N/A - VU#591120

Executive Summary

Summary
Title	Multiple SSL certificate authorities use predefined email addresses as proof of domain ownership

Informations
Name	VU#591120	First vendor Publication	2015-03-27
Vendor	VU-CERT	Last vendor Modification	2015-04-07
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score	Not Defined	Attack Range	Not Defined
Cvss Impact Score	Not Defined	Attack Complexity	Not Defined
Cvss Expoit Score	Not Defined	Authentication	Not Defined
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#591120

Multiple SSL certificate authorities use predefined email addresses as proof of domain ownership

Original Release date: 27 Mar 2015 | Last revised: 07 Apr 2015

Overview

Multiple SSL certificate authorities may issue certificates to a customer based solely on the control of certain email addresses. This may allow an attacker to obtain a valid SSL certificate to perform HTTPS spoofing without generating a warning in the client software.

Description

When a client such as a web browser accesses a resource using HTTPS, which subsequently uses SSL or TLS for encryption and authentication, the client is supposed to verify the certificate provided by the server. In particular, the client verifies that the certificate was issued by a root certificate authority (CA) that is trusted. This trust relationship relies upon the belief that the root certificate authorities have sufficiently verified that the individual requesting a certificate is doing so on behalf of the domain owner.

Many root CAs use the concept of "domain-authenticated" or similarly-named SSL certificates. These certificates may be issued with minimal proof of domain ownership. In some cases, an SSL certificate is provided simply based on the ability to use certain email addresses at the domain in question. According to RFC2142, the email address that should be used for DNS-related services should be hostmaster. According to the Mozilla CA Certificate Inclusion Policy as well as the CA/Browser Forum baseline requirements documents, the control of the addresses admin, administrator, webmaster, hostmaster, and postmaster can be used to prove domain ownership. However, some root CAs allow other email addresses to serve as proof of domain ownership. For example, a user who operates the email address ssladministrator@example.com may be able to obtain an SSL certificate for example.com.

Aside from EV certificates, the browser displays no difference between domain-authenticated certificates and certificates that were obtained through additional validation. For example, GeoCerts offers both domain-authenticated certificates and fully-authenticated certificates. However, from a client (e.g. web browser) perspective, there is no difference at all between the two certificates.

Domains of sites that are used for email purposes are at increased risk. If a user can register the email address of any one of the available addresses accepted by a single root CA for the purpose of domain-authenticated SSL certificates, then that user may be able to purchase a valid SSL certificate for that domain. We are unaware of a comprehensive list of email addresses accepted for domain-authenticated SSL certificates, but here is the policy used by Comodo. SSL resellers such as BuyHTTP list additional email addresses that can be used for email authentication for SSL certificate purchases.

Update: Upon further investigation, it appears that the SSL resellers that list email addresses outside of the five addresses listed in the CA/Browser BR document may be listing out-of-date guidance. In particular, that those email aliases may have been accepted by their upstream root CAs in the past for issuing certificates. However, we cannot rule out the possibilities that an attacker has used such an email to obtain a fraudulent certificate in the past using such an email address, or that there is at least one root CA that will currently accept a non-whitelisted email address as domain ownership validation.

Impact

An attacker may be able to obtain a certificate for a domain that somebody else owns. With such a certificate, the attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering client certificate warnings.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:

Block access to sensitive accounts

Sites that provide email accounts to users should restrict the ability to create email accounts that are trusted by root CAs. At the very least, users should not be able to create the email addresses for admin, administrator, webmaster, hostmaster, and postmaster. BuyHTTP lists those addresses as well as root, ssladmin, sysadmin, info, is, it, mis, ssladministrator, and sslwebmaster. If users have already created accounts that match up to these special names, those accounts should be disabled. Failure to do so can result in a user being able to obtain an SSL certificate for the domain in question.

Note that the above list of email addresses is not necessarily comprehensive. There may be at least one root CA that supports at least one additional email address as proof of domain ownership.

Vendor Information (Learn More)

The vendors listed as "affected" here are CAs that provide email-authenticated domain-validated SSL certificates. Although the CA/Browser Forum baseline requirements documents list email authentication using predefined aliases as a valid form of domain validation (section 11.1.1), CERT's stance is that such email authentication is not sufficient proof of domain ownership. Email providers that may be affected by fraudulent acquisition of SSL certificates by email are not listed here.

