18

This is what I understand so far from reading various knowledge bases and articles about DV SSL. Can anyone please help clarify if any of these is wrong?

  • DV SSL (and SSL certificate in general) is only associated with a domain name, not the IP address configured under DNS for that domain. Hence if I change the IP on my domain's A record I don't need to repurchase another SSL certificate
  • Most DV SSL providers (eg: GoDaddy) will verify domain name ownership by sending an email to the address registered in the domain 'whois' record
  • Although DV SSL is the 'lowest end' of SSL certification, as long as the private key and the email password did not fall into the wrong hand, no hacker should be able to register a DV SSL for my domain and / or setup a fake phishing website under my domain name without the browser warning the user for possible attack
techraf
  • 9,141
  • 11
  • 44
  • 62
gerrytan
  • 283
  • 1
  • 2
  • 6

3 Answers3

17

A Certification Authority, before issuing a certificate to an entity E, with E's name and E's public key in the certificate, is supposed to verify that the public key in question really belongs to E. For SSL server certificate:

  • E's name is a host name, like www.google.com, possibly with a "wildcard" (*.google.com). This is what SSL clients verify; this is all about names, not IP addresses.
  • The public key is received by the CA as a certificate request.

So the notion of "identity" in force here is really a question of domain ownership. The CA wants to make sure that it received the request from someone who controls the domain. There are several methods for that; the two most used are the following:

  • The CA sends a challenge by email to the email address specified for the domain in the WHOIS database.
  • The CA challenges the requester with some information to be included in the domain, e.g. a random host name to be included in the DNS.

These checks are not extremely robust (they rely on the "impossibility" to hack into, respectively, emails or the DNS, neither being well protected) so there is a recent fashion for stronger verifications, called Extended Validation Certificates. For an EV certificate, the CA is supposed to do a lot more paperwork to make sure that it talks to the right entity. Retrospectively, non-EV certificates are dubbed "DV" (as "domain validated").

The net effect of an EV certificate is that Web browsers recognize them as such, and may show that fact to the human user with a more lavish display, with a lot of green. But non-EV certificates technically work just as well. An EV certificate is worth the effort only if your users are trained to recognize EV certificates and feel more comfortable with an EV certificate than they would with a "normal" certificate (which is still shown with the famous "padlock" icon). Right now, I'd say that most Internet users are far from being aware of the distinction, so buying an EV certificate is kind of useless.

(EV certificates will become useful when they become mandatory, i.e. when Web browsers begin to reject or warn about SSL server certificates which seem valid but are not tagged "EV". This is a rather tough transition and I don't see it happening in the near future.)

For a bad guy to obtain a seemingly valid certificate with your server name in it (the prerequisite for mounting a really successful impersonation attack), he must do one of the following:

  • Fool the CA. Fooling the CA is harder for EV certificates (that's the point). However, even if you get an EV certificate, it would not prevent the attacker from obtaining a non-EV certificate in your name from a gullible CA. An EV certificate will protect you against sloppy CA only as long as your clients are trained to pause and become suspicious if they see a seemingly valid but non-EV certificate bearing your site name. This hardly seems realistic right now.

  • Steal your private key. If an attacker steals your private key, then he can use it with your certificate (which is public) to install his fake server. EV or non-EV is irrelevant here; what matters is that you should protect your private key well. If your server is broken into, inform the CA so that it may revoke your certificate, and issue you another one (with a new key).

  • Fool the human user into disregarding the very red and scary warnings from the browser when an invalid certificate is shown. You cannot really defend against that, except through educating your users. The warnings shown by Web browsers tend to increase in scariness (and redness, too) over time.

  • Fool the human user into connecting to an attacker-owned domain with a perfectly valid certificate, and a name which looks like the intended server name. E.g. www.gogle.com or www.google.business.com instead of www.google.com (fictitious examples). There again, only user education can really work against that.

Most phishing attacks are based on one of the last two methods, so this means that you should not be overly worried over the DV/EV dichotomy. The really important point for security is user education.

Community
  • 1
Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • "_An EV certificate will protect you against sloppy CA only as long as your clients are trained to pause and become suspicious if they see a seemingly valid but non-EV certificate bearing your site name._" and by client, you mean client software, right? – curiousguy Aug 27 '13 at 14:40
  • 1
    More human users than client software, here. Software has no real way to _know_ that a given site ought to have an EV certificate, and not a "normal" certificate. – Thomas Pornin Aug 27 '13 at 14:49
  • 2
    What about a browser who has just seen an EV certificate, who sees another cert? – curiousguy Aug 27 '13 at 16:50
  • Right now, Web browsers validate certificates as if it was a whole new site every time. They don't have _memory_. [Convergence](http://convergence.io/) is a proposal which, in part, relies on the idea that normal Web sites don't switch certificates every 5 minutes, and raise alarms in case such a thing apparently occurs. A stock browser, though, won't mind in any way. Such features _might_ appear in browsers in the future, but browser vendors are wary of breaking multi-frontend sites, and therefore won't make much effort until this becomes really necessary. – Thomas Pornin Aug 27 '13 at 16:56
  • 1
    @ThomasPornin, Google's cert is DV right? Seems like EV is really not the future, especially with Google being [hopping mad](http://www.theregister.co.uk/2015/03/24/google_ssl_cnnic/) with CAs. – Pacerier May 22 '15 at 03:43
  • @mikemaccana, Did you mean to say something about that quote? – Chris Murray Aug 21 '15 at 10:15
3

Domain-validated SSL certificates (DV) are technically the same as extended-validation certificates (EV).

