Security researchers have found a serious hole in StartSSL's domain verification. The vulnerability allowed anyone to obtain SSL certificates for any domain without proving ownership of it.
StartSSL is a web-based service that lets webmasters and site owners obtain valid SSL certificates for their domains, trusted by all the major browsers. The service belongs to the Israeli company StartCom.
To prevent abuse, the service requires each user to prove ownership of a domain before a certificate is issued for it, so that an attacker cannot obtain certificates for other people's sites.
Verification can be done in several ways; the most common is to place a specific file at the root of the web server for the domain being validated, where only the site's operator could have put it.
The vulnerability lies in StartSSL's verification by e-mail. In this variant the user receives a validation code at one of a small fixed set of administrative mailboxes at the domain itself (of the postmaster@ and webmaster@ kind), which only the domain's operator should be able to read.
The form that lets the user choose which of these addresses the code is sent to submits the chosen address as a parameter of the HTTP request. An attacker can intercept that request on its way to the server and change the parameter.
The e-mail address parameter can be changed to any address at all, and the server trusts the value it receives instead of re-checking it against the permitted list for the domain. The validation code therefore arrives in the attacker's own mailbox, and anyone can obtain an SSL certificate for any site.
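The following is an added illustration of the flaw described above, not code from StartSSL or from the researchers who reported it. It models the validation step as two small functions: a vulnerable one that sends the code wherever the submitted `email` field says, and a fixed one in which the client only picks an index and the server derives the permitted mailboxes itself. The mailbox names (postmaster@, hostmaster@, webmaster@), the request dictionaries and the in-memory outbox are assumptions constructed for the example.

```python
"""Toy model of an e-mail based domain-validation step.

The CA sends a one-time code to an address that only the domain owner
should be able to read. The vulnerable variant trusts the address the
browser submitted; the fixed variant re-derives the allowed set on the
server and accepts nothing but a choice from that set.
"""
import re
import secrets

# Assumption for this example: the CA offers the RFC 2142 admin mailboxes.
ADMIN_LOCAL_PARTS = ("postmaster", "hostmaster", "webmaster")

# Constructed stand-in for the mail server: records (recipient, code).
OUTBOX = []

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def allowed_validation_addresses(domain):
    """Return the only addresses the CA is willing to send a code to."""
    domain = domain.strip().lower()
    if not _DOMAIN_RE.match(domain):
        raise ValueError("not a valid domain name: %r" % domain)
    return tuple("%s@%s" % (lp, domain) for lp in ADMIN_LOCAL_PARTS)


def _issue_code(address):
    """Generate a one-time code and 'mail' it to address."""
    code = secrets.token_hex(8)
    OUTBOX.append((address, code))
    return code


def send_code_vulnerable(request):
    """Broken: whatever 'email' the client posted is where the code goes.

    The form only offers the admin addresses, but the server never
    re-checks, so a request intercepted and edited in transit delivers
    the code to the attacker's own mailbox.
    """
    return _issue_code(request["email"])


def send_code_fixed(request):
    """Fixed: the client chooses an index; the server owns the address list.

    In a real CA the domain would come from the pending order in the
    user's session, not from the request; it is taken from the request
    here only to keep the example self-contained.
    """
    allowed = allowed_validation_addresses(request["domain"])
    try:
        idx = int(request["choice"])
    except (KeyError, ValueError):
        raise PermissionError("invalid mailbox selection")
    if not 0 <= idx < len(allowed):
        raise PermissionError("invalid mailbox selection")
    return _issue_code(allowed[idx])


def last_recipient():
    """Address the most recent validation code was sent to."""
    return OUTBOX[-1][0]


if __name__ == "__main__":
    # Constructed request: the attacker has swapped the e-mail field.
    tampered = {"domain": "bank.example", "email": "attacker@evil.example"}
    send_code_vulnerable(tampered)
    print("vulnerable sent code to:", last_recipient())

    send_code_fixed({"domain": "bank.example", "choice": "0"})
    print("fixed sent code to:", last_recipient())
    try:
        send_code_fixed({"domain": "bank.example", "choice": "attacker@evil.example"})
    except PermissionError as e:
        print("fixed rejected tampered request:", e)
```

The design point is that anything the browser sends can be rewritten in transit, so the server must treat the submitted value as a selection among options it generates itself, never as the destination. The same rule applies to the file-based method: the server decides the path it will fetch, the client only proves it could write there.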
Such a loophole could be exploited again and again to obtain SSL certificates for banks' domains and use them in phishing campaigns, since a certificate from a trusted CA raises no browser warning.
StartSSL fixed the hole on the same day it was reported, so a serious problem was averted quickly. But many other services could contain similar holes, and the phishers are not asleep.