
SSL errors rife among certification authorities

by Iain Thomson

07 Apr 2011


Research from the Electronic Frontier Foundation (EFF) has shown that large numbers of certification authorities are signing off on unqualified domains, with GoDaddy the worst offender.

Data from the EFF's SSL Observatory project, which has analysed all publicly visible IPv4 SSL certificates, found 37,244 unqualified domain names that had been signed off by certification authorities.

These were typically multiple variants of 'localhost' or 'exchange', and their existence could expose users to man-in-the-middle attacks.
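As an added example (not from the article or the EFF), the check below classifies the DNS names found in a certificate's subject and subjectAltName the way an audit of Observatory-style data would, so that names such as 'localhost' or 'exchange' stand out; the reserved-suffix set and the sample name list are constructed assumptions.

```python
"""Flag certificate names that no public CA should be vouching for."""
import ipaddress
import re

# Suffixes that are reserved or non-public (illustrative set, not exhaustive).
# 'localhost' and 'local' are reserved by the IETF; the rest are common
# private-network suffixes assumed here for the example.
RESERVED_SUFFIXES = {"localhost", "local", "lan", "internal", "intranet"}

# One DNS label, or a bare wildcard: letters, digits, hyphens (not leading/trailing).
LABEL_RE = re.compile(r"^(?:\*|[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)$")


def classify_name(name):
    """Return 'ip', 'malformed', 'unqualified', 'reserved' or 'qualified'."""
    n = name.strip().lower().rstrip(".")
    try:
        ipaddress.ip_address(n)
        return "ip"            # an IP literal is not a DNS name at all
    except ValueError:
        pass
    labels = n.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return "malformed"     # e.g. underscores or an empty label
    if len(labels) == 1:
        return "unqualified"   # no dot: 'localhost', 'exchange', bare '*'
    if labels[-1] in RESERVED_SUFFIXES:
        return "reserved"      # e.g. 'exchange.local'
    return "qualified"


def audit(names):
    """Group a certificate's names by class; anything but 'qualified' is a finding."""
    report = {}
    for name in names:
        report.setdefault(classify_name(name), []).append(name)
    return report


# Constructed sample: the kind of subjectAltName list the research flagged.
SAMPLE_NAMES = ["mail.example.com", "*.example.com", "localhost",
                "EXCHANGE", "exchange.local", "10.0.0.5", "bad_host"]

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_NAMES).items():
        print(f"{kind:12s} {hits}")
```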

Chris Palmer, technology director of the EFF, told V3.co.uk that there is no way of knowing at present whether the unqualified domains are being used maliciously.

However, the EFF is working on a browser plug-in to aid the scanning effort and help determine whether malicious activity is taking place.

Nevertheless, the research showed gaping holes in the practice of some certification authorities, Palmer said, and the scale of the problem means that very little is being done to address it.

"Maybe it's a few bad apples, but they're very big apples. When Comodo got hit we checked to see what would happen if we stopped trusting their certificates and found 84,000 domains that would be blocked. People are afraid to touch this scale of problem," he said.

There are some hopeful signs, however. Browser manufacturers are looking into solutions, and Mozilla has opened a discussion on the topic today.

Since only four key browser manufacturers control the vast bulk of the market, there are far fewer parties to co-ordinate than when trying to get agreement from hundreds of certification authorities.

The certification authorities sector is also addressing the problem by setting up the CA/Browser Forum, which looks at ways to modify best practice. Palmer said that he had been encouraged by the constructive way the group handled criticism of current practices.

"The CA/Browser Forum recognises and appreciates the work of the EFF's SSL Observatory," said the group in a statement.

"The data gathered by the EFF will help analyse certificate issuance practices, and hopefully identify areas where certification authorities can improve security and operations.

"The CA/Browser Forum, a consortium of certification authorities and browser developers, supports this relatively recent EFF endeavour."

Palmer will also publish further research showing misallocation of top-level domains (TLDs). There should be around 300 TLDs, but the survey showed over 1,200.
