Pre-Issuance Certificate Checking

Netcraft’s Pre-Issuance Certificate Checking service can be used by certificate authorities to check, in real time, that the certificates they issue comply with the CA/Browser Forum’s Baseline Requirements and EV Guidelines. It also identifies domain names in certificates that are likely to be used for phishing or fraud, and should therefore be subject to additional verification before issuance.

The service is provided as an API that mimics the /ct/v1/add-pre-chain and /ct/v1/add-chain endpoints of an RFC 6962 Certificate Transparency log server. This allows for easy integration with a CA’s existing certificate issuance process, as many CAs already submit EV certificates to log servers.

When a certificate or precertificate is submitted to the API, Netcraft runs its automated suite of Baseline Requirements and EV Guidelines tests against the certificate. The domain names in the certificate are also analysed to check if they are deceptively similar to the legitimate domain name of an organisation targeted by phishing. If there are no violations and no suspicious domain names, the API can be configured to either:

  • Forward the request to a real Certificate Transparency log server and return the log’s Signed Certificate Timestamp; or
  • Return a Netcraft-signed SCT.

Alongside the SCT, the response includes a list of broken recommendations from the Baseline Requirements and EV Guidelines (clauses the certificate should, but need not, satisfy; these do not block issuance) and the underlying Deceptive Domain Scores.

If a certificate is non-compliant or contains a suspicious domain name, the API returns an error response instead of an SCT. Error responses list the broken requirements (clauses the certificate must satisfy), in addition to the list of broken recommendations and the underlying Deceptive Domain Scores.
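As a worked illustration of the exchange described above (an example added here, not Netcraft’s client or server code): a Go program that builds the add-chain/add-pre-chain request body from a DER chain and converts the JSON SCT response into the TLS-encoded SCT a CA embeds in the final certificate. The response it works on is constructed for the example; the error body returned for a rejected certificate is not specified on this page, so the program treats only a well-formed SCT as acceptance.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// AddChainRequest is the body of /ct/v1/add-chain and /ct/v1/add-pre-chain (RFC 6962
// §4.1-4.2): base64 DER certificates, end-entity (or precertificate) first, then the chain.
type AddChainRequest struct {
	Chain []string `json:"chain"`
}

// SCTResponse is the JSON success body of both endpoints (RFC 6962 §4.1).
type SCTResponse struct {
	SCTVersion int    `json:"sct_version"` // 0 means v1
	ID         string `json:"id"`          // base64 SHA-256 of the log's public key
	Timestamp  uint64 `json:"timestamp"`   // milliseconds since the Unix epoch
	Extensions string `json:"extensions"`  // base64, empty for v1 logs
	Signature  string `json:"signature"`   // base64 TLS DigitallySigned structure
}

// BuildAddChainRequest serialises a DER chain into the request body to POST.
func BuildAddChainRequest(derChain [][]byte) ([]byte, error) {
	if len(derChain) == 0 {
		return nil, errors.New("chain must contain at least the end-entity certificate")
	}
	var req AddChainRequest
	for _, der := range derChain {
		req.Chain = append(req.Chain, base64.StdEncoding.EncodeToString(der))
	}
	return json.Marshal(req)
}

// EncodeSCT converts the JSON response into the TLS-encoded SignedCertificateTimestamp
// (RFC 6962 §3.2): version(1) || log_id(32) || timestamp(8) || extensions(2+n) || signature.
// The signature field already holds a DigitallySigned structure, so it is copied verbatim.
func EncodeSCT(r SCTResponse) ([]byte, error) {
	if r.SCTVersion != 0 {
		return nil, fmt.Errorf("unsupported sct_version %d", r.SCTVersion)
	}
	id, err := base64.StdEncoding.DecodeString(r.ID)
	if err != nil || len(id) != 32 {
		return nil, errors.New("log id must decode to 32 bytes")
	}
	ext, err := base64.StdEncoding.DecodeString(r.Extensions)
	if err != nil || len(ext) > 0xFFFF {
		return nil, errors.New("invalid extensions field")
	}
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	// DigitallySigned: hash alg (1) || signature alg (1) || length (2) || signature bytes.
	if err != nil || len(sig) < 4 || int(binary.BigEndian.Uint16(sig[2:4])) != len(sig)-4 {
		return nil, errors.New("signature is not a well-formed DigitallySigned structure")
	}
	out := append([]byte{byte(r.SCTVersion)}, id...)
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], r.Timestamp)
	out = append(out, ts[:]...)
	out = append(out, byte(len(ext)>>8), byte(len(ext)))
	out = append(out, ext...)
	return append(out, sig...), nil
}

// EncodeSCTList wraps encoded SCTs as a SignedCertificateTimestampList (RFC 6962 §3.3):
// a 2-byte total length, then each SCT behind its own 2-byte length. Wrapped in an OCTET
// STRING this is the value of the SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) the CA adds
// when it turns the logged precertificate into the final certificate.
func EncodeSCTList(scts [][]byte) []byte {
	var body []byte
	for _, s := range scts {
		body = append(body, byte(len(s)>>8), byte(len(s)))
		body = append(body, s...)
	}
	return append([]byte{byte(len(body) >> 8), byte(len(body))}, body...)
}

// SampleResponse is a constructed response for offline use (not data from any real log):
// an all-0x11 log id, a fixed timestamp and a dummy ECDSA/SHA-256 DigitallySigned blob.
func SampleResponse() SCTResponse {
	sig := []byte{0x04, 0x03, 0x00, 0x02, 0xAA, 0xBB} // sha256(4), ecdsa(3), length 2, 2 bytes
	return SCTResponse{
		ID:        base64.StdEncoding.EncodeToString(bytes.Repeat([]byte{0x11}, 32)),
		Timestamp: 1510000000000,
		Signature: base64.StdEncoding.EncodeToString(sig),
	}
}

func main() {
	sct, err := EncodeSCT(SampleResponse())
	if err != nil {
		panic(err)
	}
	fmt.Printf("SCT (%d bytes): %x\nSCT list: %x\n", len(sct), sct, EncodeSCTList([][]byte{sct}))
}
```

Posting the JSON body to the endpoint with http.Post and treating any non-200 response as a rejection is all that remains on the client side; the precertificate submitted to add-pre-chain must carry the CT poison extension, and the list produced by EncodeSCTList goes into the final certificate once wrapped in an OCTET STRING.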

BR, EV and CT Compliance Checking

Chrome presents a certificate warning for a certificate issued by GoDaddy that violates the Baseline Requirements: it was issued after July 2012 and has a validity period of more than 60 months.

In order for a certificate authority to remain trusted, all major web browsers require certificate authorities to comply with the CA/Browser Forum’s Baseline Requirements when issuing certificates. The CA/Browser Forum also maintains a separate set of requirements specific to Extended Validation (EV) certificates.

In March 2015, Google pushed an update to its Chrome browser to require Certificate Transparency for EV certificates. EV certificates that do not meet Google’s Certificate Transparency requirements no longer receive EV treatment in Chrome. Chrome also displays warnings for certificates containing certain violations of the Baseline Requirements, such as certificates with too long a validity period.

Whilst publicly-trusted certificate authorities undergo annual audits, a significant number of certificates do not comply with the Baseline Requirements and EV Guidelines. Netcraft’s pre-issuance certificate checking API can be used to bring any non-conformant certificates to your attention, before they are delivered to your customers and publicly deployed. It can also be used to identify EV certificates that do not meet Google’s Certificate Transparency requirements, and would therefore not receive EV treatment in Chrome if deployed.

Some of the most commonly violated Baseline Requirements include:

  • The Issuer Country Name field is required.
  • The Subject Alternative Name extension is required.
  • Any entry in the Subject Common Name field must also appear in the Subject Alternative Name extension.
  • Internal hostnames and IP addresses are prohibited in the Subject Common Name and Subject Alternative Name fields.
  • The period between the Not Before and Not After dates must not exceed 39 months (the limit in force when this page was written; the CA/Browser Forum has since shortened it).
  • At least one OCSP responder is required unless the site is both highly trafficked and uses OCSP stapling.
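The six checks above can be automated directly from the parsed certificate. The following Go program is an example added here (not Netcraft’s checker) that runs them against a certificate parsed with crypto/x509, generating a compliant and a non-compliant self-signed test certificate on the fly. The internal-name rule is a simplified heuristic, the 39-month limit is the one stated above, IP-address Common Names are not handled, and a missing OCSP responder is always reported because the stapling exemption cannot be judged from the certificate alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"strings"
	"time"
)

// Tags identifying the six checks; every reported violation starts with one of them.
const (
	TagIssuerCountry = "issuer-country-missing"
	TagSANMissing    = "san-missing"
	TagCNNotInSAN    = "cn-not-in-san"
	TagInternalName  = "internal-name"
	TagInternalIP    = "internal-ip"
	TagValidity      = "validity-exceeds-39-months"
	TagOCSPMissing   = "ocsp-missing"
)

// isInternalName is a simplified stand-in for the BR definition (a name that cannot be
// verified as globally unique in the public DNS): no dot, or a never-delegated suffix.
func isInternalName(name string) bool {
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	return !strings.Contains(n, ".") || strings.HasSuffix(n, ".local") ||
		strings.HasSuffix(n, ".localhost") || strings.HasSuffix(n, ".internal")
}

// CheckBaselineRequirements returns one entry per violated check, tagged as above.
func CheckBaselineRequirements(c *x509.Certificate) []string {
	var v []string
	if len(c.Issuer.Country) == 0 {
		v = append(v, TagIssuerCountry)
	}
	if len(c.DNSNames)+len(c.IPAddresses)+len(c.EmailAddresses)+len(c.URIs) == 0 {
		v = append(v, TagSANMissing)
	}
	names := append([]string{}, c.DNSNames...) // copy; never append to the cert's own slice
	if cn := c.Subject.CommonName; cn != "" {
		inSAN := false
		for _, d := range c.DNSNames {
			inSAN = inSAN || strings.EqualFold(d, cn)
		}
		if !inSAN {
			v = append(v, TagCNNotInSAN+": "+cn)
		}
		names = append(names, cn)
	}
	for _, n := range names {
		if net.ParseIP(n) == nil && isInternalName(n) { // IP literals are judged below
			v = append(v, TagInternalName+": "+n)
		}
	}
	for _, ip := range c.IPAddresses {
		if ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			v = append(v, TagInternalIP+": "+ip.String())
		}
	}
	if c.NotBefore.AddDate(0, 39, 0).Before(c.NotAfter) {
		v = append(v, TagValidity+": "+c.NotBefore.Format("2006-01-02")+" to "+c.NotAfter.Format("2006-01-02"))
	}
	if len(c.OCSPServer) == 0 { // the stapling exemption cannot be judged from the certificate alone
		v = append(v, TagOCSPMissing)
	}
	return v
}

// MakeTestCert builds a constructed self-signed certificate for this example: a compliant
// one, or one that trips every check except the SAN-missing check.
func MakeTestCert(compliant bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, KeyUsage: x509.KeyUsageDigitalSignature}
	if compliant {
		tmpl.Subject = pkix.Name{Country: []string{"GB"}, CommonName: "www.example.com"}
		tmpl.DNSNames = []string{"www.example.com", "example.com"}
		tmpl.NotAfter = notBefore.AddDate(0, 12, 0)
		tmpl.OCSPServer = []string{"http://ocsp.example.com"}
	} else {
		tmpl.Subject = pkix.Name{CommonName: "intranet"} // no country; CN absent from the SAN
		tmpl.DNSNames = []string{"www.example.com", "mail.local"}
		tmpl.IPAddresses = []net.IP{net.ParseIP("10.0.0.5")}
		tmpl.NotAfter = notBefore.AddDate(5, 0, 0) // 60 months
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run CheckBaselineRequirements on the certificate a CA is about to sign (or on the precertificate) and refuse to issue while the returned slice is non-empty; the same function applied to an already-issued estate gives the spreadsheet-style report described below.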

Netcraft’s BR, EV and CT Compliance Checking service is also available as a monthly report delivered as a spreadsheet.

Deceptive Domain Score

A phishing site targeting Commerzbank using an SSL certificate for commerzbank.link.

The CA/Browser Forum’s Baseline Requirements require that certificate authorities perform additional verification for "High Risk Certificate Requests", which include requests for domain names that are likely to be used for phishing or fraud:

The CA SHALL develop, maintain, and implement documented procedures that identify and require additional verification activity for High Risk Certificate Requests prior to the Certificate’s approval

High Risk Certificate Request: A Request that the CA flags for additional scrutiny by reference to internal criteria and databases maintained by the CA, which may include names at higher risk for phishing or other fraudulent usage

Netcraft’s Deceptive Domain Score service pre-emptively identifies domain names that are likely to be used for fraudulent purposes. The service computes a risk score for each domain name in the certificate, representing how likely it is that the domain name will be used to host a phishing attack.

Netcraft’s Deceptive Domain Score for commerzbank.link.

Netcraft has blocked over 38.4 million unique phishing sites to date [November 2017], and our phishing feed is used by all major web browsers, as well as leading anti-virus companies, domain registrars, registries, certificate authorities and hosting companies. Netcraft’s database of over 7,800 organisations targeted by phishing is used to identify domain names that are deceptively similar to an organisation’s legitimate domain name. Our extensive experience in blocking phishing sites has provided us with a wealth of knowledge of tricks commonly used by fraudsters to create deceptive domain names, such as:

  • Using Internationalized Domain Names to introduce lookalike characters from other alphabets.
  • Substituting lookalike characters, such as “o” (letter O) and “0” (zero).
  • Inserting, deleting or re-ordering characters.
  • Adding prefixes and suffixes, such as “update”, “login” and “secure”.

An SSL phishing site using an Internationalized Domain Name to impersonate Blockchain.

Examples

The following table lists a sample of deceptive domain names used in SSL phishing attacks together with their target and risk score:

Domain name                               Target              Risk
commerzbank.link                          commerzbank.de      10.0
www-labanquepostale.fr                    labanquepostale.fr  10.0
blockchaín.info (xn--blockchan-n5a.info)  blockchain.info      8.51
mercadoslivre.com                         mercadolivre.com     8.25
itunes-security.net                       itunes.com           8.09
loposte.fr                                laposte.fr           7.28
online23bofa.com                          bofa.com             6.95
paypaisecure.com                          paypal.com           5.85
btintranert.com                           btinternet.com       5.57
barclaymessage.co.uk                      barclays.co.uk       5.31

Further Services

Netcraft offers several other services that may be of interest to certificate authorities, including:

More Information

Please contact us by email at sales@netcraft.com or phone +44 (0) 1225 447500 for more information.