Skip Links

Promiscuous SSL certificate signing undermines security: EFF

Analysis by Electronic Frontier Foundation highlights widespread problem

By Paul McNamara on Thu, 04/07/11 - 12:18pm.

Internet certificate authorities are creating security risks for everyone by signing off on unqualified domain names - thousands of them - according to Chris Palmer, technology director of the Electronic Frontier Foundation.  

In a pair of blog posts, Palmer details these slipshod practices and explains why they can facilitate man-in-the-middle attacks.

From the first post:

Using data in EFF's SSL Observatory, we have been able to quantify the extent to which CAs engage in the insecure practice of signing certificates for unqualified names. That they do so in large numbers indicates that they do not even minimally validate the certificates they sign. This significantly undermines CAs' claim to be trustworthy authorities for internet names. It also puts Internet users at increased risk of network attack.

In the second post, Palmer continues:

In addition to unqualified names being meaningless - or, worse than meaningless - there are also meaningless fully-qualified names. And, yes, CAs will sign those names too.

The worst offender among the CAs? GoDaddy.

Go figure.