14 DAY TRIAL // Security researcher Osama Almanna has discovered a domain validation flaw for the StartSSL certificate authority (CA) that would allow someone to receive SSL certificates for any domain they wanted.
StartSSL is a Web service owned by Israeli-based StartCom, which enables webmasters to request valid SSL certificates for their domains, recognized in all the major browsers.
To prevent abuse, like hackers asking for certificates for sites they don't own, CAs force each user to go through a validation process that verifies they are the actual owner of the domain.
Flaw was in the email-based user verification process
There are several ways this can be done. The most common procedure employed by the vast majority of CAs is to have the user place a certain file on the domain's server root.
But there's another way. Users can request an email sent to their main domain, which includes a validation code. StartSSL also employs this procedure and uses three standard email addresses where this validation email is sent automatically. These are [email protected], [email protected], and webmaster@@domain.com.
Almanna discovered that, in the Web form where the user decides to which of these addresses to send the validation code, a skilled attacker could capture the HTTP request sent to the server and modify the included parameters.
Attackers could request SSL certificates for any domain name
One of those parameters is the destination email address, which they could replace with their own. This meant that Almanna could request a valid SSL certificate for google.com or facebook.com and have StartSSL send the validation email to his personal Hotmail inbox.
Crooks could abuse this loophole to issue SSL certificates for banking portals and then use them in their phishing campaigns.
Almanna says that he notified StartSSL, who fixed the flaw on the same day. This is the same technique used by the ComodoHacker, who issued tens of thousands of SSL certificates for domains around the globe. He then abused a similar flaw in the Diginotar CA, which had to file for bankruptcy because of the damage done to its reputation by this incident.