The reason, EV-certificates are more expensive is, that apart from the domain name, the seller also has to check further informations about your identity. To verify that you really are the owner of google.com he needs to contact you and has to do other administrative work.

For most smaller websites the domain-validated certificate is fine, the user will have no disadvantages and the EV-certificates are really too expensive in my opinion (the effort doesn't justify the price).

martinstoeckli
  • 5,149
  • 2
  • 27
  • 32
  • How much more would we have to pay on average for EV? – Pacerier May 22 '15 at 03:45
  • @Pacerier - The prices vary very much and are dependend of your country. I can only speak for switzerland, there you can buy a domain validated certificate for about 50$ per year, and you get an ev certificate for 300-1200$ per year. – martinstoeckli May 22 '15 at 06:52
  • Wow $1200, talk about selling stones as diamonds. – Pacerier May 22 '15 at 10:58
3

The current answer has some inaccuracies:

  • EV SSL matches identity to the public key in the certificate
  • DV SSL does not

All domain validated SSL does is prove you have a domain name. A DV SSL cert makes no connection between a legal entity and the certificate.

In the current answer:

no hacker should be able to register a DV SSL for my domain and / or setup a fake phishing website under my domain name without the browser warning the user for possible attack

This isn't correct:

  • Someone could register yourdomainlogin.com, or yourdomain.com.tld. Here are domain validated certs being issued for https://google.com.mg and https://google.com.im.

  • Anyone else could register *.otherdomain.com. Then later add the host yourdomaincom.otherdomain.com. This is how phishing scams work. Wildcards like this are allowed for DV SSL, and forbidden for EV.

  • Yes, really. You can get a domain validated certificate for a domain like somecompanysupport.com, even though you have nothing to do with Some Company, and it's considered fine.

From the current marked answer:

"the entity's name is a host name, this is what SSL certificates verify"

Is only correct for domain validated certificates. The subject - what an SSL certificate is verifying owns the public key in the certificate may either be:

  • a domain name (or wildcard domain) for domain validated certificates. Again, domain validated SSL does not assert that this matches any particular legal entity.

  • the ID of a business or incorporated organization that was verified with a EV certificate

From https://certsimple.com/blog/are-ev-ssl-certificates-worth-it:

Looking at domain validated certificate:

openssl x509 -in domain-validated-example.com.crt -noout -text | grep Subject
 OU=Domain Control Validated
 CN=billing.example.com
 DNS:billing.example.com

Here is an EV cert, containing a government-registered company ID rather than a domain name:

openssl x509 -in extended-validated-example.com.crt -noout -text | grep Subject:
   jurisdictionOfIncorporationCountryName=GB
   businessCategory=Private Organization
   serialNumber=09378892
   C=GB
   ST=City of London
   L=London
   O=example Limited
   CN=billing.example.com
   DNS:billing.example.com -

Companies in the UK are registered with a UK-wide organization called Companies House. The serialNumber 09378892 in the certificate above is a company registration number from Companies House.

In the USA, organisations are registered on a per-state basis, so serialNumbers in US certificates refer to a company ID at the relevant Secretary of State.

mikemaccana
  • 413
  • 3
  • 14
  • While this is true, that EV certs are against both the domain and organisation, the browser does not actually verify that it's owned by the correct company. The browser can only check that the cert's domain is the same as the actual domain visited, it cannot check that the cert's serial number actually represents the correct company. It's meant more for the human at the computer to be able to check and verify who owns the domain. – Chris Murray Aug 21 '15 at 10:21
  • I don't think the wildcard is relevant when you talk about setting up a phishing domain name. There's no reason why I wouldn't be able to set up google.com.example.com and apply for a EV cert to cover that domain. And it's important to point out that doing this will not grant me a cert for the OPs domain; the cert will be for my domain, which is deliberately set up to look like the OPs. – Chris Murray Aug 21 '15 at 10:26
  • @ChrisMurray yes, the browser does not verify the certificate is owned by the correct company: **the browser verifies that the certificate has been signed by a CA who has verified the identity of the company**. – mikemaccana Aug 21 '15 at 15:51
  • There are two specific reasons why couldn't set up 'google.com.example.com and apply for a EV cert' 1. If you tried to register that directly, the EV requirements mandate human inspection of all domain names and it would be rejected 2. Wildcards are banned for EV for this reason. – mikemaccana Jan 14 '16 at 11:22