
'Trivially easy' to buy SSL certificate for domain you don't own - billpg
http://www.betanews.com/article/Security-researcher-Trivially-easy-to-buy-SSL-certificate-for-domain-you-dont-own/1270072287
======
patio11
I have always thought that the key achievement of SSL was marketing.
Specifically, while data can be sniffed off the wire on http connections, this
was not a very practical attack until wireless started becoming popular.
Compromising clients, servers or phishing were easier and more lucrative.
_However_ , people had generalized feelings of insecurity on conducting
business over the Internet ("But what if hackers get my credit card with their
magic super powers!?"), and SSL was a _great_ solution to that: it is white
magic which totally neutralizes the black magic. Take that, hackers -- the
Internet is now open for business. And for phishing and insecure passwords and
compromised servers but, hey, _none of those things scare people away_ from
typing in their credit card numbers.

So to the extent that the white magic doesn't actually work, well, it doesn't
really _need_ to work. It just needs to be, to quote the most common
description, As Good As What Your Bank Uses.

~~~
tptacek
Sniffing data off the Internet backbone was so practical that there are well-
known cases of it actually happening to backbone providers. In one famous
case, someone managed to hook solsniff.c up to Sprintnet's core.

~~~
count
I no longer worry about the backbone sniffers - that's like drinking from a
firehose the size of the Three Gorges Dam. You can't surreptitiously consume
that much I/O.

I'm much more concerned about small targeted stuff in data centers and colo
cages, sniffing just a few backend servers, behind the SSL terminator. Or, you
know, just 'select * from creditcardinfo';...

------
mike-cardwell
Yet another reason why the CA system is inherently untrustworthy and something
like this should be adopted instead:
<https://secure.grepular.com/DNSSEC_Will_Kill_Commercial_CAs>

~~~
Mark_B
HEY! I just noticed your comment is id 1234567. CONGRATULATIONS!!

~~~
lurkinggrue
Amazing! That's the combination on my luggage.

------
pilif
That reminds me: I'd like to purchase an SSL certificate for my domain please.
The domain is gmail.com and to prove that it's mine, please send the
confirmation to xxxx@gmail.com

Thanks in advance!

In the end though, most phishing attacks still use non-secured connections or
they purchase one of these domain validation only certificates for
evildomain.org and then use the usual tricks like paypal.com.evildomain.org or
whatever.

This would even work with EV certificates, helping the phishers to gain that
green address bar said to be unachievable for them.

SSL only proves identity. It can't say anything about malicious intent.

~~~
mike-cardwell
They tend to have a list of addresses that the certificate can be sent to,
e.g.:

postmaster@domain, webmaster@domain, ssladmin@domain

If you can get access to ssladmin@gmail.com, then you can probably register an
SSL cert for gmail.com.

~~~
gus_massa
The problem is that if each CA makes its own list, it is very difficult to
make a secure web mail service and I hope that no _Susan Sladmin_ is working
at your organization. If I want to make a Mailinator clone, which address
should I reserve?

(For example, webmaster@mailinator.com is working:
<http://www.mailinator.com/maildir.jsp?email=webmaster>)

~~~
mike-cardwell
Yes. There are hundreds of CAs and they all work differently. It's a security
nightmare.
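An added example, not code from any commenter: a reservation check that a webmail or Mailinator-style service could apply at signup so that the mailbox names CAs treat as proof of domain control are never handed to ordinary users. The reserved list combines the addresses named in this thread with the RFC 2142 role mailboxes; which names any particular CA actually accepts is an assumption here and has to be checked per CA.

```python
# Added example (not from any commenter): reject signups for mailbox names
# that a CA might accept as a domain-validation contact. Reserved names are
# those mentioned in the thread plus RFC 2142 role addresses; the set a given
# CA honours is an assumption and must be verified against that CA.
import re
import unicodedata

RESERVED_LOCAL_PARTS = frozenset({
    # named in the thread as CA validation contacts
    "postmaster", "webmaster", "ssladmin",
    # other names commonly used for validation mail (assumed; check your CAs)
    "admin", "administrator", "hostmaster", "sslwebmaster",
    # RFC 2142 mailbox names for common roles
    "abuse", "noc", "security", "info", "marketing", "sales", "support",
})

_PLUS_SUFFIX = re.compile(r"\+.*$")


def normalize_local_part(local_part: str, dots_insignificant: bool = True) -> str:
    """Canonicalise a mailbox name the way the mail system will match it.

    Folds Unicode and case (so a fullwidth 'ａｄｍｉｎ' becomes 'admin'),
    strips any '+tag' sub-address and, for Gmail-style providers that ignore
    dots, removes dots; 'Ssl.Admin+x' therefore collides with 'ssladmin'.
    """
    s = unicodedata.normalize("NFKC", local_part).casefold()
    s = _PLUS_SUFFIX.sub("", s)
    if dots_insignificant:
        s = s.replace(".", "")
    return s


def is_reserved(local_part: str, dots_insignificant: bool = True) -> bool:
    """True if the requested name would collide with a reserved mailbox."""
    return normalize_local_part(local_part, dots_insignificant) in RESERVED_LOCAL_PARTS


def filter_signup_requests(requested: list[str]) -> dict[str, str]:
    """Classify each requested mailbox name as 'ok' or 'reserved'."""
    return {name: ("reserved" if is_reserved(name) else "ok") for name in requested}


if __name__ == "__main__":
    # constructed sample signup requests; 'susan.sladmin' is allowed
    sample = ["alice", "Ssl.Admin+cert", "WebMaster", "ｐｏｓｔｍａｓｔｅｒ", "susan.sladmin"]
    for name, verdict in filter_signup_requests(sample).items():
        print(f"{name:20} {verdict}")
```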

------
UmYeah
April fools? Please.

The saddest part of this is that companies are spending thousands of dollars
on these certificates without any knowledge of how it works. But hey, that
lock on the address bar sure makes me feel secure.

~~~
sp332
That's how they are marketed, after all. Not by everyone, but check out the
"features" on GoDaddy's SSL cert page:
<http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=8979> "Bigger, more
colorful icons! Yay!"

~~~
qeorge
For better or for worse, big lock icons and green toolbars do help
conversions.

------
jluxenberg
Once you have an SSL cert for a domain you don't own, to use it you'd need to
be able to host content on a domain you don't own. Surely this makes this kind
of attack less viable?

~~~
swolchok
With such a cert, you can carry out a man in the middle attack without
triggering SSL warnings (in the typical usage model for SSL), because you have
a valid cert.

