



Why are domain-validated certificates dangerous?

A domain-validated or low-authentication (1-factor) product is a server certificate delivered quickly and without real vetting. It guarantees neither the identity of the website's owner nor the actual existence of the organization!

This kind of certificate enables SSL encryption but makes it impossible for web users to know the identity of their interlocutor (think of two men having a conversation inside an unlit vault: nobody can hear them, so their conversation is secure, but they cannot see the person they are speaking with!)

Certification authorities that issue these certificates only check one thing: that the owner of the domain name, as displayed in the WHOIS, is the requester of the certificate. Mostly they send an email containing a password to the email address found in the WHOIS and wait for it to be entered via a web interface. They can also dial the phone number provided in the WHOIS to ask for confirmation.

This procedure is easily hijacked: firstly because the information provided in the WHOIS is purely declaratory and is never checked by the registrar, and secondly because registrars can modify the information as they please. Needless to say, anybody can reserve a domain name similar to an existing one and get a certificate for it.

It makes phishing attacks possible. Let's imagine your bank's website is https://www.creditbank.com/ and that it is secured with a domain-validated certificate. Its certificate will present the information:
CN = www.creditbank.com
OU = Domain Validated
O = www.creditbank.com
A hacker wanting to attack this bank will reserve a similar domain name, such as www.credltbank.com, and provide false information in the WHOIS, such as a Yahoo! email address and a VoIP phone number. In a matter of minutes he will obtain an SSL certificate with the information:
CN = www.credltbank.com
OU = Domain Validated
O = www.credltbank.com
Finally he will create a fake website hosted on a hijacked server and launch his phishing operation.

The common web user will be totally fooled, connecting to a website that looks like the genuine one and carries a valid SSL certificate!

Sounds familiar, doesn't it?

So, one piece of advice: do not use low-authentication certificates.

You can find strong-authentication certificates at affordable prices. Available from £55: see our TBS X509 certificates.

How to spot a domain-validated certificate

Just display the server certificate. To do so, double click the golden padlock.

You'll see 'Delivered to' or 'Organization', but there will be no organization name, just a domain name!

In the 'Details' tab click 'Object' or 'Subject'. You'll see an 'OU' field indicating 'Domain Validated' or some similar content.

Note as well that neither the city nor the owner's address appears!

This means there is no information at all about the certificate owner.

Would you buy from a seller whose business card holds no organization name or city?
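The checks above (an 'OU' saying 'Domain Validated', an 'O' that is just the domain name, no city or address) can be applied automatically to the subject of any certificate you inspect. The following script is an added example, not TBS code; the subject strings are constructed, modelled on the examples on this page plus a hypothetical organization-validated subject for contrast. Note that newer certificates often carry no OU field at all, so the organization and locality checks matter more than the OU text.

```python
# Classify an X.509 subject DN as domain-validated or not, using the
# indicators described on this page. Subjects are constructed samples.
SUBJECTS = {
    "bank_dv": "CN=www.creditbank.com, OU=Domain Validated, O=www.creditbank.com",
    "lookalike_dv": "CN=www.credltbank.com, OU=Domain Validated, O=www.credltbank.com",
    # Hypothetical organization-validated subject for the same bank.
    "bank_ov": "CN=www.creditbank.com, O=Credit Bank Ltd, L=Caen, ST=Calvados, C=FR",
}


def parse_subject(dn: str) -> dict:
    """Parse a 'KEY=value, KEY=value' subject string into a dict.

    Keys are upper-cased; values containing commas are not expected here.
    """
    fields = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def classify(dn: str):
    """Return (verdict, reasons) for a subject DN.

    Strong indicators (OU text, missing O, O equal to CN) decide the verdict;
    a missing city/address is reported as supporting evidence only.
    """
    subject = parse_subject(dn)
    cn = subject.get("CN", "").lower()
    org = subject.get("O", "")
    ou = subject.get("OU", "").lower()
    strong, supporting = [], []
    if "domain validated" in ou or "domain control" in ou:
        strong.append("OU says 'Domain Validated'")
    if not org:
        strong.append("no organization (O) name")
    elif org.lower() == cn:
        strong.append("O is just the domain name")
    if not any(k in subject for k in ("L", "ST", "STREET")):
        supporting.append("no city/address fields")
    verdict = "domain-validated" if strong else "organization-validated"
    return verdict, strong + supporting


if __name__ == "__main__":
    for name, dn in SUBJECTS.items():
        verdict, reasons = classify(dn)
        print(f"{name}: {verdict} ({'; '.join(reasons) or 'no DV indicators'})")
```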

Below are some links to security incidents caused by domain-validated certificates, and we keep seeing the damage they cause. For example, some registrars (domain name providers) do not respect their obligation to check the information published in the WHOIS, so hackers can reserve domain names anonymously! Actually only a few registrars check the identity information declared in the WHOIS. How, then, could an SSL certificate be issued on the basis of these identity elements?

See http://www.blog.referencement-1ere-page.com/index.php/2008/09/02/71-icann-a-exige-la-fermeture-du-pire-registrar-chinois

Here, an MD5 vulnerability demonstrates the danger of 1-factor certificates:
https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php

A 2008 Netcraft survey showed that 95% of the certificates using MD5 were 1-factor certificates (mostly FreeSSL, RapidSSL and Thawte 123 certificates). Case made!

Last edited on 12/08/2011 15:15:12