
1/24/2012 12:55 AM

Is SSL Cert Holder ID Verification A Joke?

Some complain that certificate authorities don't do enough to verify identities for 'domain-validated' certificates

With the release of the BEAST exploit and subsequent scrambling by browser vendors to close up vulnerabilities against SSL authentication, many Web authentication discussions have been focused on the SSL/TLS protocol’s weaknesses in recent months. As some IT professionals explain, though, some of the biggest problems with SSL have nothing to do with the technology. Instead, the woes are attributed to poor practices.

According to some, one finger should be pointed at certificate authorities (CAs), which they say need to do a better job confirming the identity of certificate holders in order to bolster the trust placed in SSL certificates.

“SSL has been burdened with procedural failures, not technical ones. The issue is simple in concept, and complicated in execution: Verifying a user's identity can't be done reliably by a machine,” says Bill Horne, who runs William Warren Consulting. “At some point, anyone who is trying to convince Web users that their PKI certificate is valid must venture into meatspace and show up before a neutral third party to prove that they -- or their company -- are entitled to use the name that's on their X.509 PKI certificate.”

Chet Wisniewski, senior security adviser at Sophos, echoes Horne’s sentiments, stating that he doesn’t think the SSL protocol is broken, aside from its reliance on the antiquated model of central CAs.

“The methods they use to verify your identity are a bit of a joke. You can get an SSL certificate for just about anything. For $19, which is what these certs cost, they're domain-validated, which just doesn't mean a lot,” he says. “As far as I'm concerned, having those certs there is better than nothing because it protects you against things like Firesheep. But they should be free, and the fact that they say they validate who [the certificate holders] say they are -- it’s just horse manure.”

Horne believes many CAs have chosen to pretend that it’s possible to automate the critical step of verifying a certificate holder’s identity.

“It isn't, but it's a lot more profitable to pretend that it is,” he says. “That's the economic problem in a nutshell: Paying humans to verify certificate-holder identities is expensive, but there's no other way to reliably verify an identity.”

In fact, CAs realized how much time and resources it takes to verify certificate holder identities more painstakingly: That’s where the whole idea of extended validation (EV) SSL certificates came from. When they were rolled out several years ago, the idea was to charge more for a more extensive check on the certificate holder and to offer a color-coded "green bar" in the browser address bar indicating that the site is protected with an EV SSL certificate.

“Granted, when you do the extended validation, you get that fantastic green badge in your browser, and in that case they do want some documentation proving that in some way you're affiliated with this business and you've got some papers to show it. And it's a little more rigorous process -- which is the way it used to be just to get a domain,” Wisniewski says. “But even that isn’t foolproof.”

For example, the cost of these EV-SSL certificates may still be seen as prohibitive and can lead to issues of "mixed content," where some pages of a site may be protected with EV-SSL certificates, some with plain-vanilla certificates and some not encrypted at all. This is an all-too-common problem that frequently leads to vulnerabilities within sites and shows that both the CAs and site owners bear responsibility in the complicated SSL ecosystem.
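The distinction the article draws between domain-validated and extended-validation certificates is recorded in the certificate itself. As an added example (not from the article or the people quoted in it), this Go program reads the validation level a certificate claims from the CA/Browser Forum policy OIDs in its certificatePolicies extension and, when no such OID is present, infers it from whether the Subject names an organization at all. The certificates it inspects are constructed, self-signed throwaways; the OIDs and the extension layout are the real ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// ValidationLevel reports the identity assurance a leaf certificate claims, using the
// CA/Browser Forum policy OIDs a CA places in the certificatePolicies extension.
// Without one it falls back to the Subject: a DV cert binds a key to a hostname only.
func ValidationLevel(cert *x509.Certificate) string {
	for _, p := range cert.PolicyIdentifiers {
		switch p.String() {
		case "2.23.140.1.1":   return "EV" // extended validation
		case "2.23.140.1.2.2": return "OV" // organization-validated
		case "2.23.140.1.2.1": return "DV" // domain-validated
		}
	}
	if len(cert.Subject.Organization) == 0 {
		return "DV?" // no policy OID and a bare hostname: nobody vetted the holder
	}
	return "OV?" // names an organization but declares no CA/B policy
}

// selfSigned builds a constructed, throwaway certificate for this demo only.
func selfSigned(subject pkix.Name, policy asn1.ObjectIdentifier) *x509.Certificate {
	// certificatePolicies (2.5.29.32) is a SEQUENCE OF PolicyInformation{policyIdentifier}.
	val, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{policy}})
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	dv := selfSigned(pkix.Name{CommonName: "example.com"}, asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1})
	ev := selfSigned(pkix.Name{CommonName: "example.com", Organization: []string{"Example Corp"}}, asn1.ObjectIdentifier{2, 23, 140, 1, 1})
	fmt.Println(ValidationLevel(dv), ValidationLevel(ev)) // DV EV
}
```

Run against a real server's leaf certificate, the same function tells you whether the CA claims to have checked anything beyond control of the domain name.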


Comments

Ericka Chickowski, User Rank: Moderator
1/26/2012 | 11:44:29 PM
re: Is SSL Cert Holder ID Verification A Joke?
Good points, Josh. That's exactly what Chet at Sophos was venting about when we chatted about these issues prior to this story. There was a time when the verification that went into EV certs was just what it took to get a cert validated.

joshbw, User Rank: Apprentice
1/25/2012 | 4:09:58 PM
re: Is SSL Cert Holder ID Verification A Joke?
One of the many, many things that undermines trust in Comodo is when they visibly and obviously astroturf a comment thread. The various breaches at CAs, such as the breach at Comodo, also call into question whether you can trust Comodo. In fact the only reason Comodo has any business is because they are guilty of selling $15 domain validated certs without any due diligence - exactly the behavior that the article rails against.

Anyway, enough bashing Comodo and their transparent comments here - what I find ludicrous is that a person has to pay a handsome premium to get EV certs, when all the EV means is that the CA actually tried to verify who they were giving the cert to... You know, what a CA should ALWAYS be doing. There shouldn't be domain validated and extended validated certs - there should just be properly validated recipients in all cases. It's sad that a premium must be paid to get CAs to do what they always should be doing.

JJ1819, User Rank: Apprentice
1/25/2012 | 12:28:59 PM
re: Is SSL Cert Holder ID Verification A Joke?
An important motivation for using an SSL cert is to add trust online. Only certificates which have authority can add trust. Comodo has authorized SSL certs.

MS8699, User Rank: Apprentice
1/25/2012 | 11:18:50 AM
re: Is SSL Cert Holder ID Verification A Joke?
I agree with Mya that COMODO provides SSL certificates for e-commerce businesses to enhance online business.

Mya, User Rank: Apprentice
1/24/2012 | 10:04:43 AM
re: Is SSL Cert Holder ID Verification A Joke?
SSL certificates should be established in e-commerce business, and they are also important for money-transaction-oriented businesses. I also agree with joes12 that COMODO maintains the highest level of security and trust with visitors; it was very effective for my business transactions also.

joes12, User Rank: Apprentice
1/24/2012 | 8:38:24 AM
re: Is SSL Cert Holder ID Verification A Joke?
Obtaining an Extended Validation SSL certificate requires a rigorous validation performed by Comodo, a registered Certificate Authority (CA). This is required to ensure that the company behind the site meets the Extended Validation standard. These strict validation guidelines help keep the green address bar associated with only trusted organizations to maintain the highest level of security and trust with visitors.