|
|
|
The Risks In Wildcard Certificates
By: Larry Seltzer
2008-10-11
Article Rating:  / 7
There are 0 user comments on this Network Security & Hardware story.
They may not be real-world problems, but wildcard certificates have some definite theoretical problems. But they can be so much cheaper that users will buy them anyway.The imperative to use SSL, for web authentication and encryption or VPNs, is reasonably universal. Competition has driven prices of certificates down over the years to the point where you can get conventional SSL certificates from reputable vendors for well under $100 per year.
Another product gaining popularity due to competition is the wildcard certificate. A conventional certificate works on a single domain, e.g. www.foo.com. A wildcard certificate protects all subdomains of a domain subject to the use of wildcard characters in the name. So a wildcard certificate for *.foo.com protects www.foo.com, bar.foo.com, mail.foo.com, chasephish.foo.com, and so on.
I have received many notes from vendors about them, both as press and as a prospective customer. Most CAs (certificate authorities) clearly see them as a way to grow markets. If you've got a lot of domains you can save a lot of money with a wildcard certificate relative to buying individual certificates for them, but not from all vendors. VeriSign, the 800 lb. gorilla in the CA room, prices wildcard certs by the domain being protected, so that they don't save much, if any money outright.
There is still a potential to save in convenience of administration with a wildcard certificate. But there are real downsides to wildcard certificates. When things go wrong the convenience may evaporate quickly. The VeriSign site lists their take on the disadvantages of wildcard certs:
- Security: If one server or sub-domain is compromised, all sub-domains may be compromised.
- Management: If the wildcard certificate needs to be revoked, all sub-domains will need a new certificate.
- Compatibility: Wildcard certificates may not work seamlessly with older server-client configurations.
- Protection: VeriSign Wildcard SSL Certificates are not protected by NetSure extended warranty.
