There are multiple design and implementation flaws in StartEncrypt, a tool created by Israeli company StartCom for issuing free SSL certificates.
StartCom, the CA (Certificate Authority) behind the StartSSL service, launched the StartEncrypt project June 4, inspired by the success of the Let’s Encrypt project.
Users who want to deploy free StartSSL certificates can take advantage of their StartEncrypt offering. They only need to download a Linux client they’re supposed to upload to their servers.
This client performs a domain validation process, informs the StartSSL service, which then issues and installs an “Extended Validation” SSL certificate for the domain it found running on the server it has just checked.
The validation process has flaws where it could allow server owners to receive SSL certificates issued for other domains, such as Facebook, Google, Dropbox, etc., which can end up sold on the black market or used in man-in-the-middle attacks, said Thijs Alkemade, a security researcher for Dutch security firm CompuTest, who discovered the vulnerabilities.
The first issue Alkemade discovered in the StartEncrypt client was a design-related problem where users could manually configure the folder from where the client would download a signature from the server.
An attacker would only have to point the tool to a folder on their server holding the signature of another domain. These domain signatures can be extracted from any sites that allow users to upload files: GitHub, Dropbox, etc.
The second issue is more serious because it enabled an attacker to obtain SSL certificates for even more domains than the ones before.
Alkemade said one of the API verification calls contains a parameter dubbed “verifyRes,” which takes a URL as input. This means the client ended up exposed to Open Redirect vulnerabilities. Along those lines, an attacker could forge this request and point the tool off-domain to a server not under their control.
But this feature is not that easily exploitable. The domain URL to which the attacker needs to point the tool must allow users to upload files and serve them back in raw format; or contain an Open Redirect issue of its own.
While the first condition was quite rare, the second was not. All websites that support OAuth 2.0, a specification that powers social login features, must allow open redirects for the protocol to function properly.
A crook leveraging this OAuth 2.0 condition and the StartEncrypt client could fool the StartSSL service into issuing a free SSL service in their name for any site that provides OAuth 2.0 support, such as Facebook, Twitter, Yahoo, Microsoft, and so on.
On top of all that, CompuTest also found StartEncrypt doesn’t check its own server’s certificate for validity when connecting to the API, meaning crooks could receive verification requests and issue false SSL certificates for users trying to use StartEncrypt.
The API also doesn’t check the content type of the file it downloads for verification, so attackers can obtain certificates in the name of third-party websites where users can upload their avatars. At the same time, the certificate private key, which must be private, is stored with 0666 permissions in a public folder, so everyone could read it.
Furthermore, StartEncrypt is vulnerable to a Duplicate-Signature Key Selection attack.