The SSL infrastructure is based, in a large sense, on trust. We trust that vendors of the software that checks certificates will only trust the roots of certificate authorities that are trustworthy, and that means CAs that check to see that the applicant for a certificate is who he says he is.
Unfortunately, there are no real standards for how to verify identity of an applicant for a conventional SSL certificate. This is one of the main motivations behind EV-SSL, for which there is a defined standard for authentication of applicants.
But even for conventional SSL certs, you’d think there would be some verification done, but it’s not always the case. Thus, we have the case of a Comodo reseller attempting to scam users into buying certs under false pretenses and then selling a cert for mozilla.com to someone with no affiliation with that organization.
Eddy of startcom.org had been getting annoying “reminder” e-mails for renewing his certificate from a company from which he did not buy that certificate. If you own a domain name, you’ve probably gotten these notes from other, shady domain registrars. Some even send them snail mail. As part of attempting to learn who these clowns were, Eddy bought a certificate from them for the domain mozilla.com. If you do a whois on mozilla.com, you’ll see it’s listed to DNS Admin, Mozilla Corporation, with a real Mountain View, Calif., address and what look like real phone numbers and e-mail addresses.
The certificate vendor that Eddy was dealing with is Certstar, apparently a Danish company and a reseller for Comodo, a legitimate CA (although Certstar’s own certificate comes from Equifax). I sent a note to Comodo about this not too long ago, so they haven’t got back to me yet, but in the meantime I found a response they posted to an e-mail list operated by Eddy:
“Eddy,As I noted in my prior correspondence, Comodo has undertaken an internal review of the Certstar reseller account. We have informed CertStar that their email violates their contractual obligation to refrain from sending unsolicited emails and that their email could be interpreted as misleading and confusing to the customer. During our review, we discovered that Certstar had apparently issued a certificate to mozilla.com without validating control of the domain. We immediately revoked the certificate (prior to your posting) and have suspended Certstar’s reseller activities until our investigation has been completed. Please let me know if you have any further problems.RegardsRobin AldenComodo“
Under the circumstances, they seem to be doing what they can, although the circumstances are somewhat of their own making. It all raises a lot of questions:
- It appears that Comodo affiliates do the verification, not Comodo itself. This surprises me. Is it typical of SSL affiliate relationships?
- How about EV-SSL? Is it sold through affiliates?
- Will Comodo now review other sales that Certstar has made for such problems?
- Which other CAs have affiliate relationships, and are they reviewing them as well?
EV-SSL can’t be the answer for the mainstream because it’s very expensive, essentially by design. It’s meant to protect very high-value sites. There are, as I said, no standards for plain old vanilla SSL, but there are CA policies and the contracts they have with resellers. If Comodo’s name is to continue to have value, it can’t say this problem begins and ends with this incident, or even just with Certstar. It has to make clear to the public what it expects of resellers and how it enforces that policy. In fact, all CAs need to do this.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack.