Keyboard Cowboy More and-or less confused after tomorrow

17Apr/1011

Who’s letting me become ssladmin?

Slashdotters! - Hi there! Apparently I am a "security expert". Way too much credit to me! I am just an enthusiast more than anything else. Anyway, thanks for coming!

With the news that it is ridiculously simple to mimic a domain's authority at many webmail providers, by registering an address that an SSL certificate authority (CA) treats as authoritative, and so coax the CA into issuing a certificate for that domain, I decided to take it upon myself to see who out there is actually vulnerable and to provide the public with information on how prevalent this issue is as we speak.

Out of eleven webmail services chosen at random and without prejudice, just under half permitted me to register an account under a username (ssladmin) that would have allowed me to obtain an SSL certificate in their name. In most of these cases the provider already had a pre-existing, legitimately acquired certificate.

All of them were contacted before this blog entry was posted. Of the five I contacted, one responded to me directly and informed me that the issue was being addressed; another had a ticket filed but has neither followed up nor closed the account; one banned my account outright; and the rest did not comment. For one of the providers I went as far as registering a new account with a CA service, but did not complete the certificate request, and I didn't bother for the rest of them.
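As an added example (not the author's code, nor any provider's), here is the sort of reserved-mailbox check a webmail provider could run at sign-up and over its existing accounts: it blocks the domain-contact names the CA/Browser Forum Baseline Requirements let a CA e-mail for domain validation, plus ssladmin from this post. The case folding, "+tag" stripping and optional dot folding are assumptions about how a provider's addressing works.

```python
import re

# Local-parts the CA/Browser Forum Baseline Requirements let a CA e-mail to
# prove control of a domain ("constructed e-mail to domain contact").
BASELINE_CONTACTS = frozenset({"admin", "administrator", "webmaster",
                               "hostmaster", "postmaster"})

# Names some CAs accepted beyond that list; "ssladmin" is the one this post
# used. A provider extends this set with whatever its own CAs accept.
LEGACY_CONTACTS = frozenset({"ssladmin"})

RESERVED = BASELINE_CONTACTS | LEGACY_CONTACTS


def canonical_local_part(local_part: str, ignore_dots: bool = True) -> str:
    """Collapse spellings that the mail system delivers to one mailbox.

    Assumption: the provider folds case, discards a "+tag" suffix and, when
    ignore_dots is set, ignores dots (as some large webmail services do).
    The reserved-name check must run on this canonical form, not the raw
    string, or "SSL.Admin+x" slips past a plain string comparison.
    """
    name = local_part.strip().lower().split("+", 1)[0]
    return name.replace(".", "") if ignore_dots else name


def registration_verdict(requested: str, ignore_dots: bool = True,
                         reserved=RESERVED):
    """Return (allowed, reason) for a sign-up asking for `requested`."""
    canon = canonical_local_part(requested, ignore_dots)
    if not re.fullmatch(r"[a-z0-9.]+", canon):
        return False, "local-part contains characters outside [a-z0-9.]"
    if canon in reserved:
        return False, f"{requested!r} delivers to reserved mailbox {canon}@<domain>"
    return True, "ok"


def exposed_mailboxes(registered, ignore_dots: bool = True,
                      reserved=RESERVED) -> set:
    """Audit existing accounts: which CA-contact mailboxes are already held
    by ordinary users and need to be reclaimed."""
    return {canonical_local_part(n, ignore_dots) for n in registered} & set(reserved)


if __name__ == "__main__":
    # Constructed sample of usernames an ordinary sign-up form might receive.
    for name in ["alice", "SSLAdmin", "ssl.admin+work", "host.master"]:
        print(name, registration_verdict(name))
    print(exposed_mailboxes(["Alice", "Post.Master", "bob", "ssladmin+ca"]))
```

Note that with `ignore_dots=False` the request for `ssl.admin+work` is allowed, which is correct only if the provider's mail system really does distinguish the dotted address; the policy has to match the delivery rules.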