The life and times of Hanz Ostmaster: Email verification issues in SSL certificates
By Hanz Ostmaster
Background
Chaim Sanders
- Trustwave
  - Security Researcher
  - Member of SpiderLabs Research
  - Web Server Security Team
  - Offer support, development, and consulting for ModSecurity
  - Supports the OWASP Core Rule Set
  - Work with Trustwave WAF
- Rochester Institute of Technology
  - Professor (Cryptography and Web Security)
- Prior
  - Security Consulting (Pentesting, Red-teaming, Code Review, etc.)
  - Governmental Consulting
Crypto and you
- Generally speaking, the area of research concerning secret writing and the methods for attacking those secret writings has long been of interest
  - Cryptography: development of enciphered writings
  - Cryptanalysis: attacking enciphered writing schemes
- Why do I care?
  - Since the mid 80's we've seen cryptographic systems evolve from tools of military interest to common usage within our daily lives.
  - To counter this, many (governmental) organizations have come to rely on their ability to compromise crypto in some way.
Asymmetric Crypto
- There are many different areas of Cryptography

Asymmetric Crypto and this talk
- One of the biggest uses of asymmetric crypto in today's infrastructure is securing communication between webservers
- Why might this be of interest?
- How do we ensure speed?
- Asymmetric crypto has two very nice features
  - One is scale, as we previously discussed
  - The other is that it often supports digital signatures
- What is a digital signature?
What is SSL
- SSL stands for Secure Sockets Layer; it is a standard security technology for establishing an encrypted link between a server and a client
- The first SSL certificate was created in 1994 by Netscape Communications
- SSL certificate issuers are called Certificate Authorities, or CAs
- SSL allows sensitive information such as credit card numbers and social security numbers to be transmitted securely
- The Payment Card Industry (PCI) requires an SSL certificate
- The main components of an SSL certificate are its keys: the public and private key
Design Requirements of an Asymmetric System
- The main design requirement is that all parties trust the Certificate Authority
- Additionally, the certificate authority must only issue certificates to legitimate hosts
- The question becomes: how does a CA like Symantec verify that individuals are responsible for legitimate hosts?
- This is the interest of today's talk.
Host verification
- There are a number of different methods that ICANN has specified for allowing CAs to verify users:
  - HTTP Validation: performed by uploading a special text/html file into the root directory of the domain name.
  - DNS-based validation: for this method you need to create a specific CNAME record in the DNS settings of your domain.
  - Email Validation: users are validated by an email address that belongs to the domain
Email based authentication
- Until late 2015 the email addresses that were allowed for validation were chosen by each CA. This might be an interesting problem
- CERT/CC Vulnerability Note VU#591120 (March 27th 2015)
  - Multiple SSL certificate authorities use predefined email addresses as proof of domain ownership
  - 16 certificate authorities were listed as affected (others unknown)
- What is the problem?
  - If an admin is not aware of sensitive email addresses and assigns them to users, this can lead to a certificate being issued for their domain
Problem Children
- admin@yourdomain.com
- administrator@yourdomain.com
- webmaster@yourdomain.com
- ssladmin@yourdomain.com
- root@yourdomain.com
- hostmaster@yourdomain.com
- postmaster@yourdomain.com
- ssladministrator@yourdomain.com
- it@yourdomain.com
The Fix
- Most policy documents, including the Mozilla CA Certificate Inclusion Policy and the CA/Browser Forum Baseline Requirements, now state that the addresses that can be used should be limited to those specified in RFC 2142
  - "Mailbox Names for Common Services, Roles and Functions"
- The only exception is an address listed as the domain's WHOIS contact
- This largely solved the underlying problem, but every CA in existence needs to update its policies; otherwise the issue isn't fixed
- This is mostly a problem where people can choose their own email registration names, or where names are assigned based on a known theme. Hence the title.
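The rule the slide describes, as a CA-side check. This is an added example written for this page, not code from the talk or from any CA: it accepts a validation mailbox only if it is an RFC 2142 role name at the requested domain or an address the caller supplies as a WHOIS domain contact. The WHOIS contact list is a constructed input; the Baseline Requirements also accept role mailboxes at parent domains, which this example leaves out for brevity.

```python
"""Added example (not from the slides or any CA's code): decide whether a CA
may send an email-based domain-validation challenge to a given mailbox."""
import re
from typing import Iterable, Tuple

# Role mailboxes the Baseline Requirements allow a CA to construct at the
# domain being validated (the RFC 2142 names the slides refer to).
ALLOWED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)

# Local parts some CAs accepted before the 2015 fix ("Problem Children")
# that are not on the permitted list; kept only to give a precise reason.
LEGACY_LOCAL_PARTS = frozenset({"ssladmin", "root", "ssladministrator", "it"})

_ADDR_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def split_address(addr: str) -> Tuple[str, str]:
    """Split 'local@domain' into lower-cased parts; reject anything fancier."""
    m = _ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not a simple mailbox address: {addr!r}")
    return m.group(1).lower(), m.group(2).lower().rstrip(".")


def is_permitted_validation_address(
    addr: str, requested_domain: str, whois_contacts: Iterable[str] = ()
) -> Tuple[bool, str]:
    """Return (allowed, reason) for sending a validation email to `addr`
    on behalf of a certificate request covering `requested_domain`.

    Simplifications (assumptions of this example): the mailbox domain must
    equal the requested domain, and WHOIS contacts are matched by exact,
    case-insensitive comparison.
    """
    local, domain = split_address(addr)
    requested_domain = requested_domain.lower().rstrip(".")

    # WHOIS exception: any address the registrar lists as a domain contact.
    # With WHOIS privacy the caller has no contacts to pass, so this branch
    # never matches (the "whois blocking" point in the editor's notes).
    contacts = {c.strip().lower() for c in whois_contacts}
    if f"{local}@{domain}" in contacts:
        return True, "listed as WHOIS domain contact"

    if domain != requested_domain:
        return False, f"mailbox domain {domain!r} is not the requested domain"
    if local in ALLOWED_LOCAL_PARTS:
        return True, "RFC 2142 role mailbox permitted by the Baseline Requirements"
    if local in LEGACY_LOCAL_PARTS:
        return False, f"{local!r} was accepted by some CAs before 2015 but is not permitted"
    return False, f"{local!r} is neither a permitted role mailbox nor a WHOIS contact"


if __name__ == "__main__":
    # Constructed sample requests for a certificate on example.com.
    for candidate in ("hostmaster@example.com", "ssladmin@example.com",
                      "webmaster@other.example", "jane@example.com"):
        ok, why = is_permitted_validation_address(
            candidate, "example.com", whois_contacts=["Jane@Example.com"])
        print(f"{candidate:28} {'ALLOW' if ok else 'DENY '}  {why}")
```

The legacy list exists only so that a rejected request gets a reason an operator can act on; the decision itself is driven solely by the permitted set and the WHOIS contacts.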
The problem shown.

An exercise best left to the reader
- Now all you would have to do is find a CA that still allows registering that email address and poof: a mail.rit.edu SSL cert.
With the update

What are these addresses
- PostMaster@example.com: reserved for SMTP
- Hostmaster@example.com: reserved for DNS
- Webmaster@example.com: reserved for Web
The new problem
- Not everyone realizes that these addresses must be registered when setting up a webserver that will use SSL
  - Or email that will use SSL, etc.
- These email addresses are not well known. For instance, hostmaster is not a widely recognized email address
A New Twist on a New Problem
- If these are registered then we are fine.
- But is there a situation where we might still be able to access other people's email?
- Where individuals might forget about this concept?
- Enter Bill Stackpole

Anonymous email access
Breaking the bank
- Mailinator is actually the only one I haven't broken yet.
- Well, this isn't strictly speaking true…
- However, often these are so simple that I can just search for hostmaster@xyz.com
Other issues
- Often these are slightly more secure and require that I be clever.
- However…
  - Often these systems will try to be intelligent about their email address understanding, but not about security
  - For instance: spaces, dots, null characters, etc.
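The defensive counterpart to the slide above: a registration check a mail provider or account-provisioning system can run so that a requested username is compared with the reserved role names only after the spaces, dots, null characters and similar variations have been collapsed. This is an added example written for this page, not code from the talk or from any provider. The reserved list is built from the names on the "Problem Children" slide and the editor's note; the first-initial-plus-surname username scheme and the sample requests are constructed for illustration.

```python
"""Added example (not from the slides): normalize a requested local part
before checking it against reserved role mailboxes."""
import unicodedata
from typing import Tuple

# RFC 2142 role names plus the other "problem children" from the slides and
# the editor's note ("sysadmin, info, is, mis, sslwebmaster").
RESERVED_LOCAL_PARTS = frozenset({
    "admin", "administrator", "webmaster", "ssladmin", "root", "hostmaster",
    "postmaster", "ssladministrator", "it", "sysadmin", "info", "is", "mis",
    "sslwebmaster",
})


def normalize_local_part(raw: str) -> str:
    """Collapse the variations a delivery system tends to treat as equivalent
    so the comparison happens on what will actually receive mail: apply
    Unicode compatibility normalization (fullwidth letters become ASCII),
    case-fold, drop a '+tag' sub-address, and strip dots, whitespace and
    control characters (including NUL)."""
    s = unicodedata.normalize("NFKC", raw).casefold()
    s = s.split("+", 1)[0]
    kept = []
    for ch in s:
        if ch == "." or ch.isspace() or unicodedata.category(ch).startswith("C"):
            continue
        kept.append(ch)
    return "".join(kept)


def registration_allowed(requested: str) -> Tuple[bool, str]:
    """Return (allowed, normalized_name) for a username a user asked for.
    An empty name after normalization is refused as well."""
    name = normalize_local_part(requested)
    if not name:
        return False, name
    return name not in RESERVED_LOCAL_PARTS, name


def username_from_scheme(first: str, last: str) -> str:
    """A common 'known theme': first initial plus surname. This is the scheme
    that turns Hanz Ostmaster into hostmaster, hence the talk's title; an
    assigned name must go through the same check as a chosen one."""
    return (first[:1] + last).lower()


if __name__ == "__main__":
    # Constructed sample requests, including the tricks from the slide.
    samples = ["hostmaster", "Host.Master", "host master", "hostmaster\x00",
               "hostmaster+ssl", "\uff48\uff4f\uff53\uff54master",
               "hanz.ostmaster", username_from_scheme("Hanz", "Ostmaster")]
    for s in samples:
        ok, norm = registration_allowed(s)
        print(f"{s!r:28} -> {norm!r:16} {'ok' if ok else 'RESERVED'}")
```

Dot removal follows the behaviour of providers that ignore dots in local parts; a provider that treats dots as significant can drop that rule, but the control-character and whitespace stripping should stay, because those characters never legitimately form part of a deliverable address.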
Just a few off my hit list

Recently in the news

General Fixes
- Don't allow email verification
- Communication among CAs would prevent this
  - It will also help security as a whole
- Pinning certificates


Editor's Notes

  1. Additionally, I lecture at RIT
  2. Others such as sysadmin, info, is, mis, sslwebmaster, etc., depending on the host
  3. If using WHOIS blocking this doesn't work
  4. Who can tell me about hostmaster?