Netcraft Certificate Issuance Security Testing


Netcraft’s Web Application Tests thoroughly audit both the certificate issuance process and any related web applications used to manage certificates, including those dedicated to user control panels, re-issuance, re-keying, and revocation interfaces. A key feature of this service is Netcraft’s extensive experience with the SSL industry.

Netcraft has been tracking the SSL industry almost since its inception, having surveyed the internet for SSL certificates since 1996. Netcraft is a PCI Approved Scanning Vendor and an established web application security auditor, providing security services for two of the world’s top ten banks, a worldwide credit card network, leading e-commerce companies and all major web browsers.

The CA/B Forum’s Network and Certificate System Security Requirements prescribe both penetration testing and regular vulnerability scanning: a penetration test at least annually and after significant infrastructure or application changes, and vulnerability scans at least every three months. Netcraft’s Audited by Netcraft service provides regular scans of your internet-facing infrastructure for security vulnerabilities, and a Netcraft seal can demonstrate the results of the scan to your customers.

Certificate Issuance Process

Our tests are designed to rigorously push the defences of your certificate issuance process. As well as web-application-specific vulnerabilities such as SQL injection, our tests consider the goals of an attacker seeking to obtain a certificate by deception: one issued for a domain they do not control, or one with properties the CA’s policy forbids.

Our report provides a detailed analysis of any security or service problems discovered together with proposed solutions, links to detailed advisories and recommendations for improving the security of the service under test.

Netcraft’s test will include the following:

  • An automated scan of the infrastructure supporting your certificate issuance process
  • Testing the security and fraud resistance of the purchase process
  • Examining whether the domain validation mechanism can be bypassed, including the ability to obtain certificates for unauthorised and high-risk domains
  • Assessing the ability to obtain certificate types prohibited by the Baseline Requirements (for example, weak public keys or signature algorithms)
  • Testing the security of the web application powering the user interface, subjecting it to the tests carried out in a Web Application Test
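The fourth item above is the one a CA can also check for itself: every request must be refused if its key or requested signature algorithm is prohibited by the Baseline Requirements (RSA modulus of at least 2048 bits, an odd public exponent of at least 3 with 65537 recommended, only the P-256, P-384 and P-521 curves, no MD5 or SHA-1). The following is an added example and not Netcraft’s code or anything from the original page: a standard-library-only PKCS#10 parser with those checks, exercised against sample requests that are constructed in the code itself. The sample keys and signatures are dummies (the moduli are not real RSA keys and no proof-of-possession signature is verified), which is fine for the policy check but means a real pipeline still has to verify the CSR signature separately.

```python
# Added example (not Netcraft's tooling): the key/signature policy a CA must apply to a PKCS#10
# request (Baseline Requirements 6.1.5, 6.1.6, 7.1.3), with a stdlib-only DER parser. Sample
# CSRs are constructed in-code with dummy signatures, so proof-of-possession is not verified.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
EC_PUBLIC_KEY = "1.2.840.10045.2.1"
ALLOWED_CURVES = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384", "1.3.132.0.35": "P-521"}
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSA", "1.2.840.113549.1.1.5": "sha1WithRSA",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

# --- minimal DER encoder, used only to build the constructed sample requests ---
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def der(tag, body):
    return bytes([tag]) + _length(len(body)) + body
def der_int(v):  # positive INTEGER; the extra byte yields the 0x00 pad when the top bit is set
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:  # base-128 with continuation bits, most significant group first
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))
def der_bits(payload):  # BIT STRING with zero unused bits
    return der(0x03, b"\x00" + payload)
def rsa_spki(modulus_bits, exponent=65537):
    modulus = (1 << (modulus_bits - 1)) | 1  # odd and exactly modulus_bits long; not a real key
    key = der(0x30, der_int(modulus) + der_int(exponent))
    return der(0x30, der(0x30, der_oid(RSA_ENCRYPTION) + b"\x05\x00") + der_bits(key))
def ec_spki(curve_oid):  # dummy uncompressed point; only the curve OID matters to the check
    alg = der(0x30, der_oid(EC_PUBLIC_KEY) + der_oid(curve_oid))
    return der(0x30, alg + der_bits(b"\x04" + b"\x11" * 64))
def build_csr(spki, sig_oid):  # CertificationRequest: empty subject, no attributes, dummy signature
    cri = der(0x30, der_int(0) + der(0x30, b"") + spki + der(0xA0, b""))
    return der(0x30, cri + der(0x30, der_oid(sig_oid) + b"\x05\x00") + der_bits(b"\xAA" * 32))

def tlv(buf, pos=0):  # --- minimal DER decoder: one tag/length/value at pos ---
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out
def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def check_csr(csr):
    """Return the BR key/signature violations; an empty list means acceptable on these checks."""
    problems = []
    (_, cri), (_, sig_alg), _signature = children(tlv(csr)[1])
    sig_oid = decode_oid(children(sig_alg)[0][1])
    if sig_oid in WEAK_SIG_ALGS:  # BR 7.1.3
        problems.append(f"weak signature algorithm {WEAK_SIG_ALGS[sig_oid]}")
    (_, alg), (_, pubkey) = children(children(cri)[2][1])  # subjectPKInfo
    alg_parts = children(alg)
    key_oid = decode_oid(alg_parts[0][1])
    if key_oid == RSA_ENCRYPTION:
        (_, n_bytes), (_, e_bytes) = children(tlv(pubkey, 1)[1])  # skip the unused-bits byte
        n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
        if n.bit_length() < 2048:  # BR 6.1.5
            problems.append(f"RSA modulus is {n.bit_length()} bits, minimum is 2048")
        if e % 2 == 0 or e < 65537:  # BR 6.1.6: odd and >= 3 required, >= 65537 recommended
            problems.append(f"RSA exponent {e} must be odd and at least 65537")
    elif key_oid == EC_PUBLIC_KEY:
        curve = decode_oid(alg_parts[1][1])
        if curve not in ALLOWED_CURVES:  # BR 6.1.5
            problems.append(f"EC curve {curve} is not P-256, P-384 or P-521")
    else:
        problems.append(f"unsupported key algorithm {key_oid}")
    return problems

# Constructed sample requests: one acceptable per key type, four that must be refused.
SAMPLES = {
    "rsa2048-sha256": build_csr(rsa_spki(2048), "1.2.840.113549.1.1.11"),
    "p256-ecdsa-sha256": build_csr(ec_spki("1.2.840.10045.3.1.7"), "1.2.840.10045.4.3.2"),
    "rsa1024-sha256": build_csr(rsa_spki(1024), "1.2.840.113549.1.1.11"),
    "rsa2048-exponent3": build_csr(rsa_spki(2048, 3), "1.2.840.113549.1.1.11"),
    "rsa2048-sha1": build_csr(rsa_spki(2048), "1.2.840.113549.1.1.5"),
    "secp256k1-sha256": build_csr(ec_spki("1.3.132.0.10"), "1.2.840.10045.4.3.2"),
}
if __name__ == "__main__":
    for name, csr in SAMPLES.items():
        print(f"{name:20s}", "; ".join(check_csr(csr)) or "ACCEPT")
```

Two caveats for anyone turning this into a test case. The signature algorithm on the issued certificate is chosen by the CA, not the requester, so a SHA-1 CSR being rejected is only half the check: the certificate actually issued for an accepted request must be inspected as well. And the third item above, domain validation bypass, is not a property of the CSR at all; it is tested against the validation workflow (which names are challenged, how the challenge is served, and whether the names in the issued certificate match the ones validated), not by parsing the request.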

Web Applications

The certificate issuance process does not stand alone; it is surrounded by supporting services such as user control panels and administrative interfaces. These applications are subjected to a rigorous Web Application Test, pushing the application to its limits in search of vulnerabilities that could be exploited by an outside attacker or by another user of the system.

Typical vulnerabilities found in Web Application Tests include cross-site scripting, SQL injection, cross-account access through missing authorisation checks, cross-site request forgery, and remote command injection.

The duration of a test depends on the size and complexity of a site.

Further Services

Netcraft also offers several other services that may be of interest to certificate authorities, including:

More information

To discuss your particular requirements, please contact us by email at sales@netcraft.com or phone +44 (0) 1225 447500.