Free SSL + Free Vulnerabilities

July 15, 2016 | By Comodo SSL

The StartEncrypt tool is reported to have a severe vulnerability that would allow malicious hackers to acquire SSL certificates for domains that they neither own nor control. In simple terms, cyber criminals could obtain SSL certificates for any domain: facebook, twitter, google, youtube, wikipedia, amazon, microsoft, apple, bbc, Nytimes, cnn, imdb, nih, and so on, and even YOUR domain.

The StartEncrypt tool was developed by StartCom, a Certificate Authority (CA) known for its StartSSL service. StartCom, with good intentions, offers the tool for free so that free SSL certificates can be installed on servers easily. Installing SSL certificates is sometimes a chore, and this tool promises to ease the process.

However, even for issuance of FreeSSL certificates, the CA has to validate the domain for which the SSL certificate is being requested. This process, called Domain Validation, involves verifying whether the domain is under the control of the entity or person requesting the certificate. Typically, CAs perform an “email challenge”: they send an email to an address at the domain and ask the recipient to respond to it or to upload a specific file. As the name implies, the result is just a Domain Validated certificate; the process is usually automated and does not involve any manual intervention.

There are other types of SSL certificates that involve different validation processes. For Organization Validated and “Extended Validation” certificates the organization is also verified. These involve paperwork and more detailed verification. Considerable cost is involved, and hence they are not offered for free.

However, as a Free SSL certificate is provided free of cost, most or all CAs that issue them have automated the process. This is where vulnerabilities have been observed with some providers.

The StartEncrypt Tool Process

The StartEncrypt tool runs on both Windows and Linux servers. When it is installed on the server and run, it:

  • Detects the webserver configuration
  • Identifies the domains in the configuration
  • Requests Domain Validated SSL certificates
  • The StartCom API then sends an HTTP request to the website of the domain for which the SSL certificate is being requested
  • It checks whether the applicant or requester actually has access to, and control of, the website
  • If the validation is successful, the API sends an SSL certificate to the client, which is then installed in the web server configuration.

The Bugs:

The client in the StartEncrypt tool has been found to have numerous vulnerabilities.

Specifying file path

In order to verify that the requester of the SSL certificate actually controls the domain, the API downloads a signature from the domain at the “/signfile” path. This path can be specified by the client, and that is the vulnerability: the path can point at any file located on the server, and whatever the API finds there is accepted as the validation proof. Hence, certificates can be obtained for any domain!

Following Redirects

The StartCom API follows redirects. This vulnerability allows the API to be sent along any redirect, even to other domains, until it acquires the necessary proof. Hence, any website that has an “open redirect” vulnerability, or that allows users to upload files and then serves those files back in raw format, is vulnerable.

An “open redirect” cannot be considered a vulnerability by itself, as this feature is used on many logout pages; however, the combination of the path bug and the open redirect is a severe vulnerability which would allow the hacker to obtain SSL certificates for other websites that have an open redirect feature.
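To make the two bugs above concrete from the CA's side, here is an added example (not StartCom's code) that models a domain-validation fetch over a constructed in-memory web: a weak policy that lets the client name the path and follows redirects, beside a hardened policy that pins a CA-chosen path, refuses redirects and requires the proof to be served by the named host. The host names, paths and tokens are all constructed; the fixed path is an assumed design choice.

```python
from urllib.parse import urlparse

# Constructed in-memory web: host -> path -> (status, body or redirect target).
# victim.example has an open redirect and a raw-served user upload, as in the post.
WEB = {
    "victim.example": {
        "/go": (302, "http://attacker.example/proof.txt"),
        "/uploads/avatar.png": (200, "token-for-attacker-request"),
    },
    "attacker.example": {"/proof.txt": (200, "token-for-attacker-request")},
    "owner.example": {"/.well-known/ca-signfile": (200, "token-for-owner-request")},
}


def fetch(url, follow_redirects, hops=0):
    """Minimal GET against WEB; returns (status, body, host the body came from)."""
    u = urlparse(url)
    status, payload = WEB.get(u.hostname, {}).get(u.path, (404, ""))
    if status == 302 and follow_redirects and hops < 5:
        return fetch(payload, follow_redirects, hops + 1)
    return status, payload, u.hostname


def validate_weak(domain, client_path, token):
    """Models the flawed policy: the client names the path and redirects are followed."""
    status, body, _ = fetch(f"http://{domain}{client_path}", follow_redirects=True)
    return status == 200 and body == token


def validate_hardened(domain, token, path="/.well-known/ca-signfile"):
    """CA-chosen fixed path, no redirects, and the proof must come from the named host."""
    status, body, host = fetch(f"http://{domain}{path}", follow_redirects=False)
    return status == 200 and host == domain and body == token


if __name__ == "__main__":
    atk = "token-for-attacker-request"
    print(validate_weak("victim.example", "/go", atk))                  # redirect bug
    print(validate_weak("victim.example", "/uploads/avatar.png", atk))  # path bug
    print(validate_hardened("victim.example", atk))                     # rejected
    print(validate_hardened("owner.example", "token-for-owner-request"))  # legitimate
```

The token stands in for the per-request proof the CA expects; the hardened policy still fails for victim.example because nothing under the fixed path is attacker-controlled and a redirect there is not followed.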

Cyber security experts report that they have discovered numerous other vulnerabilities too:

  • The server’s certificate is not checked for validity
  • A “Duplicate-Signature Key Selection” attack is possible.

In conclusion, cyber security experts comment that the StartEncrypt tool is not secure. It would be wise to obtain SSL certificates from more reputable CAs, who take application security seriously.