I hope it doesn't need to be said that VeriSign, as the dominant market player, has an interest in prices remaining high, so take their advice on wildcards in that light. The last point is VeriSign saying that wildcards get a lesser level of service from them, so that's not a problem inherent in the technology, but the other 3 points are reasonable generally.
It's true that a compromised wildcard certificate is a bigger problem than a certificate for a single domain. It's probably also a bigger target. How big a problem is this? Using the same certificate means that every host in the domain is using the same key pairs. This means that if the keys are compromised for one host, the entire domain is compromised. At the same time, the larger number of systems relying on those key pairs multiplies the number of potential weaknesses through which a compromise may be found. Fundamentally, this makes wildcard certificates a weaker, less trustworthy solution than individual certificates.
What VeriSign says about management is also true, but whether it's a real burden to replace a wildcard certificate depends on the management system you're using. It may be some work, it may not be. It's also true that if you need to revoke a certificate your CA needs to move fast and when you need them. I'm not sure all CAs, even reputable ones, perform the same in this regard.
As for the compatibility issue, it seems there was something there, but as VeriSign says, it's a problem with older software. This page details some compatibility problems with older client software and wildcard certificates. You don't see a lot of current versions in there.
I suspect there isn't a lot of real world data on whether wildcard certificates are more of a security and management problem than per-domain certificates. It may not amount to much. I think there's probably something there in the aggregate.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack
|
|
�������x}v۸~�zn˾m"i+RlˉnۖĝޝHHb"yIʶ/1K3n��~[N9I�(�BP("{I"�f\:Ԣ$;qOuޛ�Ijz:�`�Qe�3�ѩe��#|,sd3:�e����z=�F"kYÃ��[��j �(K�xmNFzV6'ڈ2z96�\�3�e��G
}>D@��=E��J��$>DR|>OTe�5�0>t@OTY�N�8�qy#f/Da_XI1**M"p8$J�>vT��γܲn?5oeںʷ@F3c2q�MTM,r,U)m c
��@2xZ`:v-2谞�˲f�g
3n]Φ[w5U)j>_+T|f�E���r�m8�eG�2͝^ok"_VT5?^]gH� �K��-%;ijA=lt�|h]\�[�r m
