17

When registering for an SSL cert, I was able to validate that I "owned" the domain I was creating the cert for by having a valid @domain.com email address. If I worked for a large company, say Microsoft or something, and have a valid me@microsoft.com email address, how am I prevented from being able to create a valid SSL cert for microsoft.com?

Maybe Microsoft has something in place to handle this, but what if the company is a bit smaller and doesn't have anything in place?

Anthony Kraft
  • 1,139
  • 1
  • 8
  • 18
  • I can't believe an E-Mail address was enough. I was required to have the domain owner's phone number be entered to a public phone book to verify my identity. Funny enough, at that point I didn't even have a business phone number. I got a new mobile phone contract just for the purpose of this SSL cert. It wasn't even an EV cert! – Prinzhorn Mar 21 '14 at 11:23
  • I'm adamant I recall a reasonably high-profile occurrence of something similar a few years ago - a webmail service, perhaps hotmail or the ilk. I can't find any reference to it from a cursory google, though. I seem to recall the attacker simply registered an 'admin-sounding' username - "postmaster@hotmail.com" or something - and simply got an SSL cert emailed to it. – randomdude Mar 21 '14 at 12:44
  • As an aside, just an email address is enough to get a _client_ SSL certificate, but it will be for that specific address, not the domain. – armb Mar 21 '14 at 14:46
  • 1
    [How can I prevent that my users get a certificate issued for my domain on my behalf?](http://security.stackexchange.com/q/53408/12139) – unor Mar 21 '14 at 18:46

2 Answers

22

It's not just any email address at that domain. I have a valid gmail address, but that's not enough to convince Verisign that I own gmail.com.

Instead, at the very least, you need to control one of a specific set of addresses, including the email address listed in the whois record for the domain, and also often some of the following:

  • admin@example.com
  • administrator@example.com
  • hostmaster@example.com
  • root@example.com
  • webmaster@example.com
  • postmaster@example.com

In addition to that, depending on the domain in question and often triggered by an automatic flagging system, they may require additional manual validation by an employee of the CA. If you were to try to get a certificate for microsoft.com, for example, it probably wouldn't work even if you did control one of the email addresses listed above.

tylerl
  • 82,225
  • 25
  • 148
  • 226
  • Interesting. The email I picked was admin@mydomain.com when I registered and thus wrongly concluded it could be any domain. – Anthony Kraft Mar 21 '14 at 03:06
  • 1
    I believe they also use the Admin or Technical contact from your Whois / Domain registration information. I remember having to change my contact info when getting an SSL cert a long time ago. – Mat Carlson Mar 21 '14 at 11:13
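An added example, not code from this thread: a small Python check of the rule set tylerl describes (the reserved local parts plus the WHOIS contact), with the function names, the `RESERVED_LOCAL_PARTS` list and the sample inputs being my own assumptions. It also includes the defensive sign-up check a mail provider would want given the "postmaster@hotmail.com" anecdote in the comments.

```python
# Added example (not from the thread). Names below are assumptions.

# Local parts tylerl lists as the "constructed" addresses a CA may accept.
RESERVED_LOCAL_PARTS = frozenset({
    "admin", "administrator", "hostmaster", "root", "webmaster", "postmaster",
})


def _split_address(email):
    """Return (local, domain) lowercased, or None unless it is a plain addr-spec."""
    if email.count("@") != 1 or "<" in email or ">" in email:
        return None
    local, _, domain = email.strip().lower().partition("@")
    if not local or not domain:
        return None
    return local, domain


def is_approved_validation_address(email, domain, whois_contacts=()):
    """True if `email` is one a CA could accept as proof of control of `domain`.

    Accepted: a reserved local part at exactly `domain` (subdomains and
    lookalike domains such as example.com.evil.test are rejected), or any
    address listed as a WHOIS contact for the domain.  An arbitrary mailbox
    such as me@example.com is rejected even though it lives at the domain.
    """
    parsed = _split_address(email)
    if parsed is None:
        return False
    local, addr_domain = parsed
    domain = domain.strip().lower().rstrip(".")
    whois = {c.strip().lower() for c in whois_contacts}
    if f"{local}@{addr_domain}" in whois:
        return True
    return addr_domain == domain and local in RESERVED_LOCAL_PARTS


def reserved_usernames_requested(usernames):
    """Defender's check for a webmail or user-account service: return the
    requested usernames that collide with a reserved local part, so the
    sign-up can be refused before it hands a stranger a validation mailbox."""
    return sorted(u for u in usernames if u.strip().lower() in RESERVED_LOCAL_PARTS)
```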
7

The registration authority for a given certificate authority has rules that govern how they will verify the identity of a requester. Not all authorities have equal security or quality controls. The system relies upon the registration authority doing its proper due diligence, but if they are shoddy someone could get a cert issued who should not.

This is why the Extended Validation (EV) certificates were introduced. To obtain one of these certs requires a lot more background checking and due diligence, giving the end user greater assurance it's a legit cert. There are industry guidelines for issuing an EV cert.

For example:

9.2.1 Subject Organization Name Field

Certificate field: subject:organizationName (OID 2.5.4.10)

Required/Optional: Required

Contents: This field MUST contain the Subject's full legal organization name as listed in the official records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration or as otherwise verified by the CA as provided herein. A CA MAY abbreviate the organization prefixes or suffixes in the organization name, e.g., if the official record shows "Company Name Incorporated" the CA MAY include "Company Name, Inc."

You may find this blog, Why are the Certification Authority/Browser Baseline Requirements so important?, on Symantec's site useful for this question.

Eric G
  • 9,691
  • 4
  • 31
  • 58