microsoft.com for example can use a Verisign Certificate for their domain. What are the chances that an attacker could ask Verisign for a m1crosoft.com domain and get approved? It is very similar, but still can be used by attackers to run a "secured phishing website".

Do trusted CAs do some research on a client that asks for a new certificate to be issued? Is there a standard or an application model? Do I need to assume and not trust secure websites in reality if not?

scuzzy-delta
user43842
  • You may also be interested in @Adnan's answer to [this](http://security.stackexchange.com/q/53408/1811) similar question, which also involves tricking a Certificate Authority :) – scuzzy-delta Apr 09 '14 at 13:02

1 Answer

Basically, any CA does exactly what it wishes to do. However, OS and browser vendors won't accept just any CA as a "trusted root". E.g. Microsoft runs a root certificate program which defines the contractual conditions that a CA must fulfil in order to get its root CA public key included in the "trusted store" of all Windows systems. These conditions include a lot of legal details, financial agreements (notably insurances), and also that the CA respects clearly documented procedures for everything it does. In practice, the CA will have to do some research to verify domain ownership and weed out obvious phishing attempts before granting a certificate.

The CA/Browser forum is an organization which tries to establish baseline requirements for such jobs. See also WebTrust, which aims at being a faithful incarnation of the principles set out by the CA/Browser forum.

Extended Validation certificates are certificates which have been issued by CAs that follow strict requirements (including anti-phishing procedures), along the lines defined by these organizations. Browsers that comply with the CA/Browser forum guidelines are supposed to display EV certificates with a specific visual indication, and not to use that indication for non-EV certificates -- in effect, EV certificates are a method to define a whitelist of "good CAs" within the jungle of existing CAs.

(It has been noticed that though Microsoft and Firefox and Chrome have strict rules about inclusion of commercial CAs, they can hardly politically afford to reject a "government CA" from any big enough government, although these CAs are not necessarily well maintained and documented. "EV" is an answer to that sad state of things: browsers will include such dubious CAs but won't tag them as "EV".)

Tom Leek
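As an added example (not part of the question or of Tom Leek's answer), here is the kind of lookalike screening behind the "weed out obvious phishing attempts" step: a CA can run it on requested names before issuance, and a defender can run the same check over newly issued certificates for its own brands. The brand list, confusable table and sample names are constructed assumptions, and the m1crosoft.com case from the question is among the samples.

```python
# Lookalike-domain screening: the "weed out obvious phishing attempts" step a CA can run
# before issuance, or a defender can run over newly issued certificates for its brands.
PROTECTED = {"microsoft.com", "paypal.com"}   # constructed brand list for this example

# Visually confusable substitutions, each mapped to one representative character;
# multi-character pairs first. An assumed table, not a full confusables set.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "i"), ("l", "i"),
               ("0", "o"), ("5", "s"), ("3", "e")]

def canonical(label: str) -> str:
    """Collapse confusables: 'm1crosoft' and 'rnicrosoft' both become 'microsoft'."""
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute), used to catch typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(name: str) -> str:
    """Last two labels; enough for .com samples (real code needs the Public Suffix List)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def classify(name: str) -> str:
    """Return 'legitimate', 'homoglyph', 'typosquat' or 'clean' for one DNS name."""
    domain = registrable(name)
    if domain in PROTECTED:
        return "legitimate"
    base, verdict = domain.split(".")[0], "clean"
    for brand in PROTECTED:
        bbase = brand.split(".")[0]
        if base != bbase and canonical(base) == canonical(bbase):
            return "homoglyph"        # same shape once confusables are collapsed
        if levenshtein(canonical(base), canonical(bbase)) <= 1:
            verdict = "typosquat"     # one edit away, or same label under another TLD
    return verdict

def screen(names):
    """Map each suspicious name to its verdict, skipping clean and legitimate ones."""
    return {n: v for n in names for v in [classify(n)] if v not in ("clean", "legitimate")}

# Constructed sample of subject alternative names as they might appear in issued certificates.
SAMPLE_SANS = ["www.microsoft.com", "m1crosoft.com", "rnicrosoft.com",
               "microsft.com", "login.paypa1.com", "example.org"]
```

Running `screen(SAMPLE_SANS)` flags the four lookalikes and leaves www.microsoft.com and example.org alone; a real deployment would widen the brand list and confusable table and compare against the full registrable domain.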