Security researchers recently found a serious flaw in StartSSL's domain validation. The vulnerability allowed anyone to obtain an SSL certificate for any domain without proving ownership of it.
StartSSL is a web-based certificate authority service that lets webmasters and site owners obtain SSL certificates for their domains, trusted by all major browsers. The service belongs to the Israeli company StartCom.
To prevent abuse, the service requires every user to prove ownership of a domain before a certificate is issued for it, so that an attacker cannot obtain certificates for other people's sites.
Verification can be carried out in several ways; the most common is to place a specific file in the web root of the domain being validated.
The vulnerability was in StartSSL's email-based validation. In this method the user receives a validation code at one of a small, fixed set of administrative mailboxes belonging to the domain being validated (the standard role addresses at that domain, such as postmaster@ and webmaster@).
In the form where the user picks which of those addresses the code should be sent to, the chosen address is submitted as an ordinary parameter of the HTTP request. An attacker can intercept that request, for example with a local proxy, and edit the parameter before it reaches the server.
Because the server accepted the submitted value instead of checking it against the addresses it had itself derived for the domain, the email parameter could be changed to any address at all. Anyone could therefore request a certificate for any site and receive the validation code in their own mailbox.
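The following is an added example, not StartSSL's code or part of the original post. It shows the pattern described above in miniature: a validation handler that trusts the client-supplied address, beside a hardened version that recomputes the permitted addresses server-side and rejects anything else. The function names, the WHOIS stand-in, the role-mailbox list and the tampered request are constructed for illustration.

```python
"""Added example (not StartSSL's code): an email domain-validation handler that
trusts the client-supplied address (the flaw described above) beside a hardened
version that recomputes the permitted addresses on the server.
All names, the WHOIS stub and the sample requests are constructed."""
import secrets
from typing import Optional

# Role mailboxes commonly accepted for domain validation (RFC 2142 mailboxes,
# also listed in the CA/Browser Forum Baseline Requirements).
ROLE_MAILBOXES = ("postmaster", "hostmaster", "webmaster", "admin", "administrator")

# Constructed stand-in for a WHOIS lookup; a real CA would query the registry.
WHOIS_CONTACTS = {
    "victim-bank.example": {"registrant@victim-bank.example"},
}


def allowed_validation_addresses(domain: str) -> frozenset:
    """Addresses that prove control of `domain`, derived server-side only.
    The client never supplies this list; it may only pick a member of it."""
    domain = domain.lower().strip(".")
    role = {f"{local}@{domain}" for local in ROLE_MAILBOXES}
    return frozenset(role | WHOIS_CONTACTS.get(domain, set()))


def vulnerable_send_code(form: dict, outbox: list) -> str:
    """Flawed handler: the destination is whatever the client put in the
    `email` parameter, so an intercepted request can redirect the code."""
    code = secrets.token_urlsafe(16)
    outbox.append((form["email"], form["domain"], code))
    return code


def hardened_send_code(form: dict, outbox: list) -> Optional[str]:
    """Fixed handler: the requested address must be one the server derived for
    the domain; anything else is refused and no code is generated."""
    domain = form["domain"]
    requested = form["email"].strip().lower()
    if requested not in allowed_validation_addresses(domain):
        return None  # log and reject; never send a code to an unverified address
    code = secrets.token_urlsafe(16)
    # A real CA would also store (domain, requested, code) so the later code
    # check is bound to the same domain and mailbox.
    outbox.append((requested, domain, code))
    return code


def demo():
    """Replays the attack: the browser offered postmaster@victim-bank.example,
    but the attacker edits the POST body in a proxy so `email` is their own."""
    tampered = {"domain": "victim-bank.example", "email": "attacker@evil.example"}
    vuln_outbox, hard_outbox = [], []
    vulnerable_send_code(tampered, vuln_outbox)  # code is mailed to the attacker
    rejected = hardened_send_code(tampered, hard_outbox) is None
    return vuln_outbox[0][0], rejected, len(hard_outbox)


if __name__ == "__main__":
    print(demo())  # ('attacker@evil.example', True, 0)
```

A more robust form would not transmit the address at all: the server renders its derived list, the client submits only an opaque index into it, and the server resolves the index against the same list when the request arrives. Either way, the principle is that anything proving domain control is decided on the server, never taken from the request.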
The flaw could have been exploited repeatedly to obtain valid certificates for banks' domains and use them in phishing campaigns that browsers would accept without warning.
StartSSL fixed the hole on the same day it was reported, and a serious problem was averted quickly. Many other services, however, may contain similar flaws. Phishers are not asleep.
Do you need SSL certificates? LeaderSSL is a certificate store trusted for years by millions of visitors. Buy a certificate from a trusted brand.
Hi, neat post. There's a problem with your web site in Internet Explorer, would you check this! IE is still the market leader and a good portion of people will miss your fantastic writing due to this problem.
It's all OK with the site. We checked it and don't see any errors.
I will right away grasp your RSS feed as I can't find your email subscription link or e-newsletter service. Do you have any? Please let me know so that I may subscribe. Thanks.
We don't have this option right now. We are trying to add it in the near future. Thanks for asking.