert Holder ID Verification A Joke?
One of the many, many things that undermines trust in Comodo is when they visibly and obviously astroturf a comment thread. The various breaches at CAs, such as the breach at Comodo, also call into question whether you can trust Comodo. In fact the only reason Comodo has any business is because they are guilty of selling $15 domain validated certs without any due diligence - exactly the behavior that the article rails against.

Anyway, enough bashing Comodo and their transparent comments here - what I find ludicrous is that a person has to pay a handsome premium to get EV certs, when all the EV means is that the CA actually tried to verify who they were giving the cert to... You know, what a CA should ALWAYS be doing. There shouldn't be domain validated and extended validated certs - there should just be properly validated recipients in all cases. It's sad that a premium must be paid to get CAs to do what they always should be doing.
JJ1819,
User Rank: Apprentice
1/25/2012 | 12:28:59 PM
re: Is SSL Cert Holder ID Verification A Joke?
An important motivation for using an SSL cert is to add trust online. Only certificates which have authority can add trust. Comodo has authorized SSL certs.
MS8699,
User Rank: Apprentice
1/25/2012 | 11:18:50 AM
re: Is SSL Cert Holder ID Verification A Joke?
I agree with Mya that COMODO provides SSL certificates for e-commerce businesses to enhance online business.
Mya,
User Rank: Apprentice
1/24/2012 | 10:04:43 AM
re: Is SSL Cert Holder ID Verification A Joke?
SSL certificates should be established in e-commerce businesses, and they are also important for money-transaction-oriented businesses. I also agree with joes12 that COMODO maintains the highest level of security and trust with visitors; it was very effective for my business transactions as well.
joes12,
User Rank: Apprentice
1/24/2012 | 8:38:24 AM
re: Is SSL Cert Holder ID Verification A Joke?
Obtaining an Extended Validation SSL certificate requires a rigorous validation performed by Comodo, a registered Certificate Authority (CA). This is required to ensure that the company behind the site meets the Extended Validation standard. These strict validation guidelines help keep the green address bar associated with only trusted organizations to maintain the highest level of security and trust with visitors.