+tm%&�� J�DTRB6I��A�>r�jw{� %RMWJzQߨ+QAͫ5Gr$0L"�@K�2zĢ(#$vw&?ZZWM"黓v��lM,!�RQU2�Z,^,HN}uֹ
9k}hH
�Gd@
��W2 -Nk_{}s'^ěljE�[C9�Cm0Mߑґd 1|9}nq�ߟ\OIF©,/z��پBdu!$�r7{7#RxDɜ���V5��o��fo �E@k,�tjg�t8f%Pxݬ1���R
4%y_Ϝ�5��Hr�
VϠ��ȟ$W�i�8�@rX1f*6�K .F}5_<���duB* b�j9nQWȨknSAߥ|>I���Fxg�>6 @�
T�N`� 8�+����Gs|Lnž�*�P߭g#PC
u�|h�*6��l�d�(4)s�yp;LM ρ�.i-�H��͋�0������C����2+?k6�f�(9N@tmSH�|` � �Qi^3-m`Z1 �5:%ѥ6tq�0x�zD�У�H&BD(jH�B
!A�lq���[$p�hd�d+��3~CQzGBJԂK%6Os@�G҅3rJX*�τbJ��Z
z)|I(l��e&z�/[LdoD��["0�9X����
4gj
h�+%ּ
fQ
O5&CS7a 3�z {[�gޓi� K02�9@?e!1q SQ��s��y����P�n;At�랒���\�f3�35=�S1/ƃ5{j<̉iÂqlc��_a"��eBC`:N{c�jkȑ�L�%~Gn:m0s>�k2
'�yvw�=&.�У\8$/4<2?pGҶLoj�@>J|�z[.Zqα�r�B&��5b�$�ӠCY3�b-y6yBNV[�2KsFM&W/31r@PW9e�XScXNϠD��Lz?v&�u/$1L`�V��/Դ
E�$$BYv`m.,�y�GgK�ċdt-
�%uGwlla}50_\킢�KQ"鏡LXZ�sXJF}�`'|pc�It�PFʰe�8ZzqF�$KDϗ�4 V0̈́�O5O�#_c��Ҁ!a�k"�_xHE�y�[+pp �B��E.X�t>� r��+b$[� U4l)
zujIMx�-h! /7�ˇI%$m�4X2H�]O=4vnj}3ʋ�2�i��o�YZ�
J
o36Բ*RTp~"0yOo熼�M]C�p�/qf}r}sMiԛF>k냪̦;PC�3.S˰1#�*#�17�� i��x/WFHi1 �.W(*H3�sazT�j�fNᗜWv�mS
��"8&g3ק>jV�r8@z��5�d٤S(H5qR�Y� �w7j^U�[�K;3]V��� OP�:$z���� hBOUҜ���;@+w+jZS�~I�1�H��%�kS'SGŵR�����n׃!Sg��b/ JrT-(ښ<#h�C�b�RX��hV�p�*��ӝ
g;pL�g+ �Ԕ
+즬h�+s�JbO�WB3EL7ytQ�rC곰#8M�G�(Fi(�Y�+|;` 2fVȭ6Θ6iY~��E�50�>OD?i`�#1�s*?�=xփ�u8X[NAaNɧzT±B�p��a�NpgD瑩| ۶A�9Xhb9D�J9��ޥ�P͜ �R7@yz � ��Ge�,�v 5�ə^i 9zvj�qn/�U@Z �i2Ɂ㚺/kSO�~<�^֦�%ߧ�jyH2m�r�HU�u{\ e4�w�=��]b>�?/$Rd#�@q%ƀ4OxR,W"m-M�\X��U\ӃP~��)yrC5�Y�;4chE�iܨhmb{ȕO�?"FT6�
J Co���Tr�hOk�̣���ش�/<|�7Wi ޔ-�c�r�;
i||T-,sKiʌg�_|�p]f)ty�z�Ć5B/4]s䖴Fy�q0�)�Sk�KQ�m�+KZƱ�j�Ԕ5��4CdE�)�ujUR�ՂT'a�u؞y(zߍ]��eړO\tut�o0|7=nkF��=S$N�RE*mT)gj'D.MÀ>Z�b�Q"Y�@r�r�j�*WԒ�e��\|{W
!i*6ǷWX��sdM!M�$DDK!rM+5�2L�lBe\�&�м`?{y>{V?|��" }M�Xޟ�Uv٩�|5}>μY�̶\~�W
}{wL
*>\e1��2`^=G}#םn\�abww(L@?zǽ?�*�І_YcR�XLj_6߶pC-Y2}�a'A*$�`pP#.m�̾l{ymS�ͳ[醗a
]{�孀��
tzΥsټy۾�/vv.:7^\ZR1^Zy0#FpBj^^��(d�
szjބ� 6b�W�`[&I9D=S5CuWΰ3vH]!�Rb_:7g�N,W=ZXMR!�m&۪2�>Cɢ뵕h�٦{K
�O-|em�`!�oH}(WI�1�|M��H\�T
�dY{}�N�α�fO��B@fp�KZ!N3BGy,$��e5ғ2�M|;kvn(�6�F_�gE'k+\-[N7S+dI�D{_q+�s��z4~&\2Z9nt@:�Q?xX�ؾhwNj��L�t4-Ӌo+���"]UC�(MàvD)nũp-ޱekOY(^H�Cy8�[�6 jN1{�GߺCK�̫],-�'̐S)ŔL iuxH#%dBE],d��AX9� �V�9$8>l�Pf�pvn
֘I��"i#ĠQIݛC3٢p��_5d��Z;3L+|Z"�Zyb�a���|6�ߊ:"YcCƓdǟ۲&ZP|9�ߎ92i��sM_?�ne�b�֒K0KLBH
8=Sq� B�y=d\
�,ZQı�o�| M�t�k4ٮ�GTgL(|G��h2�xױU�kV,0RC̑ KTk�ՑM�ukV<ʎ�h��m��0wTQޘ�<} H�ϊM�Y4�J<,DL~pL��E
