Tuesday, June 12, 2007

What happened to the networksolutions.com root cert?

Has anyone seen the Root cert called "UTN-USERFirst-Hardware"? Or for that matter an EV (Extended Validation) certificate?

This comes from a website called http://www.usertrust.com/ which then resolved to beleaguered ISP aros.net. They have since changed ISPs to sisna.com.

I will list here the openssl output for https://www.networksolutions.com/

Certificate chain
 0 Delaware/C=US/ST=Virginia/L=Herndon/O=Network Solutions, LLC/OU=Registrar/OU=Secure Link EV SSL/CN=www.networksolutions.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
 1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
 2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

It seems that Network Solutions has somehow changed their certificate model to use this UTN usertrust.com root certificate path.

We have noticed that updated versions of Firefox and IE 7 do in fact trust this root certificate, but older IE 6 does not for some reason.

I have also noticed strange things about how www.networksolutions.com now shows up on different versions of browsers. Some browsers will show a certificate path which has 3 Verisign chains, and other browsers will have 5 chains which include the "AddTrust External CA Root".
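
An added example (not part of the original post): a Python sketch that parses the chain listing above, checks that each issuer matches the next subject, and shows how the path a client ends up with depends on which root it trusts. The trust-store contents passed to `path_to_anchor` are hypothetical, not real browser root lists, the leaf subject is abbreviated, and matching is by name only.

```python
import re

# Constructed sample: the chain listing from this post, with the leaf
# subject abbreviated to its CN, in `openssl s_client` layout.
SAMPLE = """\
Certificate chain
 0 s:/CN=www.networksolutions.com
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
 1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA
   i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
 2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
"""

def cn(dn):
    """Return the CN of a one-line DN (text after the last '/CN=')."""
    return dn.rsplit("/CN=", 1)[-1].strip()

def parse_chain(text):
    """Parse s:/i: pairs into a list of (subject_cn, issuer_cn)."""
    subjects = re.findall(r"^\s*\d+\s+s:(.+)$", text, re.M)
    issuers = re.findall(r"^\s*i:(.+)$", text, re.M)
    if len(subjects) != len(issuers):
        raise ValueError("unpaired s:/i: lines")
    return [(cn(s), cn(i)) for s, i in zip(subjects, issuers)]

def broken_links(chain):
    """Indexes where a cert's issuer is not the next cert's subject."""
    return [n for n in range(len(chain) - 1) if chain[n][1] != chain[n + 1][0]]

def path_to_anchor(chain, trusted_roots):
    """Names a client walks until it hits a root it trusts, else None.
    Name matching only; a real client also verifies every signature."""
    path = []
    for subject, issuer in chain:
        path.append(subject)
        if issuer in trusted_roots:
            return path + [issuer]
    return None

if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    print("broken links:", broken_links(chain))
    # Hypothetical trust stores, one root each, to compare resulting paths.
    for store in ({"UTN-USERFirst-Hardware"}, {"AddTrust External CA Root"}, set()):
        print(sorted(store), "->", path_to_anchor(chain, store))
```

A store that trusts UTN-USERFirst-Hardware directly stops one certificate earlier than a store that only trusts AddTrust External CA Root, and a store with neither finds no path at all.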

This seems really odd to me. In doing more research, we came across a whole slew of crazy information about the owner of aros.net going to jail and freessl.com having a security flaw from 2002 on securityfocus.com:

http://www.securityfocus.com/archive/1/304480

Follow http://www.usertrust.com/ and take a look at the site.

Do a Google Search on UserTrust
http://www.aboutus.org/UserTrust.com

UserTrust used to use a hosting provider called Aros
http://www.aboutus.org/Aros.net

Do a Google search on "Michael Winsett+Aros" and it pulls back interesting information. The whole situation feels strange to me because of the nature of the companies and people involved. When I start looking into an SSL cert, which is a root cert for Network Solutions (a very large trust organization) and I start finding information out about people going to jail and companies going out of business, I get nervous.

Doing a little more research, a colleague of mine found that Network Solutions, Microsoft, Comodo and others got together to create an Extended Verification SSL certificate path.

http://www.instantssl.com/ssl-certificate-products/ssl/ssl-ev-validation.html

The only problem that I see here is that IE6 (at least SP1) doesn't seem to be compatible with this new certificate chain and complains, even when going to the www.networksolutions.com homepage under SSL. This seems to suggest that the EV cert is not backwards compatible with older browsers, which does not seem like a good thing.

Network Solutions tells us that an EV cert must be installed properly in order for it to work. No kidding! There are several things to keep in mind when updating a certificate store, including updating the proper intermediate chain and, if it is a Windows box, rebooting it.

So the bottom line is that Network Solutions changed their certificate model, and it is now causing problems. Several things have to fall in line perfectly for nothing to go wrong. You must update your intermediate chain, reboot your box if it runs Windows, and hope to God your customers are not using IE 6. Granted, this hopefully will only apply to an EV cert, but I am still doing research. Are they forcing us to move to IE7, update Firefox, and replace our very browsers with something compliant with this new model? Has any peer review been done yet on the new EV certs, and what security organizations are covering this?

I could just be paranoid, but does this look like a scam to get users to upgrade to IE7 and then demand that ALL website owners upgrade their certs to EV so the user can get that nice little green button on their browser? Typical phone call: "Hello, I am a customer and I noticed that your website does not have that green light for your shopping cart". If that is the case, boo to the powers that be.

Follow this link for a great commentary on this situation.

When companies who are supposed to gain our undying trust start mucking about with grand ideas which may or may not work for everyone, people should sit up and notice. Heh Network Solutions, we noticed!

Please comment either here, or on the digg.com article because I would like to hear other reactions to this situation.

digg story