Did you know: Lawyers can certify web domain ownership? Well, not no more they ain't

Lawyers will no longer be allowed to certify someone's ownership of an internet domain name, and the public Whois no longer represents proof of ownership, when it comes to assigning security certificates to site owners. That means, for example, you can no longer pay a lawyer $500 to write you a letter asserting you own a …

  1. Donn Bly

    Email from the same domain?

    Since it is so trivial to spoof an email, how could they even CONSIDER email from the domain as a "secure" method of validation?

    On whois information not being valid, while the whois system has imploded if someone puts false information in whois and gets a certificate with it, it certainly isn't any LESS secure than allowing them to authenticate with a DNS TXT record or place a file on a webserver.

    I did notice about a month ago when I went to try to get a certificate for a new domain name that Comodo no longer accepted Gmail email addresses as contacts, even though that was how the domain was registered. Since the domain wasn't going to be used for email we hadn't even considered setting up email for it, so I had to jump through some hoops to make DNS changes to set up MX records and set it up on a mail server JUST so that we could get the cert - only for us to revert back to no email as soon as the certificate was issued. Not overly complicated, just an extra hurdle on a Friday afternoon for an already rushed job. For the next one after that we just used "Let's Encrypt" and didn't bother going back to Comodo.

    1. Anonymous Coward Silver badge
      Boffin

      Re: Email from the same domain?

      I sincerely hope that it is meant to say "email TO the same domain name" - I've used several CAs who will email confirmation to one of webmaster@/hostmaster@/postmaster@ (or something similar - basically a predefined list of 'authoritative' users).

  2. keithzg

    A "phoencall"?

    I haven't heard of that security verification mechanism before, do elaborate!

    1. David 132 Silver badge

      Re: A "phoencall"?

      I didn't think I had either, but it rings a bell.

    2. stiine Silver badge
      Devil

      Re: A "phoencall"?

      You've never heard of Phoenicians? Their civilization predated the Egyptians.

      1. Mark 85

        Re: A "phoencall"?

        "You've never heard of Phoenicians? Their civilization predated the Egyptians."

        So security by bronze sword then?

        1. RealBigAl

          Re: A "phoencall"?

          Buyer beware: Sounds like a Pyramid scheme to me.

    3. diodesign (Written by Reg staff) Silver badge

      Re: A "phoencall"?

      Jsut a tpyo. If you sopt aytnhnig wrnog, dorp us an eiaml - corrections@theregister.com - and we'll fix tehm sritahgt aawy.

      C.

      1. Will Godfrey Silver badge
        WTF?

        Re: A "phoencall"?

        The scary thing is I understood that perfectly!

        1. onefang

          Re: A "phoencall"?

          "The scary thing is I understood that perfectly!"

          A sure sign you've been reading ElReg for a looong time.

    4. Dave559 Silver badge
      Trollface

      Re: A "phoencall"?

      It was a proposed communication protocol introduced in a very early version of Mozilla's stand-alone web browser, but it never saw the light of the flames or the light of day. It re-emerged very much later in Firefox as WebRTC...

  3. frank ly

    The cold light of The Regsiter

    Now that you've mentioned them, either accidentally or deliberately, supercyberbadgers.com have gone dark. I asume they were up to no good.

  4. Drew 11

    Yet another Reg article on certs that ignores the obvious answer: DNSSEC.

    C'mon Kieren, how about an exposé on why the hell the browser authors refuse to bake in DNSSEC/DANE?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Drew 11

      We've been writing about DNSSEC and DANE for ages.

      DNSSEC is, unfortunately right now, to use another acronym, a PITA. But I'll add a link to make you happy.

      C.

      1. Drew 11

        Re: Drew 11

        What I'm not happy about is the browser authors refusing to bake DANE into browsers, which is what is holding up DNSSEC.

        You're in a position to do some forensic journalism and find out exactly why that is. Are they being handed cash by their CA mates to kill it off?

        What is SSAC's view of the matter?

  5. Anonymous Coward

    No Hope of obtaining EV certificates for UK Local authorities now then

    I was managing a project last year which required an EV certificate to link with the GOV.UK Verify infrastructure. Being a County Council, the organisation had several ways of demonstrating that we were a legitimate organisation (being on maps, Acts of Parliament, history books, records traceable back to the Wars of the Roses and historical records that date back before the establishment of the good old US of A, huge property holdings etc.), but none of these were acceptable to our USA-based CA as we were not a federal or state entity. After 3 months of going around in circles the CA decided that we needed to send them a letter from 'a solicitor'. We actually used a senior lawyer in our internal legal department to write the letter, and the irony is that they would take his entry on the Law Society register as proof that he was able to certify that a County Council existed, didn't even bother to call back on the published County Council phone number and finally granted us the cert. I'm not sure what I'll do next time.

    1. Anonymous Coward

      Re: No Hope of obtaining EV certificates for UK Local authorities now then

      Federal (adj): From merriam-webster.com "...relating to a form of government in which power is shared between a central government and individual states, provinces, etc..."

      From collinsdictionary.com "...Some people use federal to describe a system of government which they disapprove of..."

      So there's your problem... they are using the British definition

    2. anothercynic Silver badge

      Re: No Hope of obtaining EV certificates for UK Local authorities now then

      Use a CA who understands local government? Like... ohhhhh... the people who provide you with .gov.uk service? What's their name again? Janet?

  6. Doctor Syntax Silver badge

    "email from the same domain name"

    I doubt, however, I'd be able to get a certificate for Hotmail or Gmail.

  7. poohbear

    Lawyers

    Am I the only one who was expecting this to end along the lines of "not necessarily honest"...?

    However, the CAs decided this was not a very secure system since lawyers are "generally not qualified to evaluate"

  8. Milton

    Let's Encrypt

    I guess I'm mildly surprised that everyone is not now using Let's Encrypt. I set it up for the first time on a server a couple of years ago and after some initial permissions wrangling, it's worked regularly and reliably ever since. What's not to like?

    1. PyLETS

      Re: Let's Encrypt

      "What's not to like?"

      I use their certs on my HTTPS hosted sites and this meets my needs and those of my guests. However, I'd be more than a bit concerned if something looking just like the domain name of my bank, but differently Unicoded, appeared with a padlock symbol certificated on the basis of someone being able to put an arbitrary file onto the web server for whatever the domain name was. With Unicode characters within domain names, many different text strings showing the URL next to the green padlock symbol can have the same appearance as the legitimate domain name.

      Extended Validation is supposed to make this kind of business name impersonation hack more difficult.
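      The look-alike problem PyLETS describes above, worked through as an added example (not code from the commenter or from The Register): a constructed domain that renders like a bank's name but uses a Cyrillic letter, and a defender-side check that flags it by comparing the IDNA (punycode) form, a rough confusable "skeleton", and whether a label mixes scripts. Domain names and the confusables table are constructed for illustration; the full list is Unicode TR39.

```python
import unicodedata

# Constructed sample names (not real sites): the trusted domain and a
# look-alike that swaps Latin 'a' for Cyrillic 'а' (U+0430).
LEGIT = "examplebank.com"
LOOKALIKE = "ex\u0430mplebank.com"

# Small subset of Unicode TR39 confusables, mapping to their Latin look-alikes.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",  # Cyrillic c x i s
    "\u0131": "i", "\u0261": "g",                                # dotless i, script g
}


def to_ace(domain: str) -> str:
    """IDNA-encode each label (xn-- punycode); pure-ASCII labels pass through."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain: str) -> str:
    """Lower-case, NFKC-normalise, then fold confusables to ASCII."""
    nfkc = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in nfkc)


def scripts(label: str) -> set:
    """Script groups present in a label, taken from the Unicode name prefix
    (e.g. 'LATIN', 'CYRILLIC'); digits and hyphens are ignored."""
    return {unicodedata.name(ch).split(" ")[0] for ch in label if ch.isalpha()}


def check(displayed: str, trusted: str) -> dict:
    """Flag a displayed domain that is not `trusted` yet folds to the same skeleton,
    and report whether its first label mixes scripts (a common homoglyph tell)."""
    same_name = to_ace(displayed) == to_ace(trusted)
    return {
        "ace": to_ace(displayed),
        "lookalike": (not same_name) and skeleton(displayed) == skeleton(trusted),
        "mixed_script": len(scripts(displayed.split(".")[0])) > 1,
    }


if __name__ == "__main__":
    for name in (LEGIT, LOOKALIKE):
        print(name, check(name, LEGIT))
```

      The two names render identically in many fonts, but the IDNA form of the look-alike starts with `xn--`, which is what a browser or log-review tool can key on.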

      1. Anonymous Coward

        Re: Let's Encrypt

        Extended validation is a money making exercise. It is nothing more than “pay us more to do the job we claimed to be doing to start with”. How are we supposed to trust these cert issuers if they behave in this manner?
