Netcraft’s Pre-Issuance Certificate Checking service can be used by certificate authorities to check that certificates they issue are compliant with the CA/Browser Forum’s Baseline Requirements and EV Guidelines in real-time. It also identifies domain names in certificates that are likely to be used for phishing or fraud, and should therefore be subject to additional verification.
The service is provided as an API that mimics the
/ct/v1/add-chain endpoints of a Certificate Transparency log server. This allows for easy integration with a CA’s existing certificate issuance process, as many CAs already submit EV certificates to log servers.
When a certificate or precertificate is submitted to the API, Netcraft runs its automated suite of Baseline Requirements and EV Guidelines tests against the certificate. The domain names in the certificate are also analysed to check if they are deceptively similar to the legitimate domain name of an organisation targeted by phishing. If there are no violations and no suspicious domain names, the API can be configured to either:
- Forward the request to a real Certificate Transparency log server and return the log’s Signed Certificate Timestamp; or
- Return a Netcraft-signed SCT.
In addition to an SCT, the response also includes a list of broken recommendations from the Baseline Requirements and EV Guidelines, and the underlying Deceptive Domain Scores.
If a certificate is non-compliant or contains a suspicious domain name, the API returns an error response instead. Error responses include a list of broken requirements, in addition to the list of broken recommendations and the underlying Deceptive Domain Scores.
BR, EV and CT Compliance Checking
In order for a certificate authority to remain trusted, all major web browsers require certificate authorities to comply with the CA/Browser Forum’s Baseline Requirements when issuing certificates. The CA/Browser Forum also maintains a separate set of requirements specific to Extended Validation (EV) certificates.
In March 2015, Google pushed an update to its Chrome browser to require Certificate Transparency for EV certificates. EV certificates that do not meet Google’s Certificate Transparency requirements no longer receive EV treatment in Chrome. Chrome also displays warnings for certificates containing certain violations of the Baseline Requirements, such as certificates with too long a validity period.
Whilst publicly-trusted certificate authorities undergo annual audits, a significant number of certificates do not comply with the Baseline Requirements and EV Guidelines. Netcraft’s pre-issuance certificate checking API can be used to bring any non-conformant certificates to your attention, before they are delivered to your customers and publicly deployed. It can also be used to identify EV certificates that do not meet Google’s Certificate Transparency requirements, and would therefore not receive EV treatment in Chrome if deployed.
Some of the most commonly violated baseline requirements include:
- The Issuer Country Name field is required.
- The Subject Alternative Name extension is required.
- Any entry in the Subject Common Name field must also appear in the Subject Alternative Name extension.
- Internal hostnames and IP addresses are prohibited in the Subject Common Name and Subject Alternative Name fields.
- The period between the Not Before and Not After dates must not exceed 39 months.
- At least one OCSP responder is required unless the site is both highly trafficked and uses OCSP stapling.
Deceptive Domain Score
The CA/Browser Forum’s Baseline Requirements require that certificate authorities perform additional verification for "High Risk Certificate Requests", which include requests for domain names that are likely to be used for phishing or fraud:
The CA SHALL develop, maintain, and implement documented procedures that identify and require additional
verification activity for High Risk Certificate Requests prior to the Certificate’s approval
High Risk Certificate Request: A Request that the CA flags for additional scrutiny by reference to internal
criteria and databases maintained by the CA, which may include names at higher risk for phishing or other
Netcraft’s Deceptive Domain Score service pre-emptively identifies domain names that are likely to be used for fraudulent purposes. The service computes a risk score for each domain name in the certificate, representing how likely it is that the domain name will be used to host a phishing attack.
Netcraft has blocked over 30.6 million unique phishing sites to date [March 2017], and our phishing feed is used by all major web browsers, as well as leading anti-virus companies, domain registrars, registries, certificate authorities and hosting companies. Netcraft’s database of over 7,800 organisations targeted by phishing is used to identify domain names that are deceptively similar to an organisation’s legitimate domain name. Our extensive experience in blocking phishing sites has provided us with a wealth of knowledge of tricks commonly used by fraudsters to create deceptive domain names, such as:
- Using Internationalized Domain Names to use lookalike characters from different alphabets.
- Substituting lookalike characters, such as “o” (letter O) and “0″ (zero).
- Inserting, deleting or re-ordering characters.
- Adding prefixes and suffixes, such as “update”, “login” and “secure”.
The following table lists a sample of deceptive domain names used in SSL phishing attacks together with their target and risk score:
Netcraft offers several other services that may be of interest to certificate authorities, including:
- Netcraft Phishing Alerts for CAs
- Netcraft Certificate Issuance Security Testing for CAs
- Netcraft SSL Server Survey
Please contact us by email at firstname.lastname@example.org or phone +44 (0) 1225 447500 for more information.