22

I have a domain, where some other users have access to upload files, use email, use XMPP, etc.

How can I prevent that these users go to a certificate authority and get a certificate for my domain? Unless the CA requires personal contact, how do they technically proof ownership of a domain?

(Assuming a somewhat "trusted" CA, i.e., one in the lists of browsers. This is not about how they should do it, but how they are or might be doing it in practice. One CA with a weak process would be sufficient for being compromised.)

For example:

  • Should I disallow uploading/editing files in a specific location, with a specific name? Is there some kind of reserved file location/name for owner verification?
  • Should I disallow giving out specific email adresses? Are there reserved addresses used by CAs?
    • Or is the email address from the Whois used? But what if there is no email specified?
  • Should I disallow giving out specific Jabber IDs? Do any CAs use XMPP at all?
  • Any other protocols that might be used? Something in the DNS?

(This question is related, but it’s about attackers that shouldn’t have access to the server in the first place. In my case, however, I want to give access to people; I just want to be sure what I shouldn’t allow them to do.)

Community
  • 1
unor
  • 1,769
  • 1
  • 19
  • 38

2 Answers2

39

Update: It seems like a Finnish man was able to demonstrate this "attack" by issuing a certificate for the domain live.fi by having the address hostmaster@live.fi.

Last year, I made a bet with a friend that I can get a browser-trusted certificate with his domain name in order to launch a successful MiTM attack on his login form to steal his password. Long story short: I lost the bet; I wasn't able to convince any of the 16 CAs I contacted that I'm the legitimate owner of the domain. Even though I had an email account on his mail server and had FTP access to a user directory under the WWW directory.

Let's go back a little. What do CAs do before issuing you a basic certificate? They have a process called Domain Control Validation (DCV). The good news is that DCV makes it difficult for somebody to issue a certificate on your behalf. The bad news is that each CA can make custom amendments and modifications to the DCV, which makes it impossible to tell which CA will be the weakest link.

Generally speaking, CAs use one of the following methods:

1. Domain Email Validation: They will send you a verification link/code to one of the following email addresses:

  • Whatever email you have in the WHOIS records (if you have WHOIS privacy, they'll ask you to contact your registerer and setup email forwarding).
  • admin@YourDomain
  • administrator@YourDomain
  • hostmaster@YourDomain
  • root@YourDomain
  • webmaster@YourDomain
  • postmaster@YourDomain


2. Domain CNAME Validation: They will ask you to create a custom CNAME entry. It usually involves hashes of your Certificate Signing Request (CSR) or a randomly-generated key of their choice. An example of such entry is

<MD5(CSR)>.yourdomain.com.  CNAME  <SHA1(CSR)>.CA.com


3. HTTP Request Validation: They will ask you to upload a specific text file to the root of your domain. The file should be accessible with the following HTTP request

http://YourDomain/<MD5(CSR)>.txt

And it should contain SHA1(CSR).

Interesting findings: During my "challenge", I managed to get one CA (SSL.COM) to agree on uploading the text file to Domain/MyUserName/Something.txt and email me the verification link to MyUserName@Domain. However, they insisted that they must verify me with a phone call to the number in the WHOIS records. I also found out that some CAs require a phone as a first-step verification, even before the email verification. Such CAs don't issue certificates for domain names using privacy options.

So, to directly answer your question, prevent your users from creating special email addresses (mentioned above. You also might want to add it@, hostadmin@, etc; prevent your users from creating CNAME entries; and, finally, prevent them from adding files to the root of your domain.

Note: Just because 16 CAs turned out to be good, it doesn't mean that there aren't ones out there that are willing to compromise in the name of "customer convience".

Adi
  • 43,808
  • 16
  • 135
  • 167
  • I wonder what they (SSL.COM) would have done if the Whois doesn’t provide the telephone number resp. an email address (not because of Whois privacy, but because some TLDs don’t require/show these, for example `.de`). – unor Mar 15 '14 at 12:33
  • 5
    That story deserves a wider audience - like ArsTechnica or Hackernews. Did you do a writeup? – scuzzy-delta Mar 15 '14 at 12:42
  • 3
    @unor I have no idea. This happened in late 2012, and I'd love to try again with some changes (such as using seemingly convincing email addresses like adminroot@domain, rootadmin@domain, etc. Or use spoof cards to call the CA and make the call appear as if it's from the WHOIS phone number, and other things) – Adi Mar 15 '14 at 13:48
  • @scuzzy-delta In its current state, my story lacks a lot of deatails that I've long forgotten. After reading the question this morning, I've been thinking about attempting the whole thing again, but this time with a bit more sophisticated approach. (check previous comment). I'll see if I can get somebody to sponsor this for me (last time I tried it, I paid about 170 EUR because some CAs didn't even seriosuly consider alternative verification options without paying first). – Adi Mar 15 '14 at 13:51
  • With your rep on this site, a Kickstarter would probably work. – scuzzy-delta Mar 15 '14 at 14:15
  • @scuzzy-delta Unfortunately, Kickstarter only accepts US, UK, Australia, New Zealand, and Canada-based founders. I'll try to find another way. If not, then I'll do it on my own. Hopefully I'll find the motivation – Adi Mar 15 '14 at 14:33
  • 5
    Ah, this story brings back memories. CA: We need to do a phone verification. Me: Hi, I'm Brian. CA: Can you prove it? Me: Sure, here's my boss. Boss: I'm his boss. He's Brian. CA: Great, thanks! You're all set. – Brian Mar 24 '14 at 19:29
  • Adnan, if you take @scuzzy-delta's advice and talk to Arstechnica, I have no doubt they would sponsor this. Kickstarter (and its ilk) is a bad idea, because publicity is a bad idea... I doubt this project would capture the hearts and minds of the public to an extent that it would become a problem, but with heartbleed causing waves you never know. – Jason Apr 09 '14 at 13:59
1

In my experience, the CA's will do one of two things:

  • Send a challenge email to the domain owner as listed in the WHOIS.
  • Request the customer to create a custom, but temporary DNS record.

Sometimes they may ask both.

Since this answer is somewhat anecdotal, I would suggest that you implement strong security regardless of whether they can create fake certificates or not. Google Apps for example requests sites to create a CNAME record, but will accept an HTML document uploaded instead. While this is not a CA, they are still working with verifying domain ownership.

Generally, having a user able to upload content to your website is problematic.

David Houde
  • 5,464
  • 1
  • 27
  • 22