Internet certification authorities (CAs) are not making enough of an effort to validate the websites they vouch for, according to a security expert at the Electronic Frontier Foundation.
Certification authorities such as VeriSign and Comodo issue the SSL certificates that tell your browser the sites you visit – from banks to retailers – are genuine.
An attack last month against Comodo let a hacker obtain fraudulent certificates for Gmail, Hotmail and Skype domains. According to the EFF, certification providers are playing fast and loose with one of the most fundamental security tools used on the web.
“If CAs don’t validate the identities of the sites they vouch for, the whole system breaks down,” said technical analyst Chris Palmer in an EFF blog post.
"Using data in EFF's SSL Observatory, we have been able to quantify the extent to which CAs engage in the insecure practice of signing certificates for unqualified names," said Palmer, who found more than 37,000 examples of such names.
"That they do so in large numbers indicates that they do not even minimally validate the certificates they sign."
Palmer said the lack of attention to detail “significantly undermines CAs’ claim to be trustworthy authorities for internet names and puts internet users at increased risk of network attack”.
According to Palmer, CAs should only sign fully qualified public names such as www.pcpro.co.uk or www.eff.org. Non-unique names such as "localhost", "mail" or "webmail" should not be given certificates, because the same name is used inside many different networks and so identifies no particular server.
“CAs create real risk when they sign other unqualified names,” Palmer said. “What if an attacker were able to receive a CA-signed certificate for names like 'mail' or 'webmail'? They would be able to perfectly forge the identity of your organisation’s webmail server in a 'man-in-the-middle' attack."
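The check Palmer describes is mechanical: a name that does not include a public DNS suffix should never appear on a publicly trusted certificate. The script below is an added example (it is not EFF's SSL Observatory code) that audits a list of names as they would be pulled from certificate CN and subjectAltName fields and flags the ones a CA should have refused. It goes slightly beyond the article's single-label cases: names under IANA special-use suffixes such as ".local" and non-routable IP literals are flagged too, since they are just as non-unique as a bare "webmail". The sample name list is constructed for illustration.

```python
"""Flag certificate subject names that a CA should never have signed.

Added example, not EFF's SSL Observatory code.  Input is a list of names
as they would be read from certificate CN / subjectAltName fields; the
SAMPLE_NAMES list below is constructed for illustration.
"""
import ipaddress
import re

# Suffixes reserved by IANA (RFC 6761 / RFC 6762) that never name a unique
# public host; a name ending in one is as non-unique as a bare "webmail".
RESERVED_SUFFIXES = {"localhost", "local", "test", "example", "invalid"}

# One DNS hostname label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalise(name):
    """Lower-case, drop a trailing dot, and strip a leading '*.' wildcard."""
    n = name.strip().lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]
    return n


def classify(name):
    """Return why a name is (or is not) acceptable on a public certificate.

    'fqdn'            multi-label hostname not under a reserved suffix
    'unqualified'     single label such as 'mail' or 'webmail'
    'reserved-suffix' ends in an IANA special-use suffix (e.g. '.local')
    'ip-nonpublic'    IP literal that is not globally routable
                      (RFC 1918, loopback, link-local, documentation ranges)
    'ip-public'       globally routable IP literal (not a DNS name at all)
    'invalid'         not a syntactically valid hostname
    """
    n = normalise(name)
    try:
        addr = ipaddress.ip_address(n)
    except ValueError:
        pass
    else:
        return "ip-public" if addr.is_global else "ip-nonpublic"
    if not n:
        return "invalid"
    labels = n.split(".")
    if not all(_LABEL.match(lab) for lab in labels):
        return "invalid"
    if len(labels) == 1:
        return "unqualified"
    if labels[-1] in RESERVED_SUFFIXES:
        return "reserved-suffix"
    return "fqdn"


def audit(names):
    """Map every name in a certificate dump to its classification."""
    return {name: classify(name) for name in names}


def should_not_be_signed(names):
    """Names a public CA should have refused, sorted for stable output."""
    return sorted(n for n, c in audit(names).items() if c != "fqdn")


# Constructed sample: names as they might appear in a CN/SAN dump.
SAMPLE_NAMES = [
    "www.eff.org",
    "*.pcpro.co.uk",
    "webmail",
    "mail.",
    "localhost",
    "exchange01.corp.local",
    "10.0.0.5",
    "bad_name.example.org",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_NAMES).items():
        print(f"{name:28} {verdict}")
    print("should not have been signed:", should_not_be_signed(SAMPLE_NAMES))
```

Running it against a real dump (one name per line, wildcards and trailing dots included) gives the same kind of count the EFF derived from Observatory data; anything other than `fqdn` is a name whose certificate could be presented by an attacker on any network that happens to use it.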