Friday, March 11, 2016

SSL certificate acquisition security and Outlook Online groups

Many organizations that issue basic SSL certificates use e-mail to verify ownership of the domain. Such processes involve sending a verification code to hostmaster or postmaster or webmaster at the domain in question (or its parent, in the case of subdomains).

I know of some enterprise and academic organizations that use Office 365 and Outlook Online for their e-mail. One feature of Office 365 is groups, which can function as faux-addresses that forward all e-mails to the group members. Depending on the settings, users can form and disband groups as they please without administrative approval.

What do those two facts have to do with each other? Well, imagine what would happen if somebody could create a group called hostmaster. Sure enough, that's possible, and it will indeed produce the group address of hostmaster@domain.tld. If the Outlook addresses are at the root domain, anybody who can form groups can effectively pretend to be the hostmaster and create SSL certificates for the domain. A free issuing entity that uses e-mail verification is StartSSL.

What can be done about that? Some things:

  • Reserve sensitive group names by creating private groups (so users can't join)
  • Don't give normal users addresses at your root domain (do something like ourmail.example.com)
  • Disable the group features if you don't need them

Microsoft might want to consider making sensitive names not allowable as group IDs.
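The first two mitigations above, as an added example rather than anything from the original post: an Exchange Online PowerShell script that first audits which of the sensitive aliases have already been claimed as groups and who owns them, then reserves the missing ones as Private groups held by an admin mailbox. It assumes a session opened with Connect-ExchangeOnline by an account allowed to manage groups; the alias list and the owner address are placeholders to adjust for your tenant.

```powershell
# Added example (not from the original post). Assumes an Exchange Online PowerShell
# session already opened with Connect-ExchangeOnline by an account that may manage groups.
# The reserved-alias list and the holding owner are assumptions; adjust for your tenant.
$reservedAliases = @('hostmaster', 'postmaster', 'webmaster', 'admin', 'administrator')
$holdingOwner    = 'it-security@example.com'   # placeholder: a mailbox the admins control

# 1. Audit: has anyone already created a group whose alias is one of the reserved names?
$claimed = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $reservedAliases -contains $_.Alias.ToLower() }
foreach ($g in $claimed) {
    Write-Host ("{0}`t{1}`towners: {2}" -f $g.PrimarySmtpAddress, $g.AccessType, ($g.ManagedBy -join ', '))
}

# 2. Reserve: create each missing alias as a Private group owned by the admins, and flip
#    any existing public one to Private so ordinary users can no longer join it themselves.
foreach ($alias in $reservedAliases) {
    $existing = $claimed | Where-Object { $_.Alias -ieq $alias }
    if ($null -eq $existing) {
        New-UnifiedGroup -DisplayName "Reserved: $alias" -Alias $alias -AccessType Private -Owner $holdingOwner
    } elseif ($existing.AccessType -ne 'Private') {
        Set-UnifiedGroup -Identity $existing.Identity -AccessType Private
    }
}
```

Switching a group to Private does not remove members who joined while it was public, so review the owners and membership of every group the audit step reports before trusting the alias again.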
