A new kid on the block in the free SSL space, StartEncrypt, has been found to be vulnerable to exploitation. Much like the popular Let’s Encrypt certificates that are now commonly deployed on websites, challenging established players such as Comodo which charge a premium, StartEncrypt is also trying to get a foothold in the FREE SSL space.

Computest, a security research group based in the Netherlands, had this to say about the new service: “Recently, one of our hackers found a critical vulnerability in StartCom’s new StartEncrypt tool, that allows an attacker to gain valid SSL certificates for domains he does not control.”

They went further, stating: “While there are some restrictions on what domains the attack could be applied to, domains where the attack will work include Google.com, Facebook.com, Live.com, Dropbox.com and others.”

That is certainly something to be worried about. For background, StartCom is a well-known company that built its reputation marketing StartSSL. Recently the company launched the StartEncrypt tool, which enables easy and free installation of SSL certificates on servers. This is a commendable approach from StartCom towards making sure every website is protected, and at zero cost.

The catch with automated issuance of SSL certificates is that the CA’s domain control validation procedure is reduced to sending an email to an address belonging to the domain, or asking the requester to upload a file to the web server, doing away with all the paperwork and manual checking required for Extended Validation certificates. The issued certificate is then only as trustworthy as that automated check.

Computest, however, claims, “The StartEncrypt tool did not receive proper attention from security-minded people in the design and implementation phases.” This means a malicious client can use the StartEncrypt tool to obtain certificates from the CA without proper domain validation.
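To make concrete what “proper validation” of the file-upload method looks like from the CA’s side, here is an added example of a minimal domain control validation (DCV) checker. It is not Computest’s or StartCom’s code and does not model StartEncrypt’s actual protocol; the well-known path, the plain-HTTP scheme, the token format and the offline stand-in for an HTTP client are all assumptions made for the example. The defensive points it illustrates are that the CA, not the requester, decides where the proof must be published; that the expected content is random and bound to the requesting account; and that redirects, oversized bodies and near-matches are all rejected.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple

# Hypothetical well-known path chosen for this example; the real tool's path is not given on the page.
WELL_KNOWN_PATH = "/.well-known/dcv-challenge"
MAX_BODY_BYTES = 1024


@dataclass
class Challenge:
    domain: str    # the domain the requester claims to control
    token: str     # random value generated by the CA, never chosen by the requester
    expected: str  # content the requester must publish at the CA-chosen URL


def new_challenge(domain: str, account_key_id: str) -> Challenge:
    """CA side: create a fresh challenge bound to both a random token and the requesting account."""
    token = secrets.token_urlsafe(32)
    # Binding the content to the account means a file left behind from someone else's
    # (or an older) challenge can never satisfy this one.
    expected = hashlib.sha256(f"{token}.{account_key_id}".encode()).hexdigest()
    return Challenge(domain, token, expected)


@dataclass
class FetchResult:
    status: int
    body: bytes
    redirected: bool  # True if the server tried to send us somewhere else


# fetch(url) -> FetchResult. Must NOT follow redirects; the validator decides what to do with them.
Fetcher = Callable[[str], FetchResult]


def challenge_url(ch: Challenge) -> str:
    """The CA builds the URL itself from the claimed domain; the requester supplies no host or path."""
    return f"http://{ch.domain}{WELL_KNOWN_PATH}/{ch.token}"


def verify_domain_control(ch: Challenge, fetch: Fetcher) -> Tuple[bool, str]:
    """Return (passed, reason). Only an exact, direct, small response on the named host passes."""
    try:
        res = fetch(challenge_url(ch))
    except Exception as exc:  # network errors are a failed validation, not a pass
        return False, f"fetch failed: {exc}"
    if res.redirected:
        return False, "redirect not allowed"  # a redirect would move the proof off the claimed host
    if res.status != 200:
        return False, f"unexpected status {res.status}"
    if len(res.body) > MAX_BODY_BYTES:
        return False, "body too large"
    # Constant-time, exact comparison of the published content against the expected value.
    if not hmac.compare_digest(res.body.strip(), ch.expected.encode()):
        return False, "content mismatch"
    return True, "ok"


def make_fake_fetcher(files: Dict[str, bytes], redirects: FrozenSet[str] = frozenset()) -> Fetcher:
    """Constructed offline stand-in for an HTTP client: maps URLs to canned responses."""
    def fetch(url: str) -> FetchResult:
        if url in redirects:
            return FetchResult(302, b"", True)
        if url in files:
            return FetchResult(200, files[url], False)
        return FetchResult(404, b"", False)
    return fetch


if __name__ == "__main__":
    # Constructed demo: a requester who really controls example.test publishes the expected content.
    ch = new_challenge("example.test", "acct-1")
    honest_site = make_fake_fetcher({challenge_url(ch): ch.expected.encode()})
    print(verify_domain_control(ch, honest_site))                      # (True, 'ok')
    print(verify_domain_control(ch, make_fake_fetcher({})))            # (False, 'unexpected status 404')
    print(verify_domain_control(ch, make_fake_fetcher({}, frozenset({challenge_url(ch)}))))  # redirect rejected
```

The fake fetcher exists only so the example runs offline; in a real deployment the fetch would be performed from the CA’s own infrastructure, with redirects disabled, toward the host named in the certificate request and nowhere else.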

Source: wikipedia

About The Author

"Founded in July, 2016, WhackHack.com is a cyber security blog that covers important security issues affecting common users, industry and governments. It aims to create awareness among its readers about malware, hacking, encryption, identity theft, privacy, etc and also offer solutions to protect themselves from such attacks"
