StartSSL faces another issue that lets attackers obtains SSL certificates for domains they don't own

Jul 4, 2016 23:40 GMT  ·  By

Thijs Alkemade, a security researcher for Dutch security firm CompuTest, has discovered multiple design and implementation flaws in StartEncrypt, a tool created by Israeli company StartCom for issuing free SSL certificates.

StartCom, the CA (Certificate Authority) behind the StartSSL service, launched the StartEncrypt project on June 4, inspired by the success of the Let's Encrypt project.

Users who want to deploy free StartSSL certificates can take advantage of their StartEncrypt offering. They only need to download a Linux client they're supposed to upload to their servers.

This client performs a domain validation process, informs the StartSSL service, which then issues and installs an "Extended Validation" SSL certificate for the domain it has found running on the server it has just checked.

StartEncrypt contains design and implementation flaws

According to CompuTest, this validation process is flawed, and through a few tricks, it allows server owners to receive SSL certificates issued for other domains, such as Facebook, Google, Dropbox, etc., which can be sold on the black market or used in man-in-the-middle attacks.

The first issue Alkemade discovered in the StartEncrypt client was a design-related problem linked to the fact that users could manually configure the folder from where the client would download a signature from the server.

An attacker would only have to point the tool to a folder on their server holding the signature of another domain. These domain signatures can be extracted from any sites that allow users to upload files: GitHub, Dropbox, etc..

StartEncrypt bug combined with OAuth 2.0 protocol condition

The second issue is far more serious because it enabled an attacker to obtain SSL certificates for even more domains than the ones before.

According to the researcher, one of the API verification calls contains a parameter dubbed "verifyRes," which takes a URL as input. This means the client was exposed to Open Redirect vulnerabilities. In other words, an attacker could forge this request and point the tool off-domain to a server not under their control.

But this feature is not that easily exploitable. The domain URL to which the attacker needs to point the tool must (1) allow users to upload files and serve them back in raw format; or (2) to contain an Open Redirect issue of its own.

While the first condition was quite rare, the second was not. All websites that support OAuth 2.0, a specification that powers social login features, must allow open redirects for the protocol to function properly.

A crook leveraging this OAuth 2.0 condition and the StartEncrypt client could fool the StartSSL service into issuing a free SSL service in their name for any site that provides OAuth 2.0 support, such as Facebook, Twitter, Yahoo, Microsoft, and so on.

Multiple other issues discovered as well

Additionally, CompuTest also found that StartEncrypt doesn't check its own server's certificate for validity when connecting to the API, meaning crooks could receive verification requests and issue false SSL certificates for users trying to use StartEncrypt.

The API also doesn't check the content type of the file it downloads for verification, so attackers can obtain certificates in the name of third-party websites where users can upload their avatars. At the same time, the certificate private key, which must be private, is stored with 0666 permissions in a public folder, so everyone could read it.

Furthermore, just like Let's Encrypt, StartEncrypt is vulnerable to a Duplicate-Signature Key Selection attack.

"In our opinion, StartCom made a mistake by publishing StartEncrypt the way it is," CompuTest's Christiaan Ottow explains. "Although they appreciated the issues for the impact they had and were swift in their response, it is apparent that too little attention was paid to security both in design (allowing the user to specify the path) and implementation (for instance in following redirects, static linking against a vulnerable library, and so on). Furthermore, they didn’t learn from the issues LetsEncrypt faced when in beta."

StartCom has released a new version of the StartEncrypt Linux client, with the same version number 1.0.0.1. CompuTest says they reported other issues to the service, which are still being corrected and will be fixed in future updates.

Back in March, StartSSL faced a similar issue with its general service, which also allowed crooks to receive SSL certificates for domains they didn't own.