I have a domain, where some other users have access to upload files, use email, use XMPP, etc.
How can I prevent that these users go to a certificate authority and get a certificate for my domain? Unless the CA requires personal contact, how do they technically proof ownership of a domain?
(Assuming a somewhat "trusted" CA, i.e., one in the lists of browsers. This is not about how they should do it, but how they are or might be doing it in practice. One CA with a weak process would be sufficient for being compromised.)
- Should I disallow uploading/editing files in a specific location, with a specific name? Is there some kind of reserved file location/name for owner verification?
- Should I disallow giving out specific email adresses? Are there reserved addresses used by CAs?
- Or is the email address from the Whois used? But what if there is no email specified?
- Should I disallow giving out specific Jabber IDs? Do any CAs use XMPP at all?
- Any other protocols that might be used? Something in the DNS?
(This question is related, but it’s about attackers that shouldn’t have access to the server in the first place. In my case, however, I want to give access to people; I just want to be sure what I shouldn’t allow them to do.)
Update: It seems like a Finnish man was able to demonstrate this "attack" by issuing a certificate for the domain
live.fi by having the address
Last year, I made a bet with a friend that I can get a browser-trusted certificate with his domain name in order to launch a successful MiTM attack on his login form to steal his password. Long story short: I lost the bet; I wasn't able to convince any of the 16 CAs I contacted that I'm the legitimate owner of the domain.
Even though I had an email account on his mail server and had FTP access to a user directory under the WWW directory.
Let's go back a little. What do CAs do before issuing you a basic certificate? They have a process called Domain Control Validation (DCV). The good news is that DCV makes it difficult for somebody to issue a certificate on your behalf. The bad news is that each CA can make custom amendments and modifications to the DCV, which makes it impossible to tell which CA will be the weakest link.
Generally speaking, CAs use one of the following methods:
1. Domain Email Validation: They will send you a verification link/code to one of the following email addresses:
2. Domain CNAME Validation: They will ask you to create a custom CNAME entry. It usually involves hashes of your Certificate Signing Request (CSR) or a randomly-generated key of their choice. An example of such entry is
<MD5(CSR)>.yourdomain.com. CNAME <SHA1(CSR)>.CA.com
3. HTTP Request Validation: They will ask you to upload a specific text file to the root of your domain. The file should be accessible with the following HTTP request
And it should contain
Interesting findings: During my "challenge", I managed to get one CA (SSL.COM) to agree on uploading the text file to
Domain/MyUserName/Something.txt and email me the verification link to
[email protected]. However, they insisted that they must verify me with a phone call to the number in the WHOIS records. I also found out that some CAs require a phone as a first-step verification, even before the email verification. Such CAs don't issue certificates for domain names using privacy options.
So, to directly answer your question, prevent your users from creating special email addresses (mentioned above. You also might want to add
[email protected], etc; prevent your users from creating CNAME entries; and, finally, prevent them from adding files to the root of your domain.
Note: Just because 16 CAs turned out to be good, it doesn't mean that there aren't ones out there that are willing to compromise in the name of "customer convience".
In my experience, the CA's will do one of two things:
- Send a challenge email to the domain owner as listed in the WHOIS.
- Request the customer to create a custom, but temporary DNS record.
Sometimes they may ask both.
Since this answer is somewhat anecdotal, I would suggest that you implement strong security regardless of whether they can create fake certificates or not. Google Apps for example requests sites to create a CNAME record, but will accept an HTML document uploaded instead. While this is not a CA, they are still working with verifying domain ownership.
Generally, having a user able to upload content to your website is problematic.