Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Hanz Ostmaster’s revenge: An SSL Validation issue

Why would I title a blog post with the name 'Hanz Ostmaster'? Don't worry, it's not some new named vulnerability, but it turns out this name has some significance. Do you see it? It requires a bit of imagination - consider a typical email policy: first letter of your first name, last name @ With our friend Mr. Ostmaster this will result in Does that seem like a problem to you? Turns out this email address can be a massive issue. To find out why, we need a bit of background.

Many of us are familiar with the concept of Secure Socket Layer (SSL). It is the technology that allows servers to exchange sensitive information such as credit card numbers, social security numbers, and more in a secure manner. It functions by establishing an encrypted link between a server and a client and was first developed in 1994. Currently it is required by PCI and Trustwave is key in its deployment worldwide.

SSL offers a great advantage over a strictly symmetric key system in that its central certificate authority (CA) removes the need of the client to know all the cryptographic keys of every other server it will communicate with. The client simply needs to verify the keys of the CA.. These CA's have their certificates shipped with operating systems and browsers and will vouch for the trustworthiness of sites by 'signing' their site's certificates.


figure 1: Symmetric vs Asymmetric encryption

This, of course, puts an unusually high level of security trust in the CA. A natural follow-up question is: How does one become a trusted CA? At this point the most common answer is that you're a large company (Symantec, Trustwave, etc) for whom there is already a perceived trust.

So if CAs are trusted because their certificates are shipped with browsers and OSs, how do these CAs know if they can vouch for the sites who will ask them to do so. Well, the common sequence of events is as follows:

  • Site: Hello I represent and I'd like to get a certificate for my site.
  • CA: Howdy, that's all great, but I need proof you're the owner of
  • Site: Here is my proof. (we are leaving this intentionally vague)
  • CA: Wonderful, I will sign your certificate and you can present that as proof that you are actually
  • Site: Thanks CA, have a great day.

Verifying the legitimacy of the client is the topic of today's post. There are a number of different methods that ICANN has specified for allowing CA's to verify sites/users:

  • HTTP Validation – Can be performed by uploading a special text/html file into the root directory of the domain name.
  • DNS-based validation - For this validation method you need to create a certain CNAME record in the DNS settings of your domain.
  • Email Validation – Users will be validated by an email that belongs to the domain

Of those you may be most surprised by the email validation option, as sites often give out email addresses belonging to their domain (anyone have a Gmail account for instance?). It's important to know that until late 2015 there was no strict specification on which email addresses could be used for verification by the CA. This ambiguity ended up manifesting itself as CERT Vulnerability note 591120 ( The notice specified 16 certificate authorities as affected (the status of many others was unknown) and noted that it was not possible for site administrators to know which email addresses should be reserved for SSL use. If an admin is not aware of all the sensitive email addresses and allows users to be assigned one, this can lead to a duplicate certificate being issued for their domain. In a short survey the following addresses were allowed by various CAs to register certificates, but strictly speaking it was up to each CA to determine which email addresses were acceptable:


This is coupled with another issue, CAs don't communicate amongst themselves, so if a CA was asked to signed a certificate for, it wouldn't check if any other CA had already signed a valid certificate for that domain. In fact, many organizations have taken to doing this on their own as part of their Incident Repsonse practices.

The fix was rather straightforward. CAs were instructed to only use the email addresses specified in RFC2142 - MAILBOX NAMES FOR COMMON SERVICES, ROLES AND FUNCTIONS. The only exception is that CAs were also allowed to use the email listed in the WHOIS contact for the domain being registered. Beyond the whois email, the only allowed email addresses after the fix should be:

This largely solved the underlying problem but every CA in existence needs to update their policies accordingly, otherwise the issue isn't fixed. At the time of writing it was still possible to find some CAs whose policies did not conform to this guidance. This means that given a situation such as that in the image below, all one would have to do is find a CA that still allows registering that email address (ssladmin@...) and, just like that, a valid certificate for the domain would be given to a potentially malicious actor.


figure 2: setting up an email to register a certificate

So everything's good once the fix is in place, right? Well, no. It turns out that the vast majority of technical folks don't know that the three email addresses listed should be reserved in order to safeguard their SSL security. Sure most people know about postmaster - but when surveying a room of security professional at BSides-Rochester 2016, only two raised their hand in recognition that hostmaster should be a sensitive (and therefore reserved) email address.

There is also a little issue here about trust. One of the popular services that domain registrars will push when you sign up, is free, or low cost, whois protection (like whoisgaurd). The problem here, is that if you sign up for that service it is effectively possible for anyone who can generate whoisgaurd email addresses to register an SSL cert on behalf of your site. This is demonstrated below:


figure 3: using a whoisguard email address

Ok, there are some problems here, but how often can you really register these email addresses. Certainly is already taken (it is) and there aren't often situations where you can access someone else's email account. It turns out there is one big location where this rule relaxes. There are a number of services that offer anonymized email access.

What makes these targets so great is they often let you not only have email accounts on their domain, but they will allow others to point their MX record to their SMTP server. This trick makes getting around domain blocking simple. However it also potentially makes all the domains that have their MX record pointing to a given SMTP server vulnerable to having their SSL certificates registered by a malicious entity.

So how common is this issue? Well, it turned out that every service I tested was vulnerable with the exception of


figure 4: using a hostmaster account to provide CA verification

While some were very easy, to access such as, others often tried to be more intelligent about security. Most would not directly allow me to check '' but given spaces, case, dots, null characters, etc. almost all services tested were vulnerable. In the end I ended up with temporary certificates for quite a few of these domains some of which are shown below.


figure 5: domains validated for certificate signing using this technique

Generally there are some easy steps to fixing mitigating these issues. From the consumer side if possible you should pin your certificates and use the HPKP header if supported. Also, if it is financially feasible, you should consider an extended validation (EV) certificate. These EV certificates require additional scrutiny to get and are presented in a different manner than conventional certificates.

CAs can also improve this process and many CA's are moving away from email based authentication for the very reason we described. Hopefully in the future we will also see some better communication between CAs to prevent the types of issues described.

Latest SpiderLabs Blogs

2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies

Trustwave SpiderLabs’ 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report details the security issues facing public sector security teams as...

Read More

How to Create the Asset Inventory You Probably Don't Have

This is Part 12 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

Guardians of the Gateway: Identity and Access Management Best Practices

This is Part 10 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More