[cabfpub] Obtaining an EV cert for phishing

James Burton james at sirburton.com
Mon Nov 27 21:26:19 UTC 2017


Hi Jeremy,

The company "Identity Verified" was incorporated using a legitimate
address. The company could have been incorporated using a service address
bought online to assert its legitimacy as a real company for the
application of the EV SSL and in turn would have had the same outcome. The
company name in question should've started the alarm bells ringing long
before the vetting process in my opinion, as it's a really implausible
company name and way too common. If it was me doing the vetting I would've
been very sceptical of this company name and never issued the EV SSL
certificate in the first place.

The requirements specified in the EV guidelines for phone number
verification are way too relaxed in my opinion, as it shouldn't be possible
to get an EV SSL without a proper landline telephone number. The phone
number specified on this application was my mobile number, and as you can
pick up these SIM cards for nothing from mobile providers it's too easy to
bypass these requirements.

The idea of vetting each client face to face by video stream is the way
forward in vetting the company individuals for EV SSL certificates.

Thank you,

Regards,

James

On Mon, Nov 27, 2017 at 7:52 PM, Jeremy Rowley via Public <
public at cabforum.org> wrote:

> Hi Gerv,
>
> I have information about this now. Sorry for the delay.
>
> Basically, Symantec verified the organization using the UK companies
> house, which qualifies as a QGIS. Because it's a QGIS, the data source can
> be used to validate most of the requirements under the EV Guidelines,
> including address and legal existence.  The phone number was verified using
> QIIS and a call to the number, answered, of course, by the applicant. The
> result is James ended up forming a real company with fake address
> information. The failure was in the government process for vetting any kind
> of information before forming the company, which is a problem.  Speaking to
> other government entities, this is common and they usually catch these fake
> businesses on renewal (the business never receives the renewal notification
> because of the fake address/phone).  Note that the issuance itself was fine
> - the entity really existed and was located at the address specified for
> all governmental intents and purposes.  Increasing the number of data
> sources wouldn't have prevented issuance as many sources pull their info
> directly from the government resources. What do you do when the government
> fails?
>
> To answer your specific questions:
>
> 11.4: Verification of Applicant’s Physical Existence. How was that done in
> this case, and what was the address which was verified?
> - The address provided was verified with the UK Companies House.
>
> 11.6: Verification of Applicant’s Operational Existence. How was that done
> in this case? Which clause of 11.6.2 was used? What were the results?
> - Operational existence was verified under (2) using a QIIS.  The QIIS
> specified the company existed at the address specified in the UK companies
> house.
>
> One way I can think of to lock down issuance would be requiring a face to
> face validation (through video software) with each applicant if the company
> was formed within three years (operational existence).  The applicant would
> still get the cert if they were verified, but there would be a video record
> of the identity of the applicant, making law enforcement easier. Of
> course, the applicant could still use a fake ID, but obtaining the cert
> would be more risky because of the video recording. Plus, if the verifier
> determined the ID as fake, the applicant would be blacklisted from getting
> additional certs and potentially reported to authorities.  Another idea is
> to require phishing checks (such as through Google's API) daily/weekly to
> determine if the website is a phishing website.  We are still trying to
> get D&B to engage in a conversation about self-reported data, but with
> little success.
>
> Jeremy
>
>
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
> Markham via Public
> Sent: Thursday, September 14, 2017 7:08 AM
> To: CABFPub <public at cabforum.org>
> Subject: [cabfpub] Obtaining an EV cert for phishing
>
> As noted in the Paypal/Let's Encrypt meeting yesterday, James Burton has
> published a blog post claiming that it's not difficult to get a fraudulent
> EV certificate:
> https://0.me.uk/ev-phishing/
>
> Now, they didn't actually get a fraudulent one, and it did take them a few
> days and a reasonable amount of manual work, but if we accept for the sake
> of argument their claim that valid stolen personal ID can be obtained
> online easily, it does seem that the other steps are not too onerous.
>
> As someone noted at the meeting, fraudsters often don't pay for things
> with their own money. To my mind, the "cost" of EV is in the requirement to
> either reveal your true identity, or to spend prohibitive time on a
> successful effort to fool the checks.
>
> I hope we can use this as a learning experience. Because a certificate was
> not misissued, there is no obligation on them to do so, but I hope that in
> the cause of making EV better, Symantec would be willing to discuss their
> EV verification steps and what happened in this case, so we can look and
> see if the EV process needs improving.
>
> Some areas I'd particularly like to consider:
>
> 11.4: Verification of Applicant’s Physical Existence. How was that done in
> this case, and what was the address which was verified?
>
> 11.6: Verification of Applicant’s Operational Existence. How was that done
> in this case? Which clause of 11.6.2 was used? What were the results?
>
> Gerv
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
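The questions Gerv and Jeremy go through above (11.4 physical existence, 11.6 operational existence, legal existence via the QGIS) map onto specific subject attributes that the issued EV certificate ends up asserting: O, serialNumber (the registration number at the incorporating agency), jurisdictionOfIncorporationCountryName, businessCategory and the physical address. The following Go program is an added example, not code from the thread or from any CA; it builds a self-signed certificate with an EV-style subject from constructed sample data (company name, address and registration number are all made up), reads those attributes back out the way a relying party or an investigator would, and reports which mandatory EV fields are missing. The point it illustrates is Jeremy's: everything recoverable from the certificate is only as good as the register record the CA checked it against, so cross-checking the serialNumber and jurisdiction with the register is the practical verification step.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Subject attribute OIDs required by the EV Guidelines that Go's pkix.Name
// does not map to a named field; they are still available in Subject.Names.
var (
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// EVIdentity is the organisation identity an EV certificate asserts.
// Every value is only as reliable as the register (QGIS) the CA verified it against.
type EVIdentity struct {
	Organization        string // O: legal name of the subscriber
	SerialNumber        string // serialNumber: registration number at the incorporating agency
	JurisdictionCountry string // jurisdictionOfIncorporationCountryName
	BusinessCategory    string // businessCategory, e.g. "Private Organization"
	StreetAddress       string // physical address, verified under EVG 11.4
	Locality            string
	PostalCode          string
	Country             string
}

func first(ss []string) string {
	if len(ss) == 0 {
		return ""
	}
	return ss[0]
}

// extractEVIdentity reads the EV-specific subject attributes from a parsed certificate.
func extractEVIdentity(cert *x509.Certificate) EVIdentity {
	s := cert.Subject
	id := EVIdentity{
		Organization:  first(s.Organization),
		SerialNumber:  s.SerialNumber,
		StreetAddress: first(s.StreetAddress),
		Locality:      first(s.Locality),
		PostalCode:    first(s.PostalCode),
		Country:       first(s.Country),
	}
	for _, atv := range s.Names { // unnamed attributes live only here
		v, ok := atv.Value.(string)
		if !ok {
			continue
		}
		switch {
		case atv.Type.Equal(oidBusinessCategory):
			id.BusinessCategory = v
		case atv.Type.Equal(oidJurisdictionCountry):
			id.JurisdictionCountry = v
		}
	}
	return id
}

// missingEVFields lists the mandatory EV subject fields that are absent.
func missingEVFields(id EVIdentity) []string {
	var missing []string
	check := func(name, v string) {
		if v == "" {
			missing = append(missing, name)
		}
	}
	check("O", id.Organization)
	check("serialNumber", id.SerialNumber)
	check("jurisdictionCountryName", id.JurisdictionCountry)
	check("businessCategory", id.BusinessCategory)
	check("street", id.StreetAddress)
	check("L", id.Locality)
	check("C", id.Country)
	return missing
}

// makeDemoEVCert builds a self-signed certificate with an EV-style subject.
// Company name, address and registration number are constructed sample data.
func makeDemoEVCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:    "example.com",
			Organization:  []string{"Example Ltd"},
			Country:       []string{"GB"},
			Locality:      []string{"London"},
			StreetAddress: []string{"1 Example Street"},
			PostalCode:    []string{"EC1A 1AA"},
			SerialNumber:  "12345678",
			ExtraNames: []pkix.AttributeTypeAndValue{
				{Type: oidBusinessCategory, Value: "Private Organization"},
				{Type: oidJurisdictionCountry, Value: "GB"},
			},
		},
		NotBefore: time.Now(),
		NotAfter:  time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		DNSNames:  []string{"example.com"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := makeDemoEVCert()
	if err != nil {
		panic(err)
	}
	id := extractEVIdentity(cert)
	fmt.Printf("%+v\n", id)
	fmt.Println("missing EV fields:", missingEVFields(id))
}
```

To inspect a real certificate instead of the constructed one, decode the PEM with encoding/pem and pass the DER bytes to x509.ParseCertificate; the serialNumber and jurisdiction values are the ones to look up at the incorporating register, which is exactly where the thread says the bogus address entered the chain.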