“The industry-accepted standard for confirming someone is who they say they are and that they control a domain is that ‘the CA takes reasonable measures to verify,’ which is very ambiguous at best and meaningless at worst,” wrote world-renowned security expert Kurt Seifried in an article on SSL security keys published in the May 2010 issue of Linux Magazine.
As Betanews reported last week, two university researchers presented findings at a recent security conference that security companies routinely deal with governments able to compel certificate authorities to hand over SSL signing keys. A key obtained that way can sign a certificate in the name of any other Web site, enabling a law enforcement authority, hypothetically speaking of course, to impersonate virtually any site.
World-renowned security expert Kurt Seifried, author of numerous books on Linux system administration, network security, and cryptography, contacted Betanews on Wednesday. In the May 2010 issue of Linux Magazine, Seifried reports on his own discovery, which goes one very critical step further: You don’t need to be a government, he found, to get a certificate authority (CA) to issue an SSL certificate for a major Web mail service of your choice. You just need a valid credit card.
“Brief summary: One way to get certificates for domains you don’t own: 1) Find a free Web mail provider. 2) Register an account such as ssladmin. 3) Go to RapidSSL.com and buy a certificate. When given the choice of what email address to use, simply select ssladmin. 4) Go through the certificate registration process (this takes about 20 minutes). 5) You will now have a secure Web certificate for that Web mail provider,” Seifried told Betanews Wednesday afternoon.
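The weakness in the procedure Seifried describes is that the CA treats control of whichever mailbox the applicant names at the target domain as control of the domain itself. The following added example, which is not code from the article, from Seifried or from any CA, models both sides of that mistake: a CA validation step that accepts any mailbox at the domain beside a constrained version that honours only a fixed set of domain-authoritative names (the CA/Browser Forum Baseline Requirements later confined CAs to admin, administrator, webmaster, hostmaster and postmaster at the domain, plus contacts published in WHOIS or DNS), and a webmail provider's sign-up check that refuses to give those names to ordinary users. The provider domain, the list of additional names a loose CA flow might honour, and the alias-folding rules are assumptions for the demo.

```python
"""Added example: the local-part trap behind the RapidSSL/webmail finding.

Not code from the article or from any CA. Models the flaw and two fixes:
a CA-side restriction on which mailboxes prove domain control, and a
provider-side denylist so those mailboxes are never handed to users.
"""

# Local-parts a CA may treat as proof of control of the whole domain
# (the CA/Browser Forum Baseline Requirements later confined CAs to this
# list, plus contacts published in WHOIS or DNS).
AUTHORITATIVE_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"})

# Names that looser validation flows, like the one in the article, have
# also accepted. Only "ssladmin" is named by the article; the rest are an
# assumption for the demo and should be tuned to the CAs a provider cares about.
LOOSELY_ACCEPTED_LOCAL_PARTS = frozenset(
    {"ssladmin", "sslwebmaster", "root", "is", "it", "info"})

RESERVED_LOCAL_PARTS = AUTHORITATIVE_LOCAL_PARTS | LOOSELY_ACCEPTED_LOCAL_PARTS


def split_address(addr):
    """Return (local_part, lowercased domain); reject malformed input."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return local, domain.lower()


def permissive_ca_validation(chosen_email, domain):
    """The flow the article describes: the applicant picks any mailbox at
    the target domain and the CA mails its challenge there, so control of
    *any* account at a webmail provider counts as control of the domain."""
    _, mail_domain = split_address(chosen_email)
    return mail_domain == domain.lower()


def constrained_ca_validation(chosen_email, domain):
    """Hardened flow: only fixed, domain-authoritative mailboxes qualify.
    The local part is compared literally (case-folded only) on purpose: the
    CA cannot know whether the receiving provider folds dots or '+tags', so
    'ad.min@' must not be accepted as 'admin@'."""
    local, mail_domain = split_address(chosen_email)
    return mail_domain == domain.lower() and local.lower() in AUTHORITATIVE_LOCAL_PARTS


def normalize_local_part(local):
    """Collapse aliases that many webmail providers route to one mailbox
    (case, dots, '+tag'), so 'Ad.min+x' cannot slip past a name denylist.
    Dot-folding is provider-specific; assumed here for the demo provider."""
    local = local.lower().split("+", 1)[0]
    return local.replace(".", "")


def registration_allowed(requested_local_part, reserved=RESERVED_LOCAL_PARTS):
    """Provider-side sign-up check: refuse any name a CA could read as the
    domain's administrator, after folding the provider's own aliases."""
    return normalize_local_part(requested_local_part) not in reserved


def exposed_local_parts(policy):
    """Audit helper: which CA-honoured names would a sign-up policy still
    give away? An empty set means the provider is closed to this attack."""
    return {name for name in RESERVED_LOCAL_PARTS if policy(name)}


if __name__ == "__main__":
    target = "webmail.example"  # constructed: a free webmail provider's domain
    attacker_box = f"ssladmin@{target}"  # the account from step 2 of the article
    print("permissive CA would issue:", permissive_ca_validation(attacker_box, target))
    print("constrained CA would issue:", constrained_ca_validation(attacker_box, target))

    # A provider that reserves only the five standard names still leaks the
    # names a loose CA honours; the full denylist closes the gap.
    def naive_policy(name):
        return normalize_local_part(name) not in AUTHORITATIVE_LOCAL_PARTS

    print("exposed under naive policy:", sorted(exposed_local_parts(naive_policy)))
    print("exposed under full policy:", sorted(exposed_local_parts(registration_allowed)))
    print("sign-up 'Ad.min+1' allowed:", registration_allowed("Ad.min+1"))
```

Note the asymmetry: the CA compares the local part literally because it cannot know the receiving provider's aliasing rules, while the provider folds its own aliases before consulting the denylist, since it does know them. Each side closes the hole on its own; the article's case needed only one of them to be in place.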