EFF Uncovers Evidence Of Certificate Authority Apathy

Published: 22/11/2024   Category: security


Electronic Frontier Foundation research digs up 37,244 unqualified names that were given digital certificates



In yet another example of a flawed SSL website certificate registration process, researchers at the Electronic Frontier Foundation (EFF) found tens of thousands of unqualified website names that had been registered by certificate authorities.
The EFF, via its SSL Observatory project, which studies all of the certificates used to secure HTTPS websites, discovered some 37,244 unqualified names that had been given digital certificates, including localhost (2,201 certificates), exchange (806), exchange in the name (2,383), and 01srvech (5,657).
The recent hack of a Comodo SSL reseller and the subsequent issuance of nine website certificates for fraudulent sites was a painful wake-up call for a process that security researchers had long been warning was deeply flawed and ripe for exploitation.
Comodo's model of letting resellers freely issue certificates on their own, without Comodo's validation, was at the heart of the hack, security experts say.
"The EFF research highlights how CAs routinely sign certificates for unqualified website names. That they do so in large numbers indicates that they do not even minimally validate the certificates they sign. This significantly undermines CAs' claim to be trustworthy authorities for internet names. It also puts internet users at increased risk of network attack," blogged Chris Palmer, technology director at the EFF.
"Signing website certificates registering as localhost indicates that CAs aren't vetting these submissions. The most common unqualified name is localhost, which always refers to your own computer! It simply makes no sense for a public CA to sign a certificate for this private name," Palmer said.
This lax process leaves the door open for attackers to wage man-in-the-middle attacks, he said. The bad behavior of CAs helps attackers, he said.
The EFF called for CAs to stop signing unqualified name submissions and to revoke certificates that were issued for any unqualified names. They should also stop signing IP addresses -- especially private, nonroutable addresses -- and should revoke existing IP address certificates, too, EFF's Palmer said.
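As an added example (not code from the article, the EFF or the SSL Observatory), the minimal validation step the EFF says is missing: classify each subject name pulled from a certificate's CN or subjectAltName as a qualified DNS name, a bare unqualified name such as localhost, or a private/public IP literal, so an issuer can refuse it or an auditor can flag it in an existing certificate store. The sample names below are constructed; `classify_name` and `audit` are hypothetical helper names.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of subject names as they would be pulled from the CN /
# subjectAltName fields of certificates in a scan like the EFF SSL Observatory.
SAMPLE_NAMES = [
    "localhost",                  # reserved loopback name, never a public host
    "exchange",                   # bare Windows host name, no DNS suffix
    "01srvech",                   # another unqualified internal host name
    "exchange.corp.example.com",  # qualified name, fine to sign
    "*.example.com",              # wildcard over a qualified domain
    "10.0.0.5",                   # RFC 1918 private address
    "fe80::1",                    # IPv6 link-local address
    "8.8.8.8",                    # routable address (EFF advises not signing these either)
]


def classify_name(name: str) -> str:
    """Classify a certificate subject name the way a CA validation step should.

    Returns 'unqualified' (no DNS suffix, e.g. 'localhost'), 'private_ip'
    (loopback / private / link-local / reserved literal), 'public_ip'
    (routable literal) or 'fqdn' (dotted DNS name, wildcard label allowed).
    """
    name = name.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None  # not an IP literal, treat as a DNS name
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
            return "private_ip"
        return "public_ip"
    host = name[2:] if name.startswith("*.") else name
    if "." not in host:
        return "unqualified"
    return "fqdn"


def audit(names: List[str]) -> Dict[str, List[str]]:
    """Group names by class; anything outside 'fqdn' should be refused or revoked."""
    report: Dict[str, List[str]] = {"unqualified": [], "private_ip": [], "public_ip": [], "fqdn": []}
    for n in names:
        report[classify_name(n)].append(n)
    return report


if __name__ == "__main__":
    for kind, found in audit(SAMPLE_NAMES).items():
        print(f"{kind:12s} {found}")
```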