Sorry for asking a potentially dumb question : but is it possible for me to set up a domain name thecitibank.com and ask letsencrypt to issue me a certificate ? I can then create a login page to steal IPINs. Isn't that why we have humans in the loop for issuing certificates ?
This comment is the exact perception about HTTPS that we need to change. It's not the job of HTTPS to say whether a website is safe or unsafe, good or bad. HTTPS should be the default communication protocol for every website, and lets encrypt move us a major step towards that by making SSL certificates free and trivial to set up.
"This comment is the exact perception about HTTPS that we need to change. It's not the job of HTTPS to say whether a website is safe or unsafe."
Too late. The web industry has spent about 20 years training regular people to look for that green lock sign in the address bar and feel all warm and fuzzy about how safe the site is. You can post on hacker news all you want about what perceptions need to be changed. It's not going to change the ground reality. SSL, as practiced in the industry today with all it's historical baggage is fundamentally broken. There's no fixing it.
Actually what's really broken is the way we've approached implementations. Recently I was trying to get a self-signed certificate for myself trusted by Python urllib3...I still don't know how to do it. It uses a completely separate trust-store. As does half a dozen other things on my system.
Java is literally the worst as well. The Java truststore doesn't even have all the certs that every major browser supports. I'm looking at you StartSSL.
Green lock = EV cert. People are trained to look for the green, not for the lock - few people other than techies even look for a grey lock. EV certs generally have much more stringent requirements than "hey, give me a cert!".
I'm pretty sure "People are trained to look for the green, not for the lock" is newer and not nearly as widely known advice as "look for the lock". And it's pretty obvious just looking around non-tech-related sites that even the "look for the lock" advice isn't all that well received - so many sites use images of padlocks on the page to imply "banking grade security!!!", surely not _all_ of them are incompetent - I have a strong suspicion that at least some of those people are doing it as part of high statistical significance validated A?B tested funnel optimisations...
A valid certificate only allows you to have a secure connection without errors and warnings popping up all over. It does nothing to guarantee that the domain is "legit". You can already set up thecitibank.com and get an SSL certificate for it without any problem. What you can't do is get the EV (green bar) certificate where indeed you need to go through a human. But I'm pretty sure Let's Encrypt won't be giving away EV certificates.
On a slight side note he may not necessarily need to control the domain entirely, just have access to a privileged email address [1]
However, now it seems you won't even need access to an email address. What would stop someone creating a cert for the real citibank.com and using it for a MITM attack? How many people actually check the green bar?
In the live.fi example, it sounds like Microsoft may have failed to prevent a random user from registering administrator@live.fi as a personal account. Citibank probably won't allow a customer to get that e-mail address!
Yeah - there's many ssl vendors who've automated everything - so long as you can read email sent to webmaster@whatever-damned-phishing-domain-you-like.com, they'll sign a csr for that domain's ssl cert.
You can also do the same at every existing CA that provides domain verified certificates. From personal experience neither StartSSL nor Comodo have a human in the look – until you want more than domain verification (e.g., "green bar" EV certificates).
StartSSL at least have a human in the loop for your initial identity validation. They got in touch with me because I'd put a work address in instead of my home address, and they worked it out and sent me a very human-like email asking me to correct it.
I got also an email from a guy because my domain name had been registered that same day, telling me to wait, sure you can automate the check, but at least the email didn't look automated.
We don't have humans in the loop for issuing certificate; this can and has been exploited for fun and profit, with fun attacks like getting a cert for "citibank.com\0.mydomain.com" which used to trick the C strcmp in most browser certificate checking routines. Moxie has an entertaining talk: https://www.youtube.com/watch?v=MFol6IMbZ7Y
Your problem would be getting people to "thecitibank.com." Chrome, Firefox, and GMail would all eventually figure out it was a phishing site and warn users about clicking through to it.
As has been said, existing domain-validated (i.e. basic) certificates are automated anyway.
The type of certificate that banks etc use are EV - Extended Validation. This means the organisation details are verified as well, and as such the browser displays the verified organisation name in green in some cases, instead of any host/url at all).
Actually it's automated in most places, simply requiring you to confirm a request via an e-mail address associated with the domain you're getting an SSL for (typically admin@ hostmaster@ webmaster@, though it varies between certificate providers).
Most of the reputable CAs have some practices in place to check for keywords related to big brands and auto-reject certificate requests. (So you can't get a certificate for "login-facebook.com" or whatnot, for instance.)
"(So you can't get a certificate for "login-facebook.com" or whatnot, for instance.)"
You mean not from one of those "reputable" CAs. But really, why would I go to a "reputable" CA for my deceptive certificate if my intent is not so reputable?
Er, from personal experience I can say that at least some well-known CAs absolutely do review keywords appearing in SSL certificate requests. For a (really stupid and disappointing) example, see:
