[159209] in North American Network Operators' Group
Re: Gmail and SSL
daemon@ATHENA.MIT.EDU (Jimmy Hess)
Sun Dec 30 23:26:46 2012
In-Reply-To: <20121231034645.11439.qmail@joyce.lan>
Date: Sun, 30 Dec 2012 22:26:36 -0600
From: Jimmy Hess <mysidia@gmail.com>
To: John Levine <johnl@iecc.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 12/30/12, John Levine <johnl@iecc.com> wrote:
> Do you ever buy SSL certificates? For cheap certificates ($9
> Geotrust, $8 Comodo, free Startcom, all accepted by Gmail), the
> entirety of the identity validation is to send an email message to an
> address associated with the domain, typically one of the WHOIS
> addresses, or hostmaster@domain, and look for a click on an embedded
These CA's will normally require interactions be done through a web
site, there will often be captchas or other methods involved in
applying for a certificate that are difficult to automate.
They require payment, which requires a credit card, and obtaining a
massive number of certificates is not a practical thing for malware to
perform, unless they also possess a mass amount of stolen credit
cards, and stolen WHOIS e-mail address contacts; on the other hand,
self-signed certificates can be generated on the fly by malware, using
a simple command or series of CryptoAPI calls.
I am aware of the procedure the CAs follow, and I am well aware that
there are significant theoretical weaknesses inherent to the
procedures that are followed to authenticate such "Turbo", "Domain
auth" based SSL certificates. (They use an unencrypted e-mail
message to send the equivalent of a PIN number, for getting a
certificate signed, in reliance of WHOIS information downloaded over
unencrypted connection: WHOIS data may be tampered with, a MITM may
be used to alter WHOIS response in transit to the CA --- the PIN
number in confirmation e-mail can be sniffed in transit, or the
contact e-mail address may be hosted by a 3rd party insecure service
provider and/or no longer belong to the authorized contact).
All of these practices have considerable risks, and the risk that
_some_ fraudulent requests are approved is signicant.
The very e-mail server the certificate is to be issued to, might be
the one that receives the e-mail, and a passive sniffer there may
capture the PIN required to authorize the certificate.
However, the procedures required to exploit these weaknesses are
slightly more complicated than simply producing a self-signed
certificate on the fly for man in the middle use -- they require
planning, a waiting period, because CAs do not typically issue
immediately.
And the use of credit card numbers; either legitimate ones, which
provide a trail to trace the attacker, or stolen ones, which is a
requirement, that reduces the possible size of an attack (since a
worm, or other malware infection, won't have an infinite supply of
those to apply for certificates).
But "Does the CA's signature actually represent a guaranteed
authentication" wasn't the question.
The only question is... Does it provide an assurance that is at all
stronger than a self-signed certificate that can be made on the fly?
And it does... not a strong one, but a slightly stronger one.
> mail sent from that server. That doesn't sound like "authentication
> of server identity" to me.
>
> R's,
> John
--
-JH
