Comodo issued an SSL certificate for live.fi. The problem is that the certificate requester did not own or control the live.fi domain, which belongs to Microsoft. Was this Comodo’s fault? Let’s discuss.
Since 2012, the certification authorities (CAs) that issue publicly trusted SSL certificates must follow the domain verification methods in the CA/Browser Forum Baseline Requirements (BRs).
The BRs provide methods for organization validation (OV) and domain validation (DV). With OV, the subscriber’s identity is included in the certificate, and validating that identity requires the CA to contact the subscriber to complete verification.
With DV SSL, verification can be done automatically, because only control or ownership of the domain is verified. One method of performing DV verification for live.fi is to ask the certificate applicant to specify, and then respond from, an email address that they control.
Let’s step back a little bit. The attack we are talking about was performed before, in 2009. It was carried out against the RapidSSL CA, which offered fourteen email addresses for the subscriber to choose from. In that case the attack was also against a Microsoft domain, login.live.com: the subscriber registered [email protected] and then requested the certificate using the email address they controlled. This created a security furor and led to the list of acceptable email addresses being limited.
RFC 2142 was reviewed, and ‘webmaster’, ‘hostmaster’ and ‘postmaster’ were chosen from it; ‘admin’ and ‘administrator’ were also suggested. Email addresses starting with these names were specified in the BRs. But what goes around comes around, and the attack was performed again on live.fi, this time with one of the limited email addresses.
For the most part, enterprises won’t issue email addresses to attackers. In some cases an enterprise will issue email addresses to contractors and partners. The real issue is with email service providers that issue email addresses to third parties. How do we get these service providers to protect the right email addresses?
As an SSL best practice, we suggest that you control your email addresses. You should have a naming policy, and in addition you should assign or reserve the email addresses starting with ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’ and ‘postmaster’.
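The two layers discussed above, the CA-side email method and the provider-side reservation policy, can be expressed as simple checks. The following is an added example written for this post; it is not code from Comodo, Entrust or the CA/Browser Forum. It assumes the five reserved names listed above, treats the BR rule as an exact match on the local part (the post’s own wording is “starting with”, which the provider-side filter uses), and simplifies public-suffix handling to “at least two labels”; a real implementation would consult the Public Suffix List.

```python
"""Added example: two checks related to BR email-based domain validation.

1. ca_accepts_dv_address(): a CA-side check that a requester-chosen email
   address is a reserved local part at the requested domain (or a parent
   domain), not an arbitrary mailbox the requester happens to control.
2. provider_rejects_signup(): a mail-provider-side registration filter that
   refuses to hand out mailboxes whose local part begins with a reserved
   name, which is the reservation policy recommended in the post.

Assumptions (not from the BRs or the post): the reserved list is exactly the
five names below, and a domain is valid if it has at least two labels.
"""
import re

RESERVED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)

_EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def _split(email: str):
    """Return (local, domain) with the domain normalised, or None if malformed."""
    m = _EMAIL_RE.match(email.strip())
    if not m:
        return None
    local, domain = m.group(1), m.group(2).rstrip(".").lower()
    return local, domain


def _parent_domains(fqdn: str):
    """Yield the FQDN and each parent domain that still has two or more labels."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def ca_accepts_dv_address(email: str, requested_fqdn: str) -> bool:
    """CA side: accept only reserved-name@<requested domain or a parent of it>."""
    parts = _split(email)
    if parts is None:
        return False
    local, domain = parts
    # Strict reading: the local part must be exactly one of the reserved names.
    if local.lower() not in RESERVED_LOCAL_PARTS:
        return False
    # The mailbox must live at the requested name or one of its parents,
    # never at an unrelated domain.
    return domain in set(_parent_domains(requested_fqdn))


def provider_rejects_signup(requested_local_part: str) -> bool:
    """Provider side: refuse new mailboxes whose name starts with a reserved name."""
    local = requested_local_part.strip().lower()
    return any(local.startswith(name) for name in RESERVED_LOCAL_PARTS)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the incidents in the post.
    print(ca_accepts_dv_address("unrelated.user@live.fi", "live.fi"))   # False
    print(ca_accepts_dv_address("hostmaster@live.fi", "www.live.fi"))   # True
    print(ca_accepts_dv_address("hostmaster@example.com", "live.fi"))   # False
    print(provider_rejects_signup("hostmaster"))                        # True
    print(provider_rejects_signup("alice"))                             # False
```

The first check is what limits a CA to the BR-style constructed addresses; the second is what a mail provider would need in order to stop handing those same mailboxes to third parties, which is the gap the post is pointing at.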