؞�(�z|�ЎǮ�im�?�{a/��A��xƦ�Lmo�+�نr&"
d5[KB�4!3gG�Ui�/=eFw:��[PYf_ː��n2oK�lLO)�J�T1~34�! �1�apHX�]Y�Eq�40�R95Īź*
U\bL]�*RAgqsÃc�&b�ZP�jP:NJاז�HCuW&dAAG~�9hb�w&e�^�K98$!��T-(8E8Ɛܽ܄]^:&� ���z�\x���3
Gp3ۜAj"~&$]Z�,t�{�!$6%��~��z�jdRMbK'E
d_�?fbPP1T9&Lz�vĞiGCZɚ�j:r5��[
_ht �@j=T�h�R�A=�[m^��1a�'N�:�$υeD#i�Sk9S' {k�}dWIQ$|<�էaؑ�+���ʑ0.�"JdQ�?i�@��8x)Ql�X1�I73�ֳ{�m?oYw5�^Z`%��)`@:(Ŗڠ�ap͏߰RlYC>M�XppDz`��+Z}]��y���O)�U|Aʗ%�uj�Ƌήҭi����owͤ._3��áfz��aK�C�I�� ��:aй���+#+K�@v�@ju[j-8v�|�f*}`7H�ȗ.OeiP��ƙPtHȓ�I8H@���2&�a�u1�-ZƓ(+qr.nK}�t:XLEv�_!ܴtf|{
�U
i0[;33S� �2�>�$I��H''r;�\M[gX;0r&(�[Lܠ\�N mICwURb��+ee&�&Xq#t��~~~~yklU-[ccy�F�":}N5y�N5ϛIi&�é%o;Lh��lan{DE0x���aH��VOw0�5FT2s�('b[R)Q]qc^��_=Pd�t1s(9=kx�),ED)6�Z=0/laع
}jOҶEM\�hm�z2Чz�0suρŕʮdg%��9z@z�Xt���e��Y!Ƴi[X/'�(r�h{o㍐XgMPSX@Y�If]ݢyɉ,�zǢ+/J�t�TkΚChq�% DnX+��{�nacS/m�W]b���Ml7�zT�^@�Bt8ǂ�j�>�QkcۜڵP�C�mե-fcpP�v/Oְ;c��7$�0Ƃ�#��O6"<�#'�\i.�ug�v��gimA1�$
�En6.oErFNRzTKxOIܳKPT�]Nn
7i븚e)7=}M�\@W{�ŗqґyڿM��W�:�4wPgU;AS+ .ͤd��Aݶ9a-m*@�X�U̎5>,�ēU.� ˢ./=ytӅa�RY�-C][^]_X$3g%�J��b'�~O�@84+QY#VD
kIHc�cY1",N�kf�(2EaDD��%z�!b|py+Ǡ9:�f�;aH�s~����,oH^l"Rj�Z>O<-o[��4%_Y@%lZ|2$oUMw�ۤzˋFP��,ÑBtz�r�Ec�!d1@1P&k}s�M��^=hT1<�8�7�~��GCz�ln!g�x\sz�;d�F��� ZSXF!i3Ooq'Z飩/bas�@�a]I�jD)Pߡ�^�Y?̠�䷿PmfɷwQhC^`2V��B�R
QE͉x�,�k7¤�t'O, v2.E��!y8�j
͘s-�T�Vp9n�� d/�|]RݞpЋG�6ךR|?�G}�;�:\�o�ø�DŢW\k�=$.X4ѱ�
ۣ'*�~d7 �;�P^ޣ��ˢw{DD�Nt�Q*�Q�PôL5&Ʈ$�|j�!-DnPn�aIzŕF*r$v9��auINu>'^`� 0BLJ߁��Z&G�B�8�AXd1��C�q�y%ǸXFPx!Ҽ�&0�aX|S�Y�h�U!hcb9ׅs\�:'�{ ]J1xy��[=̀+5&L�7P:qV6'��3H�uP�d�SUP*$Ai)5(*t.fbjƊXU�0X�fz^5XzXU.T�fڹr+ ~K-yΔPe�+e6%7�E]T�zXj 0�K5;�W�'�X@���o�@�&TRӰ0-|2i;�NRe��@I�f[wjRZȗrZsC;��}7=yJUWjQ�ܣz �i�e7�Uܨ��.��رwz҇9Ekɽn=/=7TRj9Y3~��:�K�G9�(/aG�N((�b�X�Qz/;O>�ߒ�ļ}��.[�}1߽j |;À\C+Y,��⸇A�+8��3^Rb$�WV m�M�Zz2ڑ?�8ac�itTJuf�ϋ�W ByF}oz0OyX~):�ʒ�q��iq(�ok[s>۹caiL"&hEgxTM�@ئO�t]�N>#�i+WWaA�>➍XC�%On3jwAu1P]1�#ZNpp��B3�:�B<�zDG�>F�g' �#n%�4�7�L��P�_C�_�tghq֢xt��7EڤKB`(x��`?,W��t@";{|�Q����F̊X@�t8,$�l�6Ƚ�N=B&3'
ُ0�S�;BNyq9nX��[+$̼O��o-�v`1pv/
~N1QǷ��t$rI!�i+oz盫n(_@7FDuj
>�h0�*ejхUtKDJL
2�@�s�8%���{ߟo]:K0%��
�5"߰�g�
=gBp��0C>C�Ox�֭)��Ӧ%cnA{)|贯��#?G��
