SSL Seriously? [Update] [en]

I just ordered a muilti-domain SSL-certificate for 3 of the websites that are run by my company. It’s a simple domain-validated certificate, so they sent me a validation e-mail to the webmaster address of the domain.

Yes, you heard right! I’m saying the domain, cause they only bothered to validate one of the three Domains mentioned in the CSR!!! However, I’m now in possession of an SSL-certificate that is perfectly valid for all 3 of our websites!

They did not seem to bother doing any validation at all for the other two domains. Yes, I did send them scans of some legal papers related to our company. And yes, in theory they could have cross-checked this with the authorities and with the DNS and whois records. But I really doubt they did that, since I didn’t get any feedback regarding the other two domains.

I did not install the certificate on our webservers yet, ’cause I’ll be out of office the next couple of days. (Don’t want to risk trouble due to something stupid I might do while installing it.) However, the certificate looks perfectly valid, and the root of the certificate chain, is a built-in CA in most common browsers. I’ll report back once I’ve actually put the certificate into real-life use…

[Update] By now I’ve installed the certificate, and in deed it works flawlessly for all 3 domains. [/Update]

I also plan to confront the Issuer, and ask why they do such sloppy validation!?Any one could have obtained such an SSL certificate for our domains this way!

[Update] It took some time, but at last I found the time to send a little inquery to the Issuer. They were very quick to reply that they did indeed perform domain-validation. They assured they did it by means of legal papers and whois-records. As mentioned above I consider this a feasible approach to domain-validation in this specific situation. Maybe my suspicion was unjustified? However, it still smells sort of fishy, since they did not bother to tell me right away how they did domain-validation.
And even if this particular Issuer did a good job, I bet there are others who are more sloppy! [/Update]

I mean, I’m well aware that it’s easy to obtain fake SSL-certificates. There was a real nice presentation on the issue at the last CCC congress. Also, Fefe’s Blog had a german post that sums up the SSL dilema some while ago. However, I never would have thought that messing with SSL is so ridiculously easy! To me, it just happened by accident!

Leave a comment