SSL domain authentication needs improvement
Should we really be taking the domain owner’s word for it?
Blogmaster Note: This was originally posted on January 27, 2012 to ComputerWorld UK’s Security Spotlight Blog.
In her Dark Reading article, “Is SSL Cert Holder ID Verification a Joke?”, Ericka Chickowski discusses whether certificate authorities do enough identity checking for Domain Validated (DV) certificates. I am myself perhaps notorious for writing that it’s not a joke, it’s a farce.
Domain Validated certificates are issued typically with the same vetting that you’d use to subscribe to an email list — a simple response to an email is good enough. Sometimes an email response is just fine; for example, a certificate for S/MIME email would hardly need more than proving you own the email address. But for an SSL certificate, this is barely better than just taking the applicant’s word for it.
I think Chet Wisniewski of Sophos has it pretty much correct when he says, “…the fact that they say they validate who [the certificate holders] say they are, it’s just horse manure”. If it were up to me, I’d solve the issue by not having the browser light the lock for a DV certificate.
Entrust doesn’t issue Domain Validated certificates at all. We issue only the more rigorous Organization Validated certificates and Extended Validation certificates (a.k.a. Green Bar certificates). Entrust vets the identity and ownership of the domain against a variety of databases before issuing a certificate for a domain. I got Entrust certificates for my personal domains, and there was an impressive check I had to go through.
There is even more checking done for EV certs. Not only is there a more rigorous identity check, but the CA has to have better operations. For example, if revocation checks don’t come back with an affirmative in just a couple of seconds, the browser does not light the green bar (or at least is not supposed to; I’m not going to claim that every browser is bug-free).
The site itself also needs to make sure that all of its content is protected, or again the browser downgrades the indicator. This is the only place I’d disagree with the article. If there are these sorts of setup problems on an EV-protected site, the browser drops the EV signals. There’s a lot of variation in how different browsers handle the different edge conditions — I’ve been testing them myself, and those variations will make a great blog post.
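One check a practitioner can make on a certificate they are handed, as an added example that is not part of the original post: classify the subject by the identity attributes each validation level carries (DV: a domain name only; OV: an organization name; EV: additionally business category, registration number and jurisdiction of incorporation). It assumes the subject is available as an RFC 4514 string, as `openssl x509 -noout -subject -nameopt RFC2253` prints it, and it only approximates what browsers do, which recognise EV by the CA’s certificate policy OID rather than by subject fields.

```python
# Added example, not code from the original post: classify a certificate
# subject DN as DV, OV or EV by the identity attributes it carries. Browsers
# recognise EV by CA-specific policy OIDs, which this heuristic does not check.
from __future__ import annotations
import re

def parse_dn(dn: str) -> dict[str, list[str]]:
    """Parse an RFC 4514 string DN into {type: [values]}. Honours backslash
    escapes ("O=Example\\, Inc."); hex escapes and an escaped backslash right
    before a comma are not handled (assumption about the input format)."""
    attrs: dict[str, list[str]] = {}
    for rdn in re.split(r"(?<!\\),", dn):  # split only on unescaped commas
        if not rdn.strip():
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        typ, val = rdn.split("=", 1)
        val = re.sub(r"\\(.)", r"\1", val.strip())  # drop the escaping backslash
        attrs.setdefault(typ.strip(), []).append(val)
    return attrs

# Subject fields the EV Guidelines require beyond the organization name
# (attribute names, plus the dotted OIDs some tools print instead).
EV_FIELDS = (
    ("businessCategory", "2.5.4.15"),
    ("serialNumber", "2.5.4.5"),
    ("jurisdictionCountryName", "jurisdictionC", "1.3.6.1.4.1.311.60.2.1.3"),
)

def validation_level(dn: str) -> str:
    """Return "DV", "OV" or "EV" for a subject DN string."""
    attrs = parse_dn(dn)
    if "O" not in attrs and "organizationName" not in attrs:
        return "DV"  # only a domain name: no vetted organization identity
    if all(any(n in attrs for n in names) for names in EV_FIELDS):
        return "EV"
    return "OV"

# Constructed sample subjects (not real certificates), one per level.
SAMPLES = {
    "DV": "CN=shop.example.net",
    "OV": "CN=www.example.com, O=Example\\, Inc., L=Austin, ST=Texas, C=US",
    "EV": "CN=bank.example.com, O=Example Bank N.A., businessCategory=Private"
          " Organization, serialNumber=12345, jurisdictionC=US, ST=Texas, C=US",
}

if __name__ == "__main__":
    for expected, dn in SAMPLES.items():
        print(f"{expected:>2} -> {validation_level(dn)}")
```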
Nonetheless, the basic thrust of the article is spot on. DV certs are barely worth the bits they’re written with, and we would all be better off if they didn’t give an indication of trust in the browser (the lock) when there’s no real vetting done.