
I bought myself a new domain this month, and found out through crt.sh that there is a 3-year SSL certificate valid for my domain. Naturally I contacted the Comodo SSL Abuse Dept. and got redirected to the reseller, Namecheap. After reaching out to Namecheap they insisted that as long as I issued a new certificate, the valid certificate that the former domain owner has would have no power whatsoever (which is not true). Even after ticket escalation, they're just reassuring me that MITM somehow will not exist as long as I set up a new SSL cert and "there is no need to worry about the security of your website and the information transmitted via Internet".

So, according to Namecheap's statement, the WoSign incident is just a fraud and people who obtained github.com's certificate will do absolutely no harm to GitHub. Good to know.

  • It sounds like you either had someone clueless on the phone or they meant that the old one would be revoked if you issued a new certificate **through them**. Either way, you should probably escalate. – Ryan Bolger Jun 01 '18 at 03:23
  • The sad thing is, I have already escalated the case and this is their "one of the SSL Shift Leaders" giving me the final answer. –  Jun 01 '18 at 03:51
  • I did not want to post the whole conversation here unless I had to, but they clearly know what I mean and their opinion is that as long as I have a new certificate, the valid certificate held by others won't do any harm, which is so ridiculous. –  Jun 01 '18 at 03:53
  • Yeah, that's pretty bad. – Ryan Bolger Jun 01 '18 at 04:46
  • While I completely agree with you that they are utterly wrong, I don't see any actual question in your question - much less one that can be answered in the context of this particular site. (Though you might want to look into a CAA record in DNS.) – Jenny D Jun 01 '18 at 07:59
  • A CAA record won’t help here as the certificate is already issued. HPKP could help but is crazily risky in my opinion and I really don’t think most sites should use it. – Barry Pollard Jun 01 '18 at 10:31
  • CAA and HPKP are exactly the things that Namecheap told me to do and I have told them exactly why not, as @BarryPollard mentioned. I think I'm not trying to ask any specific question, although I do want to know if this is totally fine with today's SSL industry practices, that somehow a CA CPS does not include such a thing? But more I want to raise attention to this horrible thing that Namecheap, or even Comodo, is doing here. –  Jun 01 '18 at 12:06
  • If browsers were observing TLSA records from the DANE standard you would not have this problem, as you would be able to specify in the DNS which certificate or certificate authority you trust. What you describe also shows the difference between OV and DV certificates and is also a reason why Let's Encrypt certificates are so short-lived. – Patrick Mevzek Jun 02 '18 at 18:27

1 Answer


Yes, it is (a reason for certificate revocation)

See the CA/Browser Forum Baseline Requirements at https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.7-29-Apr-2018.pdf, specifically section 4.9.1.1, Reasons for Revoking a Subscriber Certificate, which has this specific point:

The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs:

...

  1. The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant’s right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);

The Domain Name Registrant has failed to renew the Domain Name, and hence it may have been registered by someone else, so my reading of this document, which each CA must follow, is that the initial certificate should be revoked.

Patrick Mevzek
  • To add to this correct answer. 1) Send a certified letter in writing to the CA documenting your position and the facts. 2) Namecheap has a gui to revoke certificates - you may have to figure out the login name and then do a password reset since you control the domain now. 3) Unless the old owner can direct DNS traffic to their website using your domain name, their certificate won't work without browsers displaying an error. 4) Switch CA to one that understands security end-to-end and enforces it. – John Hanley Jun 11 '18 at 03:05
  • @JohnHanley I agree with you, but it would be very hard or basically impossible for a CA to proactively discover names that either changed registrant or were deleted+created (that second case is easier). Which means basically they should act only when someone signals that to them, but then it means for the same set of domains different behaviors depending on whether someone signals the problem or not. It just shows to me that the current Web PKI is doomed the way it works today and that DV certificates are kind of a joke. The only solution CAs have for this is to reduce the typical length of validity. – Patrick Mevzek Jun 02 '20 at 22:07
  • If the conditions are all the same, the same server, the same IP, the same postal address and just the name of the owner of the IP changed, I see no reason for revocation. – Max Muster Jun 16 '20 at 20:21
  • @MaxMuster You can get certificates issued with a DNS verification... that says nothing about which server (IP, etc.) will be used later on with this certificate, hence the CA has no way to validate anything. "Name of the owner of the IP"? Yeah right you will find the hosting provider name on the IP block, how does that prevent a given IP going to be used by customer A and then customer B? Not even taking into account mass HTTPS virtual hosting... – Patrick Mevzek Jun 16 '20 at 20:39
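The question found the leftover certificate by searching crt.sh, and the answer says such certificates fall under BR 4.9.1.1. The following is an added example (not code from the question, the answer, or crt.sh) of how a new registrant can turn a crt.sh JSON export into the list of certificates to report to the issuing CA: it keeps only entries that were issued before the domain changed hands and are still within their validity period. The records, issuer strings and dates are constructed; the only assumption about crt.sh is the field layout of its `output=json` response.

```python
import json
from datetime import datetime

# Constructed records in the shape of https://crt.sh/?q=example.com&output=json;
# ids, issuers and dates are made up. 102 is the precertificate twin of 101.
CRTSH_SAMPLE = json.dumps([
    {"id": 101, "issuer_name": "O=Comodo CA Limited, CN=COMODO RSA DV Secure Server CA",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2017-05-01T00:00:00", "not_after": "2020-05-01T23:59:59"},
    {"id": 102, "issuer_name": "O=Comodo CA Limited, CN=COMODO RSA DV Secure Server CA",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2017-05-01T00:00:00", "not_after": "2020-05-01T23:59:59"},
    {"id": 103, "issuer_name": "O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "example.com",
     "not_before": "2016-01-10T00:00:00", "not_after": "2016-04-10T00:00:00"},
    {"id": 104, "issuer_name": "O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "example.com",
     "not_before": "2018-06-02T00:00:00", "not_after": "2018-08-31T00:00:00"},
])

def parse_crtsh(text):
    """Turn crt.sh JSON into dicts with datetime fields and a sorted SAN list."""
    return [{
        "id": r["id"],
        "issuer": r["issuer_name"],
        "names": sorted(set(r["name_value"].split("\n"))),
        "not_before": datetime.fromisoformat(r["not_before"]),
        "not_after": datetime.fromisoformat(r["not_after"]),
    } for r in json.loads(text)]

def certs_needing_revocation(records, acquired_iso, now_iso):
    """Certificates issued before the domain changed registrant (acquired_iso)
    and still valid at now_iso: the ones to report to the issuing CA under
    BR 4.9.1.1. Precert/leaf pairs are collapsed on (issuer, names, validity)."""
    acquired, now = datetime.fromisoformat(acquired_iso), datetime.fromisoformat(now_iso)
    seen, flagged = set(), []
    for r in sorted(records, key=lambda r: r["id"]):
        key = (r["issuer"], tuple(r["names"]), r["not_before"], r["not_after"])
        if key in seen:
            continue                     # same certificate logged twice
        seen.add(key)
        if r["not_before"] < acquired and r["not_after"] > now:
            flagged.append(r)
    return flagged

if __name__ == "__main__":
    for c in certs_needing_revocation(parse_crtsh(CRTSH_SAMPLE),
                                      "2018-05-15T00:00:00", "2018-06-01T00:00:00"):
        print(c["id"], c["issuer"], ",".join(c["names"]), "valid until", c["not_after"])
```

Certificates issued after the acquisition date (here id 104) are the new owner's own and are left alone; once the old certificate expires the list is empty, which is why the comments above favour short validity periods.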