Beware of StartEncrypt!
A new kid on the block in the SSL space, StartEncrypt, has been found to be vulnerable to exploitation. Like the popular Let’s Encrypt certificates now commonly deployed on websites, which challenge established players such as Comodo that charge a premium, StartEncrypt is also trying to get a foothold in the free SSL space.
Computest, a security research group based in the Netherlands, had this to say about the new service: “Recently, one of our hackers found a critical vulnerability in StartCom’s new StartEncrypt tool, that allows an attacker to gain valid SSL certificates for domains he does not control.”
They went further, stating: “While there are some restrictions on what domains the attack could be applied to, domains where the attack will work include Google.com, Facebook.com, Live.com, Dropbox.com and others.”
That is certainly something to be worried about. For background, StartCom is a well-known enterprise that has built a reputation for itself marketing StartSSL. Recently the company launched the StartEncrypt tool, which enables easy and free installation of SSL certificates on servers. This is a commendable approach from StartCom towards making sure every website is protected, and at zero cost.
The problem is that with automated issuance of SSL certificates, the CA’s domain control validation procedure is simplified to either sending an email to an address belonging to the domain or asking the user to upload a file, doing away with all the paperwork and manual checking required for Extended Validation certificates.
Computest, however, claims: “The StartEncrypt tool did not receive proper attention from security-minded people in the design and implementation phases.” This means a malicious client can use the StartEncrypt tool to obtain certificates from the CA without proper validation.
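The file-based domain control validation mentioned above is exactly where such a tool has to be strict. As an added illustration (not StartEncrypt’s or Computest’s code, and making no claim about how StartEncrypt itself failed), here is a minimal verifier that only accepts an unpredictable token served from a CA-chosen path on the requested domain, rejects redirects, and runs offline against a constructed fake fetcher; the path and hostnames are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# The CA, not the applicant, fixes where the proof must appear (assumed path).
WELL_KNOWN_PATH = "/.well-known/dcv-challenge"


@dataclass
class HttpResponse:
    status: int
    body: bytes
    location: Optional[str] = None  # Location header on a 3xx redirect


Fetcher = Callable[[str], HttpResponse]


def verify_domain_control(domain: str, token: str, fetch: Fetcher) -> bool:
    """True only if `token` is served verbatim from the fixed path on `domain`.

    Redirects are deliberately not followed: following one would let content on
    another host or path stand in for proof of control over `domain`.
    """
    url = f"http://{domain}{WELL_KNOWN_PATH}"
    try:
        resp = fetch(url)
    except Exception:          # unreachable host, nothing served, etc.
        return False
    if resp.status != 200:     # every 3xx redirect is rejected here
        return False
    # Constant-time comparison of the served body with the expected token.
    return hmac.compare_digest(resp.body.strip(), token.encode("ascii"))


def make_fake_fetch(pages: Dict[str, HttpResponse]) -> Fetcher:
    """Constructed stand-in for the network so the example runs offline."""
    def fetch(url: str) -> HttpResponse:
        return pages[url]      # KeyError models "nothing served at that URL"
    return fetch


if __name__ == "__main__":
    token = secrets.token_urlsafe(32)          # unpredictable per-request token
    url = "http://applicant.example" + WELL_KNOWN_PATH
    good = make_fake_fetch({url: HttpResponse(200, (token + "\n").encode())})
    bounced = make_fake_fetch({url: HttpResponse(302, b"", "http://other.example/p")})
    print(verify_domain_control("applicant.example", token, good))     # True
    print(verify_domain_control("applicant.example", token, bounced))  # False
```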