Tuesday, June 12, 2007

What happened to the networksolutions.com root cert?

Has anyone seen the Root cert called "UTN-USERFirst-Hardware"? Or for that matter an EV (Extended Validation) certificate?

This comes from a website called http://www.usertrust.com/ which then resolved to beleaguered ISP aros.net. They have since changed ISP's to sisna.com.

I will list here the openssl output for https://www.networksolutions.com/

Certificate chain

0 Delaware/C=US/ST=Virginia/L=Herndon/O=Network Solutions, LLC/OU=Registrar/OU=Secure Link EV SSL/CN=www.networksolutions.com
i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA

1 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions EV SSL CA

i:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority

2 s:/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority

i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware

3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware

i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

It seems that Network Solutions has somehow changed their certificate model to using this UTN usertrust.com cert Root certificate path.

We have noticed that updated versions of Firefox, and IE 7 do in fact trust this root certificate, but older IE 6 does not for some reason.

I have also noticed strange things about how www.networksolutions.com now shows up on different versions of browsers. Some browsers will show a certificate path which has 3 Verisign chains, and other browsers will have 5 chains which includes the "Addtrust External CA Root".

This seems really odd to me. In doing more research, we came across a whole slew of crazy information about the owner or aros.net going to jail and freessl.com having a security flaw from 2002 on securityfocus.com

http://www.securityfocus.com/archive/1/304480

Follow
http://www.usertrust.com/ and take a look at the site.

Do a Google Search on UserTrust
http://www.aboutus.org/UserTrust.com

UserTrust used to use a hosting provider called Aros
http://www.aboutus.org/Aros.net

Do a Google search on "Michael Winsett+Aros" and it pulls back interesting information. The whole situation feels strange to me because of the nature of the companies and people involved. When I start looking into an SSL cert, which is a root cert for Network Solutions (a very large trust organization) and I start finding information out about people going to jail and companies going out of business, I get nervous.

Doing a little more research a colleague of mine found that Network Solutions, Microsoft, Comodo and others got together to create an Extended Verification SSL certificate path.

http://www.instantssl.com/ssl-certificate-products/ssl/ssl-ev-validation.html

The only problem that I see here, is that IE6 (at least SP1) doesn't seem to be compatible with this new certificate chain and complains, even going to the www.networksolutions.com homepage under SSL. This seems to suggest that the EV cert is not backwards compatible with older browsers which does not seem like a good thing.

Network Solutions tells us that an EV cert must be installed properly in order for it to work. No Kidding! There are several things to keep in mind when updating a certificate store, including updating the proper intermediate chain, and if a Windows box reboot it.

So the bottom line, is Network Solutions changed their certificate model, and it is now causing problems. Several things have to fall in line perfectly for nothing to go wrong. You must update your intermediate chain, reboot your box, if windows, and hope to God your customers are not using IE 6. Granted this hopefully will only apply to an EV cert, but I am still doing research. Are they forcing us to move into IE7, update Firefox, and replace our very browsers with something compliant with this new model? Has any peer review been done yet on the new EV certs, and what security organizations are covering this?

I could just be paranoid, but does this look like a scam to get users to upgrade to IE7 and then demand that ALL website owners upgrade their certs to EV so the user can get that nice little green button on their browser? Typical phone call "Hello, I am a customer and I noticed that your website does not have that green light for your shopping cart". If that is the case, boo to the powers that be.

Follow this link for a great commentary on this situation.

When companies who are supposed to gain our undying trust start mucking about with grand ideas which may or may not work for everyone, people should sit up and notice. Heh Network Solutions, we noticed!

Please comment either here, or on the digg.com article because I would like to hear other reactions to this situation.

digg story

8 comments:

Jeremy said...

After the experiences I've had in the last 24 hours, I wouldn't recommend Comodo to anyone. All the details are on my blog.

Aaron said...

That is the least of the problems. I recently ran into major problems with their new root/chain.

Priory to java 1.5.0_09 which MANY business are using will not trust that chain. Not only that, older installations of openssl will also have issues. That means many php and perl apps will break in addition to weblogic, jboss, websphere and so on. Just upgrade? Not that easy, as any development org knows.

Windows workstations using MSIE6 SP1 or older will not be able to deal with their new root as well.


This is not the only problem. Java prior to version 1.6 will not be able to deal with EV SSL certs at all.

Network Solutions is trying to force the world to upgrade all their machines. As much as I would like that to happen, we know it will not.

I believe this is just the tip of the iceberg. They really should have kept the GTE cert as long as possible. Many people are going to be forced to either go to Verisign (expensive) or GoDaddy (omg no!).

Carmina said...

I was looking for some information and photos of pelicans taken by Sildenafil Citrate the Russian bird expert and I came across your blog by mistake. I found out that this does not have anything to do with pelicans

Click SSL said...
This comment has been removed by the author.
Paul said...

i have been using extended validation ssl for a while no after i had lots of issues with comdos root certs. I have found are sales have increase and many customer feel happier entering there details after seeing the green address bars people now look for.

The SSL Store: SSL Certificates said...

Extended Validation SSL or EV SSL Certificates (eg VeriSign Secure Site with EV, GeoTrust True BusinessID with EV, Thawte SSL Web Server with EV) are the highest quality and most effective option. The certificates supply the green address bar, which according to VeriSign studies increase sales an average of 20%.

Vicky said...

Comodo seems like a bad apple, me and my husband are small buisness owners and running a small online distribution service. Security of our customers in paramount to our personal values and reading about such breaches in security is incredibly dissapointing, we were both thinking about investing in an ev ssl cert

RapidSSLOnline said...

EV SSL or Extended Validation SSL is the power of Green Signal which can raise the trust and confidence over the web site or web store.

Thank you so much for sharing all this stuff!


WildCard SSL | EV SSL | Thawte SSL