The well-known certificate authority StartSSL, also known as StartCom, has been found to have a security vulnerability in its domain validation process. The flaw in its service could easily be misused by attackers to obtain free SSL certificates for almost any domain they do not own!
Thijs Alkemade, a security researcher at Dutch security firm CompuTest, detected several flaws in the design and implementation of StartEncrypt. StartEncrypt is a tool developed by Israeli company StartCom for issuing free SSL certificates.
StartCom is the sixth largest certificate authority (CA) in the world. The company offers trusted identity and authentication services across the globe and issues free SSL certificates for site owners as well. These free SSL certificates are meant to be domain or email validated. But the flaw let a researcher validate a domain he did not own.
The company launched the StartEncrypt project on June 4, motivated by the success of the Let’s Encrypt project. Users who wish to deploy free StartSSL certificates can benefit from the StartEncrypt service.
All you need to do is download a Linux client and then upload it to your servers.
The Linux client then carries out a domain validation process. It informs the StartSSL service, which finally issues and then installs an Extended Validation SSL certificate for the domain it detected running on the servers it just checked.
The detected flaws in StartSSL’s service
Domain and implementation flaws in StartEncrypt
According to the CompuTest reports, the validation process has flaws that, with some tricks, allow server owners to receive SSL certificates issued for other domains, like Google, Facebook, Dropbox, and more. Such certificates can then be sold or smuggled illegally or used in man-in-the-middle attacks.
Alkemade found the first issue to be a design flaw: users could manually configure the folder from which the client should automatically download a signature from the server.
Knowing this, an attacker would only need to point the tool at a folder on his server containing the signature of another domain.
Such domain signatures can be easily extracted from websites that allow their users to upload files, like Dropbox, GitHub, and others.
StartEncrypt bug and OAuth 2.0 protocol condition combined
Another issue is likely more serious, as it allowed an attacker to get SSL certificates for more domains than the first one. According to Alkemade, one of the API verification calls includes a parameter named verifyRes, which accepts a URL as input. This means the client is exposed to Open Redirect vulnerabilities: attackers could redirect this request and point the tool off-domain towards a server not under their control.
Yet note that the feature is not so easy to exploit. The URL at which attackers point the tool must:
- Let users upload files and serve them back in raw format
- Or include an Open Redirect issue of its own
While the first case is not so common, the second one is. All sites supporting OAuth 2.0, a specification that allows social login features, should allow open redirects for the protocol to work properly. An attacker leveraging the OAuth 2.0 condition and the StartEncrypt client could easily trick the StartSSL service into issuing a free SSL certificate in his name. It can be done for any site that offers OAuth 2.0 support, including Twitter, Facebook, Microsoft, Yahoo, and more.
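As an added illustration (not code from StartCom or CompuTest), the sketch below shows checks a validation service can apply so that neither a client-chosen path nor a redirect can stand in for control of the domain; it also covers the content-type problem described further down. The challenge path, function names and sample values are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Assumed location of the challenge file: chosen by the CA, never by the client.
CHALLENGE_PATH = "/.well-known/ca-challenge.txt"

def check_challenge(domain, url, status, headers, body, token):
    """Return the reasons to refuse issuance; an empty list means accept.

    status, headers and body describe the first HTTP response to url,
    captured with redirect-following switched off in the fetcher.
    """
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme not in ("http", "https"):
        reasons.append("unsupported scheme")
    if host != domain.rstrip(".").lower():
        reasons.append("host is not the domain being validated")
    if parts.username or parts.password or parts.port not in (None, 80, 443):
        reasons.append("userinfo or non-standard port in URL")
    if parts.path != CHALLENGE_PATH or parts.query:
        reasons.append("path is not the CA-chosen challenge path")
    if 300 <= status < 400:
        reasons.append("redirect returned, not followed")
    elif status != 200:
        reasons.append("unexpected status %d" % status)
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "text/plain":
        reasons.append("content type is not text/plain")
    if body.strip() != token:
        reasons.append("challenge token mismatch")
    return reasons

# Constructed sample responses for the placeholder domain example.com.
GOOD = "http://example.com" + CHALLENGE_PATH
TEXT = {"Content-Type": "text/plain; charset=utf-8"}
SAMPLES = {
    "own server": (GOOD, 200, TEXT, "tok-123\n"),
    "client-chosen path": ("http://example.com/uploads/u1/sig.txt", 200, TEXT, "tok-123"),
    "redirect": (GOOD, 302, {"Location": "http://other.example/x"}, ""),
    "uploaded avatar": (GOOD, 200, {"Content-Type": "image/png"}, "tok-123"),
}

def run_samples():
    return {name: check_challenge("example.com", *args, token="tok-123")
            for name, args in SAMPLES.items()}

if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(name, "->", reasons or "accept")
```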
Several other StartEncrypt issues
Apart from the two main issues, CompuTest also found a flaw in StartEncrypt's checking process.
The tool doesn’t validate the server’s certificate when connecting to the API.
It means that attackers could receive verification requests and issue false SSL certificates for users trying to access StartEncrypt.
The API also doesn’t verify the content type of the file it downloads for verification. In such a case, crooks could receive certificates in the name of any third-party website where users can upload their avatars. Even the certificate private key, which should be kept private, is stored with 0666 permissions in an open folder, so anyone can read it.
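The private-key permission problem can be avoided at creation time and audited afterwards. The following is an added example, not code from StartEncrypt; the function names and the file suffixes it looks for are assumptions.

```python
import os
import stat

def write_private_key(path, pem_bytes):
    """Create the key file with mode 0600 from the first instant.

    os.open applies the mode at creation, so there is no window in which
    the file exists with wider permissions (as with open() then chmod()).
    The umask can only clear bits, so it cannot widen 0600. O_EXCL refuses
    to reuse an existing file that may already be world-readable.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(pem_bytes)

def audit_key_files(directory, suffixes=(".key", ".pem")):
    """Return (path, octal mode) for key files that group or others can access."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(root, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & 0o077:  # any group/other read, write or execute bit
                findings.append((path, oct(mode)))
    return sorted(findings)
```

A key stored with 0666, as described above, is reported by audit_key_files as mode 0o666; a key written with write_private_key is not reported.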
Just like Let’s Encrypt, StartEncrypt is also vulnerable to a Duplicate-Signature Key Selection attack.
“In our opinion, StartCom made a mistake by publishing StartEncrypt the way it is,” Christiaan Ottow from CompuTest explains.
He added,
“Although they appreciated the issues for the impact they had and were swift in their response, it is apparent that too little attention was paid to security both in design (allowing the user to specify the path) and implementation (for instance in following redirects, static linking against a vulnerable library, and so on). Furthermore, they didn’t learn from the issues LetsEncrypt faced when in beta.”
StartCom released another version of the StartEncrypt Linux client. It holds the same version number 126.96.36.199.
CompuTest reported multiple other issues with the service, and the team is working on fixing them in future updates.
In March 2016, StartSSL suffered a similar security issue with its public service, allowing attackers to get SSL certificates for domains they do not own.