Thursday, 7 July 2011

EFF Reveals More Bad Digital Certificate Signing Practices

The Electronic Frontier Foundation warns that certification authorities (CAs) have signed tens of thousands of digital certificates for unqualified names, some of which even passed extended validation.

The EFF, one of the leading digital rights watchdogs, reached this conclusion after analyzing data from its SSL Observatory project, which collects publicly visible certificates and looks for weaknesses in the public key infrastructure (PKI). Digital SSL certificates are used to establish encrypted connections and trust on the Internet, which makes them a vital part of its security.

It is, therefore, no wonder that a recent security incident, in which a hacker managed to obtain rogue certificates for several high-profile domains from Comodo, has put the practices of certification authorities under the microscope.

The EFF warns that, aside from hardcoding usernames and passwords in tools used by resellers and failing to perform proper checks on certificate requests received from them, CAs also sign unqualified names.

In practice, a public CA should only sign a certificate for a fully qualified domain name, such as "mail.example.com", after verifying that the requester controls it. However, it turns out that some CAs have signed certificates for bare names like "exchange", "mail" or "wiki", which do not resolve on the public Internet and are typically used only on local networks.

"In fact, the most common unqualified name is 'localhost,' which always refers to your own computer! It simply makes no sense for a public CA to sign a certificate for this private name," writes Chris Palmer, EFF's technology director.

Another name for which thousands of valid certificates exist is "exchange", along with variations of it such as "exchange01", "exchange02" and so on. Not only have CAs signed certificates for unqualified names; many of them have signed multiple certificates for the same unqualified host, which means several unrelated organizations can hold publicly trusted certificates for the same name.

In total, the EFF has counted 37,244 valid certificates that shouldn't exist. A separate investigation performed in January uncovered 10 EV certificates of the same type.
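The following is an added example, not code from the EFF or the SSL Observatory, showing the kind of check an auditor would run over the names a certificate asserts (its Common Name plus DNS Subject Alternative Names) to find the certificates the article describes. It goes slightly beyond the article by also flagging bare IP address literals and suffixes reserved for private or test use (RFC 2606, RFC 6761, RFC 6762). The certificate records are constructed inline to imitate extracted observatory data; the serials and names are not real certificates.

```python
"""Flag certificates whose names a public CA should never have signed.

Added example; the records below are constructed to imitate the
(CN, SAN) data an observatory extracts from certificates. They are not
real certificates, and the audit logic is this example's own, not EFF's.
"""
import ipaddress
from collections import Counter

# Suffixes reserved for private/test use (RFC 2606, RFC 6761, RFC 6762).
# Assumption of this example: flagging them goes beyond the article's
# unqualified-name check, but a public CA should not sign them either.
RESERVED_SUFFIXES = ("local", "localhost", "test", "example", "invalid")


def is_unqualified(name: str) -> bool:
    """True if `name` is not a fully qualified, publicly resolvable DNS name."""
    name = name.strip().lower().rstrip(".")
    if not name:
        return True
    # A wildcard is acceptable only when a qualified name follows it.
    if name.startswith("*."):
        name = name[2:]
    if name == "*":
        return True
    # A bare IP literal in a DNS name field is not a host name at all.
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        pass
    labels = name.split(".")
    if len(labels) < 2:  # "exchange", "mail", "wiki", "localhost"
        return True
    return labels[-1] in RESERVED_SUFFIXES  # "printer.local", "db.test"


def cert_names(cert: dict) -> list:
    """Every host name a certificate asserts: the CN plus all DNS SANs."""
    names = [cert["cn"]] + list(cert.get("san", []))
    seen, out = set(), []
    for n in names:  # deduplicate case-insensitively, keep order
        key = n.lower()
        if key not in seen:
            seen.add(key)
            out.append(n)
    return out


def audit(certs: list) -> dict:
    """Summarise, in the style of the EFF's count, which certs should not exist."""
    bad_certs = []
    name_counts = Counter()
    for cert in certs:
        bad = [n for n in cert_names(cert) if is_unqualified(n)]
        if bad:
            bad_certs.append(cert["serial"])
            name_counts.update(n.lower() for n in bad)
    return {
        "bad_certs": bad_certs,
        "name_counts": name_counts,
        # Names that appear in more than one certificate (the "multiple
        # certs for the same host" problem from the article).
        "multiple_certs_for": sorted(n for n, c in name_counts.items() if c > 1),
    }


# Constructed sample records (hypothetical serials and names).
SAMPLE_CERTS = [
    {"serial": "01", "cn": "www.example.org", "san": ["www.example.org", "example.org"]},
    {"serial": "02", "cn": "mail.example.org", "san": ["mail.example.org", "exchange"]},
    {"serial": "03", "cn": "exchange01", "san": ["exchange01", "exchange01.corp.example.org"]},
    {"serial": "04", "cn": "localhost"},
    {"serial": "05", "cn": "exchange", "san": ["exchange", "10.0.0.5"]},
    {"serial": "06", "cn": "*.example.org"},
]

if __name__ == "__main__":
    report = audit(SAMPLE_CERTS)
    print("certificates that should not exist:", report["bad_certs"])
    for name, count in report["name_counts"].most_common():
        print(f"  {name}: {count} certificate(s)")
    print("names with more than one certificate:", report["multiple_certs_for"])
```

A real audit would feed `audit()` with names parsed from the certificates themselves (for example with a DER parser or the `openssl x509` CLI) rather than from hand-written records; the classification logic stays the same.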

This represents a very serious abuse of trust, because EV stands for extended validation: these certificates are supposed to be issued only after extensive identity checks, and no identity check can establish who legitimately owns a name like "mail" or "exchange".

The main concern is that if any of these certificates falls into the hands of attackers, it can be used to impersonate mail and other types of servers on networks that use those names internally. Because every browser and operating system trusts the issuing CA, a client that connects to the bare name "mail" or "exchange" would accept such a certificate without any warning.

Source URL:-News.Softpedia.Com

1 comment:

digital signature said...

I agree with you on the point that SSL Certificates are used to establish encrypted connections and trust on the Internet which makes them a vital part of its security. EFF is right in taking major steps and in warnings that it gave as security is the major concern in all this.
