Did you know: Lawyers can certify web domain ownership? Well, not no more they ain't
Legal letters, Whois no longer good for obtaining HTTPS certs
Lawyers will no longer be allowed to certify someone's ownership of an internet domain name, and the public Whois no longer represents proof of ownership, when it comes to assigning security certificates to site owners.
That means, for example, you can no longer pay a lawyer $500 to write you a letter asserting you own a particular domain name, and use that to obtain an SSL/TLS cert for it, nor use the Whois database to back up your claims of ownership. These two security loopholes were shut down this week in revised rules for Certificate Authorities (CAs) – the folks that issue, typically via intermediaries, HTTPS certificates for websites.
Internet users are reliant on these digital certificates to encrypt and protect their connections when they visit a HTTPS website, and the site's cert must match its domain name. So if you want a certificate for supercyberbadgers.com, you usually have to demonstrate you own or administrate it before the cert is issued.
Thanks to Google's decision to flag up any site without such a certificate as insecure in its Chrome browser, these certs have become essential. Google's search engine also favors secure sites, and, of course, there are many other benefits to encrypting your site's traffic – and these days free certs are available.
The whole system is under scrutiny. Code-signing certs were found on black markets. Millions of old paid-for Symantec-issued web certificates were killed off after it was discovered the biz has failed to follow CA "baseline requirements" and allowed several organizations to issue their own certificates through its systems without appropriate oversight.
It is those "baseline requirements" that are being revised to remove the Whois and lawyer letters as legitimate forms of authentication for identifying who owns and operates a particular domain name.
In March last year, the joint CA/Browser Forum – which decides on the rules – voted to scrap a vaguely worded part of the rules where a CA could use "any other method of confirmation which has at least the same level of assurance as those methods previously described" and replace it with a list of approved methods.
Whowas
That vote was unanimous. However, a more contentious vote in February this year also scrapped the lawyer and Whois methods of authentication. Previously a lawyer was able to write a letter asserting someone's ownership of a particular domain name, and it could be accepted as proof of ownership. However, the CAs decided this was not a very secure system since lawyers are "generally not qualified to evaluate" domain ownership, according to the man who proposed the motion, Tim Hollebeek of DigiCert.
The Whois method allowed a CA to compare the name and address of the domain owner in the public Whois database to the certificate applicant and approve the application if they matched.
But in another sign that the fiercely protected Whois service isn't worth the paper it isn't written on, the CAs decided this also represented a security risk because people simply make up false Whois details and internet overseer ICANN fails to require a decent level of authentication.
Not everyone was on board with the change however: of the 22 CAs, 14 voted yes – basically all the ones you have heard of – four abstained (Actalis, Disig, HARICA, OATI) and four voted against the change (Buypass, Chunghwa Telecom, Entrust Datacard, SwissSign). All five browser makers voted yes (five? Yes, Comodo apparently has a browser called "Dragon" based on Chromium. Who knew?)
But with 78 per cent of CAs voting yes, it passed, and as of August 1 – yesterday – the new rules came into force. It's not clear that everyone will follow the rules straight away but if a CA is discovered to be using the now-obsolete validation methods, they risk have the certificate revoked – and security researchers will no doubt be looking out for just this sort of behavior.
Walk through
The process has been covered in some detail by Hollebeek in a blog post. It's worth noting that his company, DigiCert, is also the company in charge of cleaning up Symantec's certificate mess – something that he says has been completed.
We spoke to Hollebeek, who views the changes as a critical step in staying ahead of cybercriminals. "There is always a certain amount of angst when there is a ballot to change the baseline requirements," he told us, "but the threat landscape is constantly changing and we have to get better and better."
With that in mind, Hollebeek says he will continue pushing to tighten up the validation rules further to limit the opportunity for dodgy certs. CAs have a set of best practices that a future ballot will propose pulling into the official requirements – such as requiring a CA to ask for an applicant by name. There is also a proposal that would require CAs to say in their certificate which method was used to validate a domain – something that could prove useful in identifying future security gaps.
Hollebeek stresses, however, that no one method of validation is perfect, and that some which are perfectly good in one context may be risky in another – for example an agreed website change that could be carried out by a third party on an e-commerce website, or a user account in an online publishing system.
Other approaches that provide a decent level of security: email from the same domain name; agreed changes to a domain's DNS records; a test certificate; a phone call; an associated IP address; and, of course, DNSSEC and DANE.
In short, while digital certificates are not foolproof, it will be increasingly difficult for scammers and malware folk to get hold of a legit certificate. Combined with browsers' warning against websites without such a certificate, the overall security of the internet should be bumped up a little – which can only be a good thing. ®