The life and times of Hanz Ostmaster: Email verification issues in SSL certificates
By Hanz Ostmaster
Background
Chaim Sanders
 Trustwave
 Security Researcher
 Member of SpiderLabs Research
 Web Server Security Team
 Offers support, development, and consulting for ModSecurity
 Supports the OWASP Core Rule Set
 Works with Trustwave WAF
 Rochester Institute of Technology
 Professor (Cryptography and Web Security)
 Prior
 Security Consulting (Pentesting, Red-teaming, Code Review, etc.)
 Governmental Consulting
Crypto and you
 Generally speaking, the area of research regarding secret writing and
methods for attacking these secret writings has long been of interest
 Cryptography – Development of enciphered writings
 Cryptanalysis – Attacking enciphered writing schemes
 Why do I care?
 Since the mid 80’s we’ve seen cryptographic systems evolve from
tools of military interest to common usage within our daily lives.
 To counter this, many (governmental) organizations have come
to rely on their ability to compromise crypto in some way.
Asymmetric Crypto
 There are many different areas of Cryptography
Asymmetric Crypto and this talk
 One of the biggest uses of asymmetric crypto in today’s
infrastructure is securing communication between
web servers
 Why might this be of interest?
 How do we ensure speed?
 Asymmetric crypto has two very nice features
 One is scale, as we previously discussed
 The other is that it often supports digital signatures
 What is a digital signature?
What is SSL
 SSL stands for Secure Sockets Layer; it is a standard security
technology for establishing an encrypted link between a server and a
client
 The first SSL certificate was created in 1994 by Netscape Communications
 SSL certificate issuers are called Certificate Authorities, or CAs
 SSL allows sensitive information such as credit card numbers and
social security numbers to be transmitted securely
 The Payment Card Industry (PCI) requires you to have an SSL
certificate
 The main components of an SSL certificate are its keys: the public and
private key
Design Requirements of an Asymmetric System
 The main design requirement is that all parties trust the
Certificate Authority
 Additionally, the certificate authority must only issue
certificates to legitimate hosts
 The question becomes: how does a CA like Symantec verify that
individuals are responsible for legitimate hosts?
 This is the interest of today’s talk.
Host verification
 There are a number of different methods that ICANN has
specified for allowing CAs to verify users:
 HTTP validation – Performed by uploading a special
text/html file into the root directory of the domain name.
 DNS-based validation – For this validation method you need to
create a specific CNAME record in the DNS settings of your domain.
 Email validation – Users are validated through an email address that
belongs to the domain
Email based authentication
 Until late 2015, the email addresses that were allowed were
specified by each CA itself. This might be an interesting
problem
 CERT Vulnerability Note 591120 (March 27th, 2015)
 Multiple SSL certificate authorities use predefined email addresses
as proof of domain ownership
 16 certificate authorities were listed as affected (others unknown)
 What is the problem?
 If an admin is not aware of sensitive email addresses and assigns
them to users, this can lead to a certificate being issued for their domain
Problem Children
 admin@yourdomain.com
 administrator@yourdomain.com
 webmaster@yourdomain.com
 ssladmin@yourdomain.com
 root@yourdomain.com
 hostmaster@yourdomain.com
 postmaster@yourdomain.com
 ssladministrator@yourdomain.com
 it@yourdomain.com
The Fix
 Most documents, including the Mozilla CA Certificate Inclusion Policy
and the CA/Browser Forum Baseline Requirements, state that the addresses
that can be used should be limited to those specified in RFC 2142
 MAILBOX NAMES FOR COMMON SERVICES, ROLES AND FUNCTIONS
 The only other exception is the contact listed in the domain’s WHOIS record
 This largely solved the underlying problem, but every CA in existence
needs to update its policies; otherwise the issue isn’t fixed
 This is mostly a problem where people can choose their own email
registration names, or where names are assigned based on a known theme.
Hence the title.
The problem shown.
An exercise best left to the reader
 Now all you would have to do is find a CA that still allows
registering that email address and, poof, a mail.rit.edu SSL
cert.
With the update
What are these addresses?
 PostMaster@example.com
 Reserved for SMTP
 Hostmaster@example.com
 Reserved for DNS
 Webmaster@example.com
 Reserved for Web
The new problem
 Not everyone realizes that these addresses must be
registered when setting up a web server that will use SSL
 Or email that will use SSL, etc.
 These email addresses are not well known. For instance,
hostmaster is not a widely recognized email address
A New Twist on a New Problem
 If these are registered then we are fine.
 But is there a situation where we might still be able to
access other people’s email?
 Where individuals might forget about this concept?
 Enter Bill Stackpole
Anonymous email access
Breaking the bank
 Mailinator is actually the only one I haven’t broken yet.
 Well, this isn’t strictly speaking true…
 However, often these are so simple that I can just search for
hostmaster@xyz.com
Other issues
 Often these are slightly more secure and require that I be
clever.
 However…
 Often these systems will try to be intelligent about their email
address handling, but not about security
 For instance: spaces, dots, null characters, etc.
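As an added example (not code from the talk), here are the two checks that the "The Fix" slide and this "Other issues" slide call for, in Python: a CA-side allowlist of constructed validation addresses with the WHOIS-contact exception, and a mail provider's reserved-name check that compares a normalized local-part so that spaces, dots, NUL bytes and look-alike characters do not slip past it. The permitted and reserved name sets, the exact-domain rule, and the sample signups are assumptions standing in for a real CA's or provider's policy.

```python
from __future__ import annotations

import re
import unicodedata

# Local-parts a CA may mail for "constructed" domain-contact validation.
# hostmaster/postmaster/webmaster are the RFC 2142 names the slides cite;
# admin/administrator are the two further names the CA/Browser Forum Baseline
# Requirements permit. In a real CA this set is policy configuration.
CA_PERMITTED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "hostmaster", "postmaster", "webmaster"}
)

# Names a shared-domain mail provider should never hand to an ordinary
# signup; the extra entries are taken from the "Problem Children" slide.
PROVIDER_RESERVED_LOCAL_PARTS = CA_PERMITTED_LOCAL_PARTS | frozenset(
    {"root", "ssladmin", "ssladministrator", "it"}
)

# Whitespace, NUL and other control characters that some providers ignore.
_CONTROL_OR_SPACE = re.compile(r"[\s\x00-\x1f\x7f]")


def normalize_local_part(local_part: str) -> str:
    """Canonical form for *comparison only* (never rewrite for delivery).

    Folds together the variants the "Other issues" slide mentions: embedded
    spaces/NUL/control characters, case, dots (Gmail-style dot insensitivity),
    +tags, and Unicode look-alikes such as fullwidth letters (via NFKC).
    """
    s = unicodedata.normalize("NFKC", local_part)
    s = _CONTROL_OR_SPACE.sub("", s)
    s = s.casefold()
    s = s.split("+", 1)[0]
    return s.replace(".", "")


def _canon_domain(domain: str) -> str:
    return domain.strip().casefold().rstrip(".")


def split_address(address: str) -> tuple[str, str]:
    """Split on the *last* '@' so an '@' inside the local-part cannot move
    the domain boundary."""
    if "@" not in address:
        raise ValueError(f"not an email address: {address!r}")
    local, _, domain = address.rpartition("@")
    return local, _canon_domain(domain)


def ca_validation_address_allowed(
    address: str, requested_domain: str, whois_contacts: tuple[str, ...] = ()
) -> bool:
    """CA side: may a validation mail for `requested_domain` go to `address`?

    Allowed only if the address is exactly one of the permitted constructed
    names at that very domain (assumption: no parent-domain shortcuts), or is
    exactly one of the registrar/WHOIS contacts, the one exception the
    "The Fix" slide allows. Anything containing hidden characters is refused
    outright rather than normalized and then accepted.
    """
    local, domain = split_address(address)
    if _CONTROL_OR_SPACE.search(local) is None:
        if (domain == _canon_domain(requested_domain)
                and local.casefold() in CA_PERMITTED_LOCAL_PARTS):
            return True
    return address.strip().casefold() in {c.strip().casefold() for c in whois_contacts}


def naive_signup_check(local_part: str) -> bool:
    """Provider side, the weak version: exact string match. True = allowed."""
    return local_part not in PROVIDER_RESERVED_LOCAL_PARTS


def hardened_signup_check(local_part: str) -> bool:
    """Provider side, hardened: compare the canonical form. True = allowed."""
    return normalize_local_part(local_part) not in PROVIDER_RESERVED_LOCAL_PARTS


if __name__ == "__main__":
    # Constructed sample signups; the naive check lets most variants through.
    for name in ["hostmaster", "host.master", "Host master", "hostmaster+x", "hanz.ostmaster"]:
        print(f"{name!r:18} naive={naive_signup_check(name)!s:5} hardened={hardened_signup_check(name)}")
```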
Just a few off my hit list
Recently in the news
General Fixes
 Don’t allow email verification
 Communication among CAs would prevent this
 It will also help security as a whole
 Pinning certificates
Editor's Notes

  1. Additionally, I lecture at RIT
  2. Others such as sysadmin, info, is, mis, sslwebmaster, etc., depending on the host
  3. If using WHOIS blocking, this doesn’t work
  4. Who can tell me about hostmaster?