So a few months ago I decided to see how easy it was to buy an SSL certificate for a domain I didn’t own. It turns out that it was very easy because at least one large certificate authority (CA), RapidSSL (owned by Verisign) allowed a large number of email addresses to be used for verification (such as ssladministrator@, it@, etc.).
The original article is available here: http://www.linux-magazine.com/w3/issue/114/054-055_kurt.pdf. I also contacted the Mozilla/Firefox people through the mozilla.dev.security.policy mailing list to let them know about it and to show the proof (the emails from RapidSSL to me). Betanews ran a nice article (http://www.betanews.com/article/Security-researcher-Trivially-easy-to-buy-SSL-certificate-for-domain-you-dont-own/1270072287), and not much else happened for a while.
Things finally got rolling when a Bugzilla report was filed (Bug 556468, which was basically a copy of an older bug Bug 477783 concerning Equifax doing basically the same thing). A Verisign representative confirmed they had removed a bunch of problematic email addresses they allowed, but ssladmin@ was still valid (this turned out to be a mistake as you’ll soon see).
Fast forward about two weeks and someone has copied my article and thrown in a few screen shots and submitted it to Slashdot (http://news.slashdot.org/story/10/04/18/1218212/Become-an-SSLAdmin-In-a-Few-Easy-Steps) personally I don’t mind if people copy my work and build off of it, but when they protray it as their own original work with no credit or original source mentioned that is a bit annoying.
Although annoying it had the benefit of showing the world that by using the ssladmin@ email address (remember, the one Verisign didn’t remove) which resulted in the rather quick disabling of it:
VeriSign will be removing the following generic approver email options for GeoTrust and RapidSSL as of tonight or tomorrow night:
– ssladmin, sysadmin, and info
So I guess in the end it worked, certificates are hopefully a little more secure now but the sad thing is I spent several dozen hours basically holding vendors feet to the fire for something they should have been doing all along.
Oh and there is no way to find out if a certificate authority has issued a certificate for your domain to someone else. Unlike DNS/etc. there is no way to query what certificates have been issued.