Internet certification authorities (CAs) are charged with the task of vouching for the identities of secure web servers. When you browse to https://www.wellsfargo.com/, your browser knows it’s the real wellsfargo.com because VeriSign, a CA, says it is.
However, if CAs don’t validate the identities of the sites they vouch for, the whole system breaks down. In this post, I’ll discuss one way in which CAs frequently fail.
Using data in EFF’s SSL Observatory, we have been able to quantify the extent to which CAs engage in the insecure practice of signing certificates for unqualified names. That they do so in large numbers indicates that they do not even minimally validate the certificates they sign. This significantly undermines CAs’ claim to be trustworthy authorities for internet names. It also puts internet users at increased risk of network attack.
While users are increasingly familiar with the padlock symbol in their browsers and are told to trust it and other indicators that a site they are visiting is secure, the EFF's investigation reveals that some of this trust may be misplaced. What is even more worrying is that the supposedly more secure extended validation (EV) certificates are also being issued for unqualified domains:
George Macon at Georgia Tech has also used the Observatory to investigate the unqualified names problem. For example, he isolated the CAs that sign unqualified names, and counted how many times each one did so. (GoDaddy is by far the worst offender.) He also identified some extended-validation certificates that are issued to unqualified names. In January 2011, when he ran his analysis, ten of the twenty-eight unqualified EV certificates were still valid.
These practices undermine trust in the overall system, which is problematic for obvious reasons. Fortunately, the EFF post does include suggestions for how various parties can help remedy the situation to a degree.
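A minimal version of the per-CA audit Macon describes (which CAs sign unqualified names, how often, and how many of the EV ones are still valid on the audit date), written here as an added example; it is not code from the EFF post or the Observatory tooling. The certificate records, the audit date and the set of reserved suffixes treated as non-public are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# Suffixes reserved for local use and never delegated in the public DNS
# (RFC 6761 localhost, RFC 6762 .local, ICANN-reserved .internal); the
# list is this example's assumption, not something from the EFF post.
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".internal")
UTC = timezone.utc

def is_unqualified(name: str) -> bool:
    """True if a certificate DNS name cannot identify a public, fully-qualified host."""
    n = name.strip().lower().rstrip(".")
    if n.startswith("*."):          # judge a wildcard by the name beneath it
        n = n[2:]
    if not n or "." not in n:       # single-label names: "mail", "exchange", "localhost"
        return True
    return n.endswith(NON_PUBLIC_SUFFIXES)

def audit(certs, now):
    """Per-issuer count of unqualified-name certs, plus how many are EV and still valid at `now`."""
    per_issuer = Counter()
    ev_total = ev_valid = 0
    for cert in certs:                      # cert: issuer, names (CN + SANs), ev, not_after
        if not any(is_unqualified(n) for n in cert["names"]):
            continue
        per_issuer[cert["issuer"]] += 1
        if cert["ev"]:
            ev_total += 1
            if cert["not_after"] > now:
                ev_valid += 1
    return per_issuer, ev_total, ev_valid

# Constructed sample records standing in for Observatory data; not real certificates.
SAMPLE = [
    {"issuer": "CA A", "names": ["www.example.com"], "ev": False,
     "not_after": datetime(2012, 1, 1, tzinfo=UTC)},
    {"issuer": "CA A", "names": ["mail.example.com", "mail"], "ev": False,
     "not_after": datetime(2012, 1, 1, tzinfo=UTC)},
    {"issuer": "CA B", "names": ["exchange"], "ev": True,
     "not_after": datetime(2010, 6, 1, tzinfo=UTC)},     # already expired at AUDIT_DATE
    {"issuer": "CA A", "names": ["*.example.org", "intranet.local"], "ev": True,
     "not_after": datetime(2011, 12, 31, tzinfo=UTC)},
]
AUDIT_DATE = datetime(2011, 1, 15, tzinfo=UTC)   # when the counts are taken

if __name__ == "__main__":
    by_issuer, ev_total, ev_valid = audit(SAMPLE, AUDIT_DATE)
    for issuer, count in by_issuer.most_common():
        print(f"{issuer}: {count} certificate(s) for unqualified names")
    print(f"EV certificates for unqualified names: {ev_total}, still valid: {ev_valid}")
```

On real data the same `audit` would run over records pulled from the Observatory database, with the issuer taken from the certificate's issuer DN and the names from the subject CN plus the subjectAltName extension.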