Thijs Alkemade, a security researcher for Dutch security firm CompuTest, has discovered multiple design and implementation flaws in StartEncrypt, a tool created by Israeli company StartCom for issuing free SSL certificates.
StartCom, the CA (Certificate Authority) behind the StartSSL service,the on June 4, inspired by the success of the Let’s Encrypt project.
Users that want to deploy free StartSSL certificates can take advantage of their StartEncrypt offering. They only need to download a Linux client which they’re supposed to upload to their servers.
This client performs a domain validation process, informs the StartSSL service, which then issues and installs an “Extended Validation” SSL certificate for the domain it found running on the server it just checked.
StartEncrypt contains design and implementation flaws
, this validation process is flawed, and through a few tricks allows server owners to receive SSL certificates issue for other domains, such as Facebook, Google, Dropbox, and others, which can be sold on the black market or used in man-in-the-middle attacks.
The first issue Alkemade discovered in the StartEncrypt client was a design-related problem because users could manually configure the folder from where the client would download a signature from the server.
An attacker would only have to point the tool at a folder on his server holding the signature of another domain. These domain signatures can be extracted from any sites that allow users to upload files: GitHub, Dropbox, etc..
StartEncrypt bug combined with OAuth 2.0 protocol condition
The second issue is far more serious because it allowed an attacker to obtain SSL certificates for even more domains than the ones before.
According to the researcher, one of the API verification calls contains a parameter called “verifyRes” which takes a URL as input. This means the client was vulnerable to Open Redirect vulnerabilities, meaning that an attacker could forge this request and point the tool off-domain to a server not under his control.
But this feature is not that easily exploitable. The domain URL to which the attacker needs to point the tool must (1) allow users to upload files and serve them back in raw format; or (2) to contain an Open Redirect issue of its own.
While the first condition was quite rare, the second was not. All websites that support OAuth 2.0, a specification that powers social login features, must allow open redirects for the protocol to function properly.
A crook leveraging this OAuth 2.0 condition and the StartEncrypt client could fool the StartSSL service to issue a free SSL service in his name for any site that provides OAuth 2.0 support, such as Facebook, Twitter, Yahoo, Microsoft, and so on.
Multiple other issues discovered as well
Additionally, CompuTest also discovered that StartEncrypt doesn’t check its own server’s certificate for validity when connecting to the API, meaning crooks could receive verification requests and issue false SSL certificates for users trying to use StartEncrypt.
The API also doesn’t verify the content-type of the file it downloads for verification so attackers can obtain certificates in the name of third-party websites where users can upload their avatars, and the certificate private key, which must be private, is stored with 0666 permissions in a public folder so everyone could read it.
Furthermore, just like Let’s Encrypt, StartEncrypt is vulnerable to a Duplicate-Signature Key Selection attack.
“In our opinion, StartCom made a mistake by publishing StartEncrypt the way it is,” CompuTest’s Christiaan Ottow explains. “Although they appreciated the issues for the impact they had and were swift in their response, it is apparent that too little attention was paid to security both in design (allowing the user to specify the path) and implementation (for instance in following redirects, static linking against a vulnerable library, and so on). Furthermore, they didn’t learn from the issues LetsEncrypt faced when in beta.“
StartCom has released a new version of the StartEncrypt Linux client, with the same version number 22.214.171.124. CompuTest says they reported other issues to the service, which are still being corrected and will be fixed in future updates.
, StartSSL faced a similar issue with its general service which also allowed crooks to receive SSL certificates for domains they don’t own.