�l!�1�g昡Gi.#_�ORI節��D��htM\���"@J��>S�|Ӡ6hP؞��?pm2�&\I0Z�^6�XLh0v@�s���Xc�-�.E.Ӈ;q[��cܕѭɀ�xB��db���,9ǥ~�td͡Q�,#ߛ�h�Sg0�z/غ9�Pq.5$Lj+1I�t!C�K/H�FzNs£(�I�wǦˈ�_`�>$�Bc�|EW|UKPk?_s]��+J)qR?<>ūA~kfY3[�8~\K�r%-2�eVнA=#�2dg44\�B!���_�Ч�V#&X3�ѼH;7IoZ-}=i_ڝ+rҺ*kI/WQvjIiyu}Ӿe��31z;�*u^hKL�iӤe(Aί-L)�D{=\H�E��xU�"
/�EL�qx*0ʧfϞ^w�S"v�mY�Q��L�MÀ(POA~�r�ڽ�r|v3��.ui5_Ԣz p5{@Q2D�
GM*��^L8���)nu:U+�Uj^*Q^m^�9^I�^+&�oV6Rk;Y[~�88kI?瀟5y�oCڙƻY>[�ki�gWkҡ5i]�?N��kl\3>5��~/�s�?5�\C@k�yjM>@5 ݚ@?֤_Bt�߫5{�s`_�Y�ȟ��Y#_>5^S�f
t5Bk�뭡/@_�H.�aM>�>-߮K�]CPon_r5�7Y��NϯT�8'kK�z)A^+_�~Z�K5GF^`謡2,c\4e_w
��
ks\W�KI0�tE-U兗fZ+�ǸJt-��}}}/Q
-CyikR< �AɻA-gE6a�+F&Ь-'hވu]f=�g|ܓs+Z`O逷\Y9d}+er6VD-VcbM�x{ylǾJ92�b�a_d_BЫʛ�ǒ{Ь`�n�Czn}(�s�җjZҧ~�4Ċ�lOAptr�m>ov#yk_�Bx�&`5io[~|^YiQ�s>@e^q+z:`)?װ8So�#զuF�?6.eP!AX9MlA]'�LC딿.Ncw�{� �w�Y@DӸP>�hգ{9đɴ)93�l1@�Љ
|u\jn2�&�3!U{�Txx e*sEDQ�j�Nؒ1"�QUR"
e2$G|1I5�{w{�Y�=�KFe�8xp/�#C0t'ᕗF±0.�@�HG�b0x`ԇ`wƨ&F\��i1`I�vM[~:�0p)u&�Ĥ��O[E�-ljJôFo1#95�Ge�j}�09]q6�3fnwZN]Rikx.$7+�䅬Jq}RtzY8=ۚ9d؆,d
/mnԙ%FO_|y
��$Gl7�~3ǚ1;v
tI5<`/Fx�h�N"L�/GOqtg~ 0MDKfAl!�|aGveG��wyC;�59D$�&��~0gIk-}�x�E�)Tv$ї]Q��~���q��cOaI�l@��� X1W�;O���>OĞP�_ m\oTùLHd z"kщsl�FK}��"sB
s#b;MA5#�;vl>8ku�o�2&��6#����j#���F\�gHa*x��� .7#Tt�<��` GY�e`kr��-E6v,Sq�ߢq9u�3E~ᱦ��#eUcSҼE1�ylT$|�C]�Ay�Y$p �e,5���5]}deu�b@�4;U*P�� h�@j~Ş�cN5r5�/��cqq5A%�+�8jC]@csXg[}@u?�SN���$�.ߞZ�CR2@aRӾaj�x @
�R@G40mY7�@̹�v}�c�aIW?*�t=N3B�4.r��KlPK��
KK4τ6=G��34�Qcq�ЇV_�E�'ܱ+=i|�
�|>Woj74fcP�ܱ/U��֠;sNLכo0�/RW�Ϡ�ط�c�3Y|bZj~�peh8*�Ƹ�zXJ0���Jw�p,�fKEdLu/
&�&^unZ{zӹ W
$R$>E��V2�%S%.㕦�C{nPKS�DŽO&W{D����ԳP��֭�EŠ؍cj�,n�mp�ݚ+�T���L5�7�ͅ�&��H�T�d�X`-"�}z�γ 5:cPb�>J|.Z#fv�=ߓ-�HMcx_/�kH`҅�AC0rPgLPU@ɀzYK�"W-[y[�����M�ؒh����?�)hA?�)*l�64AYt�NД6mYV
[�&xO+;H\""P3װK�ձ~ `Wg0���+Y�@��F� ^ΞP�du,ʸPdUɬ0~�<%,�n&�ԢLu(f�1Iǖ�:�vȠƳm9,�y@&<&X��y
�6GX΄��J9�
f+CBa7bA"-mv��$�R���Kz��TG�7 ߘ%�2H w.�d�{ qu~"Y�Q�gNE\�f"s?smُ
H�&�Y\R4v?lDʕTIh^ܶ4iGP_�?@Bn���Mͭs\ `�4zj^v]
I�Pc�>@5upj}�n4.67�Rv;sqL@R�
1S1K\e"�F| Y�x57 "5m/\vE諤HEIz
��8L�s(?'ĭ!ٿZh9��QsMBm1>�plv_�/>r}�]�q�J*l�Db=kllD%6Б�4+y_�HFQIθQ#0Qτ#4n�F@s�ٰd'�"hc)IаΞk��lx|�9;A���DiZ}HE<�0N28AJ�ءJ �G��a~\&��dp�Y�GT/�Д��BE-�)opKw%��qQxp�^��}s�%І=F�~%H�r|YBVa6;6.�iNGax;2Cu$b���K<��^�{�-��Nj���sՓΛ틏�W�B;BG�{�F�%_[ǑFO$bQK=Nm߾�/I>\tnSʎSI7WgRB"Q��y:7g4��!q
w<;k_MfĻAƼY�(>WSxF#x��<�oL�PQj%�&7hE1��n�:)��FGX�S""�FOpőp31{ٲN�(
ߒ&�jvw�b�yeh346�qcfi߄re-6-�˫Lˢ$_J6?�}v[?��
|
Network Security & Hardware 