Vendor	Status	Date Notified	Date Updated
Actalis	Affected	-	26 Mar 2015
CERTUM	Affected	-	26 Mar 2015
COMODO Security Solutions, Inc.	Affected	-	26 Mar 2015
ComSign	Affected	-	26 Mar 2015
e-tugra	Affected	-	26 Mar 2015
GeoTrust	Affected	-	27 Mar 2015
GlobalSign	Affected	-	26 Mar 2015
GoDaddy	Affected	-	26 Mar 2015
OATI	Affected	-	26 Mar 2015
QuoVadis	Affected	-	26 Mar 2015
RapidSSL	Affected	-	26 Mar 2015
StartCom Ltd.	Affected	-	26 Mar 2015
SwissSign AG	Affected	-	26 Mar 2015
Thawte	Affected	-	26 Mar 2015
Trustwave	Affected	-	26 Mar 2015

If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group	Score	Vector
Base	6.4	AV:A/AC:M/Au:N/C:C/I:P/A:N
Temporal	6.4	E:H/RL:U/RC:C
Environmental	6.4	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

https://www.ietf.org/rfc/rfc2142.txt
https://www.schneier.com/paper-pki-ft.txt
https://wiki.mozilla.org/CA:IncludedCAs
https://support.apple.com/en-us/HT204132
http://social.technet.microsoft.com/wiki/contents/articles/14215.windows-and-windows-phone-8-ssl-root-certificate-program-member-cas.aspx
https://intrepidusgroup.com/insight/2008/12/more-than-one-way-to-skin-a-ca/
https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-zusman-hacking_pki.pdf
http://www.theregister.co.uk/2011/04/11/state_of_ssl_analysis/
http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authenticity/
https://groups.google.com/d/topic/mozilla.dev.security.policy/huhtdBOEyas
http://news.slashdot.org/story/10/04/18/1218212/Become-an-SSLAdmin-In-a-Few-Easy-Steps
https://raymii.org/s/blog/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html
http://arstechnica.com/security/2015/03/bogus-ssl-certificate-for-windows-live-could-allow-man-in-the-middle-hacks/
https://kurt.seifried.org/2010/04/20/verisign-certificate-authority-finally-fixes-part-of-the-domain-verification-problem/
http://betanews.com/2010/03/31/security-researcher-trivially-easy-to-buy-ssl-certificate-for-domain-you-don-t-own/
http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/ssl-landscape-trento.pdf
http://en.wikipedia.org/wiki/CA/Browser_Forum
https://cabforum.org/
https://bugzilla.mozilla.org/show_bug.cgi?id=477783
https://bugzilla.mozilla.org/show_bug.cgi?id=556468
http://www.darkreading.com/endpoint/authentication/is-ssl-cert-holder-id-verification-a-joke/d/d-id/1136978?
https://www.trustico.com/validation/how-fast-is-my-ssl-certificate-issued.php
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/791/16/alternative-methods-of-domain-control-validation-dcv
https://support.his.com/supp/kb/article/400-Email_Authentication_for_Domain_validated_SSL_certificates
http://account.buyhttp.com/knowledgebase/753/Which-email-address-can-approve-SSL-certificate-order.html
http://certum.eu/certum/cert,offer_Commercial_SSL.dxml?MEDIA=pdf
http://evssl.com.ua/docs/thawte/enroll_ssl123_eng.pdf
http://host.dynamicwebhost.net/features/approvedemail.htm
https://www.geocerts.com/api_spec.pdf
https://www.onestepssl.com/onestepssl_validation_process.php
http://www.domainpurpose.com/ssl-faqs.htm
http://kb.canvashost.com/?p=935

Credit

This document was written by Will Dormann.

Other Information

CVE IDs:Unknown
Date Public:31 Dec 2008
Date First Published:27 Mar 2015
Date Last Updated:07 Apr 2015
Document Revision:99

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/591120

Alert History

If you want to see full details history, please login or register.

Date	Informations
2015-04-07 21:26:08	Multiple Updates
2015-04-07 17:25:33	Multiple Updates
2015-04-03 05:24:35	Multiple Updates
2015-04-02 13:25:14	Multiple Updates
2015-04-02 05:24:34	Multiple Updates
2015-04-01 17:20:35	Multiple Updates
2015-04-01 00:24:35	Multiple Updates
2015-03-31 17:24:57	Multiple Updates
2015-03-31 13:25:46	Multiple Updates
2015-03-31 05:24:42	Multiple Updates
2015-03-31 00:24:40	Multiple Updates
2015-03-30 21:25:28	Multiple Updates
2015-03-28 00:24:45	Multiple Updates
2015-03-27 21:25:24	Multiple Updates
2015-03-27 17:24:58	First insertion