Is it "trivially easy" to get a cert for a domain you don't own?

Betanews just published a story about a security researcher who claims that it is "trivially easy" to get an SSL certificate for a domain you don't own, thereby claiming that certificate authorities are useless.

Is this true? Hardly. His claim comes from one particular situation: Knowing that some SSL providers issue low assurance, domain-validated certificates by simply sending an email to an address on the domain that is normally used by an administrator such as administrator@domain.com, ssladmin@domain.com, and postmaster@domain.com, Kurt Seifried suggests going to a free webmail service and registering that email address so you can approve a certificate free and clear.

Ok. That works. If you can find a webmail service that is careless enough to allow administrative email addresses to be registered, then it is "trivially easy" to get a domain validated certificate for their domain. What about getting a certificate for a domain that would be useful to phish on like www.bankofamerica.com or www.ebay.com? Nope. Just free webmail domains. Not so impressive.

But it does highlight a problem with domain-validated certificates: they're too easy to get. There are other methods of getting to administrative email addresses on a useful domain (say bankofamerica.com) such as doing a DNS attack to route the email that the SSL provider sends to your email server instead of Bank of America's email servers. This would be very difficult to pull off unless another DNS vulnerability is discovered though.

So what is the solution. It is not a panacea but EV SSL certificates go a long way toward solving this problem. The Bank of America uses an EV certificate on their site. Getting an EV certificate requires out-of-band communication that verifies that the certificate is being requested by an authorized representative of the company. So, even if an attacker can somehow get a domain-validated certificate for www.bankofamerica.com and execute a man-in-the-middle attack, most visitors will notice that the address bar is no longer green and know that there is a problem.

Many people are skeptical that visitors notice any difference between an EV certificate and a domain-validated certificate. Maybe that's true. But it is an education problem. The infrastructure to minimize man-in-the-middle attacks is available. And it is "trivially easy" to see that there is a problem with Kurt's claim.

Originally posted on Thu Apr 1, 2010