SSL vendor practices

changlinn Member Posts: 42
Hi everyone. Not going to name names, but I have recently witnessed a client who has registered a few SSL certs to subdomains of a domain they do not own. I thought this was against the practice of registrars; can someone point me to any code of conduct on this kind of thing?

Seems very dodgy. If this high-level registrar is allowing this, what else are they allowing, and what is the point of SSL if they are going to do this? Should I report it to their internal support, or is there someone higher I can go to?
A+, C|EH, CISSP, CISM, CRISC, GSTRT, MCSA:Messaging, MCSE:Security
"Brain does not meet certification requirements, please install more certifications" Me
Currently Studying: Cyber Security masters and ISC2 CCSP.
Security blog; http://security.morganstorey.com

Comments

  • docrice Member Posts: 1,706
    Which CA did they register with?
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • changlinn Member Posts: 42
    Can't really name names, but it's a big one. They aren't my employer and I have no relationship with them; I'd just prefer, if it is confirmed to be against a code of conduct, to disclose it to them first so they have a chance to fix it.
  • docrice Member Posts: 1,706
    For general certificate signing requests, the administrative contact of the domain is contacted as a "verification step" to ensure that only the authorized agents can request a certificate. This is done via e-mail. It sounds lame (and it is) but in most cases that's how it's done. If you go with higher cert "levels" (such as "extended validation") there's supposed to be more thorough checking to ensure the identity of the organization and the requester is indeed who they claim to be.

    I would think it's generally against policy for anyone to try and get issued a cert for a domain they're not responsible for, much like trying to apply for a driver's license using a fake name.
  • Zartanasaurus Member Posts: 2,008
    I've heard GoDaddy is pretty bad about this sort of thing.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMware vSphere 5 42.8%
  • jibbajabba Member Posts: 4,317
    I have registered a few SSL certs myself, and while Verisign and Thawte were painfully detailed when it came to confirming my and the company's details, some others (I actually forgot the name) simply supplied the cert after being paid for it.

    Having said all that, what's the point / worry? If you do have a certificate, you need to install it on the load balancer / firewall / web server. So even if someone buys a certificate for a domain (or subdomain) he doesn't own, there isn't much he can do unless he has access to the infrastructure, and installing it on another domain would cause cert errors, which I am sure is about as useful as a self-signed cert.

    Or am I missing something obvious ?
    My own knowledge base made public: http://open902.com :p
  • docrice Member Posts: 1,706
    All that would be left for an attacker to pull off a seamless attack would be a MITM via DNS, etc., which really isn't that hard in many public environments.
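To make the two sides of this concrete: the check a CA is supposed to apply before issuing (does every requested name fall under a domain the requester proved control of, as docrice's "verification step" post describes) and the check a browser applies afterwards (does the name in the cert match the host it is talking to, which is why a mis-issued cert plus DNS spoofing gives no cert error at all). The following is an added example written for this thread, not code from any post or CA; all domain names in it are made up, the helper names are my own, and it deliberately skips public-suffix handling (it would treat `co.uk` as a domain someone could "own").

```python
"""Two checks around certificate issuance, as an added illustration.

validate_csr_names()  - the CA-side check: every requested SAN must sit
                        under a domain the requester has proven control of.
hostname_matches()    - the client-side check: RFC 6125-style name matching,
                        including the one-label wildcard rule.

Names and scenarios below are constructed for the example.
"""
from typing import Iterable


def _canon(name: str) -> str:
    """Lower-case, drop a trailing dot; DNS names are case-insensitive."""
    return name.strip().lower().rstrip(".")


def is_under(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it.

    A leading wildcard label is stripped first, so '*.api.example.org'
    counts as being under 'example.org'. No public-suffix list is
    consulted (an assumption of this example), so 'example.co.uk' would be
    reported as under 'co.uk'.
    """
    n = _canon(name)
    if n.startswith("*."):
        n = n[2:]
    d = _canon(domain)
    return n == d or n.endswith("." + d)


def validate_csr_names(requested: Iterable[str],
                       validated_domains: Iterable[str]) -> dict:
    """Split requested SANs into authorized / unauthorized.

    validated_domains are the domains whose control was actually proven
    (e.g. by the admin-contact e-mail round trip). A CA that issues a cert
    containing anything in 'unauthorized' has done what this thread is
    complaining about.
    """
    validated = [_canon(d) for d in validated_domains]
    authorized, unauthorized = [], []
    for name in requested:
        bucket = authorized if any(is_under(name, d) for d in validated) else unauthorized
        bucket.append(name)
    return {"authorized": authorized, "unauthorized": unauthorized}


def hostname_matches(presented: str, hostname: str) -> bool:
    """Does a name from the certificate match the host being connected to?

    Rules used: exact match after canonicalisation; or a wildcard that is
    the entire leftmost label, matching exactly one label, with at least
    two labels to its right ('*.org' is refused). Multi-level and partial
    wildcards are refused.
    """
    p, h = _canon(presented), _canon(hostname)
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_accepts(san_names: Iterable[str], hostname: str) -> bool:
    """A client accepts the cert if any SAN matches the hostname."""
    return any(hostname_matches(n, hostname) for n in san_names)


if __name__ == "__main__":
    # Constructed scenario: requester proved control of example.org only,
    # but the CSR also asks for a host under a domain they do not own.
    csr_names = ["shop.example.org", "*.api.example.org", "login.victim.example"]
    print(validate_csr_names(csr_names, ["example.org"]))

    # If the CA issues anyway and the attacker also controls what
    # 'login.victim.example' resolves to for a victim (DNS spoofing),
    # the browser's own check passes with no warning at all.
    print(cert_accepts(["login.victim.example"], "login.victim.example"))
```

The CA-side function is the one that should have fired for the case in the original post; the client-side one shows why jibbajabba's "it would just cause cert errors" holds only as long as the attacker cannot also steer the victim's DNS, which is docrice's point.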