EFF uncovers further evidence of SSL CA bad behavior

04-07-2011, 11:17 AM
In the wake of the Comodo SSL Certificate Authority (CA) having been compromised by an Iranian hacker, the Electronic Frontier Foundation published more evidence of problems in the SSL signing industry.

While many were critical of Comodo's hard-coding passwords into public-facing code and using their root certificate to sign certificates, now there is more evidence of industry-wide lax practices. Chris Palmer wrote a blog on Tuesday outlining work the EFF had done analyzing the quantity of certificates that were signed and trusted by all of our browsers that were technically invalid and could be used for fraud.

The particular practice the EFF was looking for was the signing of certificates that did not contain fully-qualified domain names. To obtain verification of your identity for the CA to sign a certificate, the certificate must contain something that globally only you could be identified by. If I try to get a certificate for just plain www, I should be rejected. Yet if I try to purchase secure.sophos.com, you could verify that I am allowed to represent Sophos, and that this certificate would not be valid for any other organization.

So what did the EFF find? They found that certificate authorities have signed over 37,000 certificates that are not specific to any organization; they contain only a hostname. The worst offender was GoDaddy.com. Each and every one of these could be used to impersonate some local server on your intranet by an intruder... Wait! It gets worse. 28 Extended Validation certificates were issued in this manner, 10 of which are still valid.

What is Extended Validation? Wikipedia states three specific conditions must be met:

1. Establish the legal identity as well as the operational and physical presence of the website owner.
2. Establish that the applicant is the domain name owner or has exclusive control over the domain name.
3. Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.

More details - link
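As an added example (not part of the post or of the EFF study): a small Python audit that applies the check described above to a certificate inventory, flagging names that cannot identify one organisation on the public Internet (bare hostnames such as "www", IP literals, names under internal-only suffixes) and summarising the hits per issuer and per EV status the way the EFF's tally did. The issuer names, the inventory records and the set of internal suffixes are constructed assumptions.

```python
"""Audit certificate names for the unqualified-hostname problem: a public CA
should never certify a name such as "www" or "mail" that does not identify one
organisation globally."""
import ipaddress
import re
from collections import Counter

LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Assumed list of suffixes that only resolve inside a private network.
NON_PUBLIC_SUFFIXES = {"local", "lan", "internal", "localdomain"}


def is_public_fqdn(name: str) -> bool:
    """True if `name` is a syntactically valid DNS name with at least two labels
    and a public top-level label. Wildcards like "*.example.com" are accepted."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return False
    try:
        ipaddress.ip_address(name)
        return False                      # an IP literal identifies no organisation
    except ValueError:
        pass
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]               # "*.example.com" -> check "example.com"
    if len(labels) < 2:
        return False                      # bare hostname: "www", "mail", "localhost"
    if labels[-1].isdigit() or labels[-1] in NON_PUBLIC_SUFFIXES:
        return False                      # numeric or intranet-only top label
    return all(LABEL_RE.match(label) for label in labels)


def audit(records):
    """records: dicts with keys issuer, names (CN plus SAN entries), ev.
    Returns counts of offending certificates overall, per issuer and EV-only."""
    per_issuer = Counter()
    details, ev_hits = [], 0
    for rec in records:
        bad = [n for n in rec["names"] if not is_public_fqdn(n)]
        if bad:
            details.append((rec["issuer"], bad))
            per_issuer[rec["issuer"]] += 1
            ev_hits += 1 if rec.get("ev") else 0
    return {"total": len(details), "per_issuer": per_issuer,
            "ev": ev_hits, "details": details}


# Constructed sample inventory; issuers and names are hypothetical.
SAMPLE = [
    {"issuer": "Example CA 1", "names": ["secure.sophos.com"], "ev": False},
    {"issuer": "Example CA 1", "names": ["www"], "ev": False},
    {"issuer": "Example CA 2", "names": ["mail", "mail.example.com"], "ev": True},
    {"issuer": "Example CA 2", "names": ["*.example.com"], "ev": False},
    {"issuer": "Example CA 2", "names": ["192.168.1.10"], "ev": False},
    {"issuer": "Example CA 1", "names": ["exchange.corp.local"], "ev": False},
]
```

Running `audit(SAMPLE)` on the constructed inventory reports four offending certificates, two per issuer, one of them EV; on a real inventory the `names` field would be filled from each certificate's subject CN and subjectAltName entries.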