Why are domain-validated certificates dangerous?
A domain-validated or low-authentication (1-factor) product is a server certificate delivered quickly and without any real vetting. It guarantees neither the identity of the website's owner nor the actual existence of the organization!
This kind of certificate enables SSL encryption but makes it impossible for web users to know the identity of the party they are talking to (think of two men having a conversation inside an unlit vault: nobody can hear them, so their conversation is secure, but they cannot see the person they are speaking with!).
Certification authorities that issue these certificates check only one thing: that the owner of the domain name, as displayed in the WHOIS, is the requester of the certificate. Usually they send an email carrying a password to the email address found in the WHOIS and wait for it to be entered via a web interface. They may also dial the phone number provided in the WHOIS to ask for a confirmation.
This procedure is easily hijacked. Firstly, because the information provided in the WHOIS is purely declaratory and is never checked by the registrar. Secondly, because registrars can modify the information as they please. Needless to say, anybody can reserve a domain name similar to an existing one and get a certificate for it.
It makes phishing attacks possible. Let's imagine your bank's website is https://www.creditbank.com/ and that the latter is secured with a domain-validated certificate. Its certificate will present the information:
CN = www.creditbank.com OU = Domain Validated O = www.creditbank.com
A hacker wanting to attack this bank will reserve a similar domain name, such as www.credltbank.com, and provide false information in the WHOIS, such as a Yahoo! email address and a VoIP phone number. In a matter of minutes he will obtain an SSL certificate with the information:
CN = www.credltbank.com OU = Domain Validated O = www.credltbank.com
Finally he will create a fake website hosted on a hijacked server and launch his phishing operation.
The ordinary web user will be totally fooled, connecting to a website that looks like the genuine one and that carries a valid SSL certificate!
Sounds familiar, doesn't it?
So one piece of advice: do not use low-authentication certificates.
Some certificates can provide strong authentication and low price, from £53, see our TBS X509 certificates.
NOTE: we recently witnessed, through compromises of domain registrars, that domain-validated certificates did not offer any protection whatsoever. A hacker who controls the domain can then obtain a genuine domain-validated certificate (sometimes supplied by the very registrar he has just hacked!). When it comes to security, putting all your eggs in one basket (the domain, and a certificate issued on the basis of that domain alone) is really risky.
How to spot a domain-validated certificate
Just display the server certificate. To do so, double-click the golden padlock.
You'll see 'Delivered to' or 'Organization', but there will be no organization name, just a domain name!
In the 'Details' tab, click 'Object' or 'Subject'. You'll see an 'OU' field indicating 'Domain Validated' or something similar.
Note as well that neither the city nor the owner's address appears!
This means there is no information at all about the certificate owner.
Would you buy from a seller whose business card carried no organization name and no city?
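The spotting rules above can be applied mechanically to a certificate's subject line. The following is an added example, not code from TBS: it parses a subject in the notation used on this page (or the comma or slash forms that OpenSSL and browsers display), then reports the same tell-tale signs a reader is asked to look for. The inputs are constructed, and the "Domain Control Validated" marker is an assumed variant beyond the page's own 'Domain Validated'.

```python
import re

# OU values that announce domain validation. The page names 'Domain Validated'
# "or some similar content"; the second marker is an assumed common variant.
DV_OU_MARKERS = ("domain validated", "domain control validated")

# One 'KEY = value' attribute, whether the subject is written as on this page
# ('CN = x OU = y'), comma separated ('CN=x, OU=y') or OpenSSL style ('/CN=x/OU=y').
_ATTR = re.compile(
    r"\b(CN|OU|O|L|ST|C)\s*=\s*(.*?)(?=\s*[,/]?\s*(?:CN|OU|O|L|ST|C)\s*=|\s*$)"
)

def parse_subject(subject):
    """Return the subject attributes as a dict, e.g. {'CN': ..., 'OU': ..., 'O': ...}.
    RFC 4514 escaping is not handled: a value containing ',' or '/' would be cut."""
    return {key: value for key, value in _ATTR.findall(subject)}

def dv_findings(subject):
    """Apply the page's spotting rules and list every sign of a DV certificate."""
    f = parse_subject(subject)
    cn = f.get("CN", "").lower()
    bare_cn = cn[4:] if cn.startswith("www.") else cn
    org = f.get("O", "")
    findings = []
    if any(m in f.get("OU", "").lower() for m in DV_OU_MARKERS):
        findings.append("OU declares domain validation")
    if not org:
        findings.append("no organization name")
    elif org.lower() in (cn, bare_cn):
        findings.append("O merely repeats the domain name")
    if "L" not in f and "ST" not in f:
        findings.append("no city or state")
    return findings

def is_domain_validated(subject):
    """True on a strong signal: a DV marker in OU, or an O that is missing or is
    just the domain name. A missing city alone is only corroborating evidence."""
    return any(x != "no city or state" for x in dv_findings(subject))

if __name__ == "__main__":
    # Constructed inputs: the page's DV example and an invented organization-vetted subject.
    for s in ("CN = www.credltbank.com OU = Domain Validated O = www.credltbank.com",
              "CN=www.creditbank.com, O=Credit Bank plc, L=London, C=GB"):
        print(s, "->", "DV" if is_domain_validated(s) else "OV", dv_findings(s))
```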
Below are some links to security incidents due to domain validated certificates:
- 2015-03-19 - When Comodo is fooled by an Outlook.com alias
Here, an MD5 vulnerability demonstrates the danger of 1-factor certificates:
In December 2008, a survey from Netcraft showed that 95% of the certificates using MD5 were 1-factor ones (mostly FreeSSL, RapidSSL and Thawte 123 certificates)!
Last edited on 03/20/2015 09:16:55