British security researcher Scott Helme has cast further doubt over the rigorousness of the approval process for Extended Validation (EV) digital certificates.
EV certificates for HTTPS websites are marketed as a means to provide evidence that a particular company or organization does indeed own the site.
These proof-of-ownership certificates, issued by certificate authorities (CAs), are priced at a higher premium than regular “domain-validated” digital certificates.
Helme began digging deeper into the topic after he was tipped off that an EV cert with jurisdiction given in Sweden was issued to a Danish company.
The certificate, apparently issued in error, has since been revoked, but the incident prompted Helme to start trawling through Certificate Transparency logs.
Not applicable or applied
UK companies are registered with Companies House – a government agency that assigns each business with a unique company number that falls within a fixed format.
Helme ran a script that scoured transparency logs for any UK entity that had an EV certificate but whose company number didn’t conform to this format.
The EV specification requires CAs to ask for a ‘Subject Registration Number’. In the case of UK firms, this corresponds to their Companies House-issued number.
Helme found that many EV certs issued to UK firm had “N/A” [not applicable] in this field – an invalid entry that means the EV certs themselves are incomplete and therefore need to be revoked.
“The whole point of an EV certificate is to bind the certificate to a legally registered company, so how we ended up with the company number being ‘Not Applicable’ is a bit of a mystery,” Helme writes in a blog post.
“Of course, this is wrong so when I notified the CA, they had to revoke them and issue their customer a new certificate with the correct information present inside it.”
A smaller number of certs seem to have the company phone number instead of the company number in the Subject Registration Number field. “Close, but not close enough,” Helme notes.
No value found
In yet more cases, the required Subject Registration Number field was absent altogether. Many of these certs had been revoked.
Helme struck gold when he searched in transparency logs for EV certs where there was an “empty string or no value” in the required Subject Registration Number field.
This query returned a bumper list containing 3,887 certificates.
After going through a sample of entries, Helme found the majority he looked at were “already revoked and we can assume replaced by new certificates with the appropriate values set”.
In all, the researcher was able to find over 4,000 EV certificates that needed to be revoked, corrected and re-issued by the CA in question.
“Assuming an average cost of $250 per certificate, that's $1,000,000 worth of EV certificates that needed revoking,” Helme writes, adding that these figures only cover confirmed problems.
Helme is still talking to the relevant CAs about other batches of apparently problematic EV certificates.
EV phone home
The issue with the validity of EV certs extends beyond the UK. For example, other researchers have found EV certificates issued to US companies in states that don’t exist.
In response to Helme’s post, a researcher flagged up a further apparent (and as yet unconfirmed) problem in Scandinavia, related to a Norwegian digital ID provider.
“It’s really concerning that the whole point of an EV certificate is to contain reliable information, yet with a little work I was able to find huge amounts of problems,” Helme concludes.
“According to Censys there are ~845,000 currently issued and unexpired EV certificates, meaning that just the ones mentioned in this blog post are ~0.5% of all EV certificates and they are invalid.”
Problems with the validation of data within EV certificates – such as default fields like ‘SomeState’ and ‘SomeCity’ left in certs by accident – have been acknowledged by the industry.
Helme said the issues he had uncovered were more systemic than that, and went beyond issues with typos in EV certs that he also spotted along the way.
Helme credited the CAs he’s worked with for responding quickly and appropriately when presented with issues.
“I'm not here looking for issues with CAs just to cause problems, I believe that with the power that a CA is granted they should be expected to strictly adhere to the rules and quickly rectify problems when they are identified,” he explained.
The Daily Swig invited a selection of CAs to comment on Helme’s findings. We’ll update this story as and when we hear back from them.
Depreciated but not disavowed
Developers behind Google Chrome and Mozilla Firefox are both planning to move the EV certificate indicator away from the URL or address bar to the ‘Page Info’, arguably deprecating the status of the indicator.
EV cert provider Entrust Datacard this week published a blog post arguing that despite this move, EV certs retain their worth by arguing that identity provides the foundation for security.
The company also noted that EV is used by major anti-phishing services to determine ‘safe’ websites.
“Brands with EV will still be treated as more trustworthy by browser filters,” writes Diana Gruhn, a senior product marketing manager at Entrust Datacard.
RELATED Mozilla joins Google in making Extended Validation a browser footnote