A fascinating blog post by Keyboard Cowboy details his efforts to expose a flaw in the granting of SSL certificates. In summary, many CAs (Certificate Authorities) validate control of a domain by sending an e-mail to an administrative account on that domain such as “administrator” or “postmaster.” Some CAs include “ssladmin” in the list of authoritative addresses, and many free web mail services allow that particular address to be registered by anyone, making it possible to get yourself a certificate for the web mail domain.
This particular exploit strikes me as being almost social engineering. It’s not, technically, because it doesn’t involve interaction with a person, but the hole exists because of a lack of communication between the web mail providers and the CAs. Imagine if CAs decided to add another address to the list of usable ones, such as “securityadmin”? Unless all web mail providers were informed, this would just re-open the hole.
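To make the gap between the two lists concrete, here is an added example (my own code, not from the original post or from Keyboard Cowboy’s write-up) of the check a web mail provider could run on its side: a sign-up gate that refuses any mailbox name a CA treats as authoritative, and an audit that reports which CA-accepted names are still claimable by an ordinary user. The CA list uses the names mentioned above plus the hypothetical “securityadmin”; the provider’s reserved list is constructed for the example, and the assumption that dots and “+tag” suffixes are ignored in mailbox names is provider-specific.

```python
# Validation local-parts the post says CAs accept, plus the hypothetical
# "securityadmin" the post imagines a CA adding later.
CA_VALIDATION_LOCAL_PARTS = {"administrator", "postmaster", "ssladmin", "securityadmin"}

# Constructed example of a web mail provider's reserved-name list. It does
# not contain "ssladmin" or "securityadmin", which reproduces the gap.
PROVIDER_RESERVED = {"administrator", "postmaster", "abuse", "webmaster"}


def normalize_local_part(local: str) -> str:
    """Canonical form for comparing mailbox names.

    Lower-cases, drops a '+tag' suffix and removes dots, so that a sign-up for
    'SS.LAdmin+x' is compared as 'ssladmin'. Whether a provider actually
    delivers those variants to the same mailbox is an assumption here; if it
    does, the gate must compare the normalized form or it can be bypassed.
    """
    local = local.strip().lower()
    local = local.split("+", 1)[0]
    return local.replace(".", "")


def registration_allowed(requested: str,
                         ca_list=CA_VALIDATION_LOCAL_PARTS,
                         reserved=PROVIDER_RESERVED) -> bool:
    """Sign-up gate: refuse any name that a CA would treat as authoritative
    for the domain or that the provider already reserves."""
    name = normalize_local_part(requested)
    blocked = {normalize_local_part(n) for n in ca_list | reserved}
    return name not in blocked


def unreserved_validation_addresses(ca_list=CA_VALIDATION_LOCAL_PARTS,
                                    reserved=PROVIDER_RESERVED) -> set:
    """Audit: which CA-accepted validation names can still be registered by
    an ordinary user? A non-empty result is exactly the hole the post describes,
    and re-running it whenever a CA changes its list is the missing feedback loop."""
    reserved_norm = {normalize_local_part(n) for n in reserved}
    return {n for n in ca_list if normalize_local_part(n) not in reserved_norm}


if __name__ == "__main__":
    print("CA validation names a user could still register:",
          sorted(unreserved_validation_addresses()))
    for candidate in ["SSLAdmin", "ss.ladmin+foo", "alice"]:
        verdict = "allowed" if registration_allowed(candidate) else "blocked"
        print(f"{candidate!r} -> {verdict}")
```

The audit function is the useful half for the defender: run it against each CA’s published list of accepted addresses and the result tells you which names to reserve before a certificate can be obtained through them.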
It brings to mind the idea that all security systems are tradeoffs. Every system that increases security in one way reduces it in another. SSL certificates are certainly a boon to online security; they make web commerce possible. But the realities of issuing certificates make it so that not all SSL certificates can be trusted. So even if you are diligent in looking for the https: and a valid certificate, your trust may be misplaced and you’ll be less secure than if you didn’t trust any site.
It’s important to keep this in mind when designing security solutions and policies. Always try to identify how this new policy will reduce security. Complex password requirements are more secure, but also more likely to be written down. Time-consuming door entry procedures increase the likelihood of tailgaters. Police radios help police to coordinate activities, but scanners let the criminals keep an eye on them. I would submit that if you are looking at a new security policy and haven’t been able to identify the ways in which it harms security, then you haven’t thought it through enough to implement it.
Follow me on Twitter @AdamRuth