Some CAs use the following protocol for certificates:

- A form asks for a CSR, your contact details (e.g. YourName
contact@yourdomain) and the contact details of the person who can
validate the website ownership (e.g. admin@yourdomain), the email being
constrained to (admin|administrator|hostmaster|webmaster|postmaster)@yourdomain
or the WHOIS contact info.

- An email is sent to admin@yourdomain (for example) with the code to
validate the certificate:

> YourName contact@yourdomain asked a certificate
> Please use the following code [secret to validate the certificate ] to 
> validate the request

- Once the code is submitted (click on a link, or a file to create, a
DNS entry to add, ...) an email is sent to contact@yourdomain (for
example) with the certificate.

I was wondering what your thoughts are on the following attack scenarios
against bigcorp.tld:

BadGuy creates a CSR and fills in the form with this information:

- His CSR
- LegitEmployee [email protected] as contact detail
- [email protected] as validator detail
- (optionally, if bigcorp is lax with email security) sends an email to
[email protected] with the sender spoofed as
[email protected] explaining the need for a certificate

What happens next:
[email protected] receives the email from the CA:
> LegitEmployee [email protected] asked a certificate
> Please use the following code [secret to validate the certificate ] to 
> validate the request

The email is legit. What the email implies is "LegitEmployee
[email protected] did the action", but the reality is
"someone claiming to be LegitEmployee [email protected] did
the action"; the CA has never validated this contact information.

If the user behind [email protected] falls into the trap, the certificate
is sent to [email protected] but could also be submitted to
Certificate Transparency logs. BadGuy then just has to download it
from a CT log.

legit_employee@yourdomain could contact [email protected] to warn him,
but if the certificate is created it's too late, as revocation is
badly broken.

Examples of real wording from two different CAs:

First one:
> This order was placed by XXX whose phone number is XXX and whose email 
> address is XXX

Second one:
> Applicant Information:
> Name: XXX
> Email: XXX
> Phone: XXX

Note: these tests were done with "Free trial certificates" valid for
less than 3 months.

Is it a valid/plausible attack scenario?

What could be improved?

- The wording of the email for the CA, to emphasize that the sender
was NOT verified
- Authenticate the sender as well

In the long term:

- define a new CAA flag "must-staple" that requires that all generated
certificates have the must-staple extension
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
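
An added example, not part of the original post and not any CA's code: a Python illustration of the first two improvements proposed above, checking the validator address against the constrained set and wording the approver email so that applicant-supplied details are labelled as unverified. The function names, the sample addresses and the validation code are assumptions constructed for illustration.

```python
import re

# Local parts the post lists as acceptable for the validator address.
APPROVER_LOCAL_PARTS = {"admin", "administrator", "hostmaster", "webmaster", "postmaster"}


def approver_allowed(approver, domain, whois_contacts=()):
    """True if approver is a constrained role address at domain or a WHOIS contact."""
    approver = approver.strip().lower()
    if approver in {c.strip().lower() for c in whois_contacts}:
        return True
    local, sep, host = approver.rpartition("@")
    return bool(sep) and host == domain.lower() and local in APPROVER_LOCAL_PARTS


def one_line(value):
    """Keep an applicant-supplied value on a single line of the email body."""
    return re.sub(r"[\x00-\x1f\x7f]+", " ", value).strip()


def build_validation_email(domain, approver, claimed_name, claimed_email, code,
                           sender_authenticated=False, whois_contacts=()):
    """Body sent to the approver, with verified facts kept apart from claims."""
    if not approver_allowed(approver, domain, whois_contacts):
        raise ValueError("approver address is not an accepted validation contact")
    name, email = one_line(claimed_name), one_line(claimed_email)
    lines = [f"A certificate was requested for: {domain.lower()}"]
    if sender_authenticated:
        # Only reached when the CA has itself confirmed control of claimed_email.
        lines.append(f"Requested by (verified): {name} <{email}>")
    else:
        lines += [
            "The requester's identity was NOT verified. Anyone can type these values:",
            f"  Name (unverified claim): {name}",
            f"  Email (unverified claim): {email}",
            "Confirm with that person through a channel you trust before approving.",
        ]
    lines.append(f"Validation code: {code}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample request for the post's bigcorp.tld scenario.
    print(build_validation_email("bigcorp.tld", "admin@bigcorp.tld", "LegitEmployee",
                                 "legit.employee@bigcorp.tld", "EXAMPLE-CODE"))
```
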
