Security spotlight


SSL domain authentication needs improvement

Should we really be taking the domain owner's word for it?


In her Dark Reading article, "Is SSL Cert Holder ID Verification a Joke?", Ericka Chickowski discusses whether certificate authorities do enough identity checking for Domain Validated (DV) certificates. I am myself perhaps notorious for writing that it's not a joke, it's a farce.

Domain Validated certificates are typically issued with the same vetting that you'd use to subscribe to an email list — a simple response to an email is good enough. Sometimes an email response is just fine; for example, a certificate for S/MIME email would hardly need more than proving you own the email address. But for an SSL certificate, this is barely better than just taking the applicant's word for it.

I think Chet Wisniewski of Sophos has it pretty much correct when he says, "…the fact that they say they validate who [the certificate holders] say they are, it’s just horse manure". If it were up to me, I'd solve the issue by not having the browser light the lock for a DV certificate.

Entrust doesn't issue Domain Validated certificates at all. We issue only the more rigorous Organization Validated certificates and Extended Validation certificates (a.k.a. Green Bar certificates). Entrust vets the identity and ownership of the domain against a variety of databases before issuing a certificate for a domain. I got Entrust certificates for my personal domains, and there was an impressive check I had to go through.

There is even more checking done for EV certs. Not only is there a more rigorous check, but the CA has to have better operations. For example, if revocation checks don't come back with an affirmative in just a couple of seconds, the browser does not light the green bar (or at least is not supposed to; I'm not going to claim that every browser is bug-free).

The domain itself also needs to make sure that it protects all content, or again, the browser downgrades the connection. This is the only place I'd disagree with the article. If there are these sorts of setup problems on an EV-protected site, the browser drops the EV signals. There's a lot of variation in how different browsers handle the different edge conditions — I've been testing them myself, and those variations will make a great blog post.

Nonetheless, the basic thrust of the article is spot on. DV certs are barely worth the bits they're written with, and we would all be better off if they didn't give an indication of trust in the browser (the lock) when there's no real vetting done.


Jon Callas is a renowned information security expert and CTO of Entrust. Jon previously co-founded PGP Corporation and was its CTO, and also served a stint as Security Privateer for Apple. His work in security policy supported the end of US cryptography export restrictions and helped secure the modern Internet.
