Friday, August 15, 2008

Create Your Own EV Certificate??

Most web browsers support Extended Validation (EV) certificates. These certificates give a visual indication (a green address bar, for example) that the identity behind the SSL connection has been vetted. The only problem is that they are expensive, especially compared with 'ordinary' SSL certificates.

These certificates are special because the Certificate Authority (e.g. VeriSign) has validated the legal identity of the company that buys them; the encryption itself is no different from that of an ordinary SSL certificate. This way, the end user can shop, bank or whatever online without worrying too much.

Some affiliates and certificate vendors already did this years ago (validating the actual companies), so this is nothing new. Yet another way to fool consumers and make some extra money.....

The problem I run into is that I used to have a 'yellow-ish' address bar when I entered an https website. Today (at least with Firefox 3) the address bar remains blank. The only indication is a tiny lock displayed at the bottom of the browser, something you might (and definitely will) overlook.

I use a home-made Certificate Authority to create my own certificates (for webmail, secure IMAP, SSL, etc.), but I would like to see a proper visual indication of the SSL connection. So, is there a way to create an EV-like certificate (or even a new CA) by using Microsoft Certificate Services or by using OpenSSL which displays the colored address bar?

I did find some info on the EV requirements, but these should be 'spoofable' some way or another.....

UPDATE: I found a website which suggests reconfiguring Firefox 3. The problem with that is that I need to reconfigure all my browsers. I'd rather do it by 'faking' the specs.

It seems that an OCSP responder is mandatory for the bar to turn green....
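As an added example (not code from this post), the shell script below shows how far OpenSSL alone gets you. It assumes `openssl` is installed and uses placeholders throughout: a made-up policy OID under the private arc 1.3.6.1.4.1.99999, the host name webmail.example.test and an OCSP URL that does not exist. It mints a home-made root, issues a server certificate carrying the two fields an EV certificate is recognised by (a certificate-policy OID in certificatePolicies and an OCSP responder URL in Authority Information Access), and checks that the leaf chains to the root. What it cannot do is turn the bar green on its own: a browser only treats a certificate as EV when the issuing root and that policy OID are in the browser's own EV table (or, on Windows, set as an EV policy on the root in the certificate store), and Firefox additionally wants a live OCSP answer for the leaf.

```shell
#!/bin/sh
# Added example (not from the original post): mint a private root CA and an
# "EV-style" server certificate with OpenSSL. The policy OID, host name and
# OCSP URL below are placeholders chosen for this demo, not real EV values.
set -eu

EV_DEMO_POLICY_OID="1.3.6.1.4.1.99999.1.1"   # hypothetical private policy OID
EV_DEMO_HOST="webmail.example.test"          # hypothetical server name
EV_DEMO_OCSP="http://ocsp.example.test/"     # hypothetical OCSP responder URL

# Write a self-contained OpenSSL config so the demo does not depend on the
# system openssl.cnf. v3_ca is used for the root, v3_ev for the server leaf.
write_openssl_config() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no

[dn]
CN = Home Root CA

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_ev]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$EV_DEMO_HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# The two fields that make a certificate look "EV" to a browser:
certificatePolicies = $EV_DEMO_POLICY_OID
authorityInfoAccess = OCSP;URI:$EV_DEMO_OCSP
EOF
}

# Build ca.key/ca.crt and leaf.key/leaf.crt in the directory given as $1.
make_ev_style_chain() {
    dir=$1
    write_openssl_config "$dir/openssl.cnf"

    # 1. Self-signed root: the certificate a client would have to trust.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Server key and certificate request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" -subj "/CN=$EV_DEMO_HOST" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null

    # 3. Sign the request with the root, attaching the v3_ev extensions.
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 397 -sha256 \
        -extfile "$dir/openssl.cnf" -extensions v3_ev -out "$dir/leaf.crt" 2>/dev/null
}

# Return 0 if the certificate in $1 carries policy OID $2, 1 otherwise.
has_policy_oid() {
    openssl x509 -in "$1" -noout -text | grep -q "Policy: $2"
}

# Return 0 if the certificate in $1 points at OCSP responder URL $2.
has_ocsp_url() {
    openssl x509 -in "$1" -noout -text | grep -q "OCSP - URI:$2"
}

# Return 0 if $2 chains to the root in $1, i.e. what a client that trusts
# the home-made root would conclude.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run: build the chain in a scratch directory and show the EV-style fields.
demo_dir=$(mktemp -d)
make_ev_style_chain "$demo_dir"
openssl x509 -in "$demo_dir/leaf.crt" -noout -subject -issuer
openssl x509 -in "$demo_dir/leaf.crt" -noout -text | grep -E "Policy:|OCSP - URI:"
rm -rf "$demo_dir"
```

The OpenSSL side is the easy half. The step that matters for security is the other one: the moment a client trusts ca.crt, every certificate it issues looks as good as a real one to that client, so importing the root is where the risk lives, not in the commands above.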

Reader Comments (4)

"These certificates are special because the Certificate Authority (e.g. VeriSign) validated the company who buys these certificates. This way, the end user can shop / bank / or whatever online without worrying too much."

I was under the impression that the purpose of an EV certificate was to demonstrate to the end user that the organization has been fully authenticated with the strict EV standards. The green bars are a great security add-on, but spoofing this does not do justice to the EV-enabled user experience.

"Faking" the specs, "spoofing" the EV requirements...that doesn't sound like a very secure path to head down.

Good luck on your adventures.

August 15, 2008 | Unregistered CommenterAllen L. Kelly

You are correct, but since the normal browsers have little to no indication these days that you are connecting with a proper SSL connection (even if it's just for encryption purposes), one has to find a way 'around'. The Firefox setting is a possibility, but that's FF only. Note that this 'fake' EV certificate is only available (if I manage to create them) to me, since I trust my own self-signed root CA.

Apart from the personal 'gain', it can also serve as a proof of concept that EV certificates can be 'forged'. All I need to do is make sure that a machine trusts my root CA. This should in theory be possible with a sophisticated trojan.

I did create a fake VeriSign root CA a while ago. Everything (apart from the public key, fingerprint, etc.) looked exactly like the original. An SSL certificate created with that root CA looked real to most users. Spread such a root with a lame excuse, and you're able to do some nasty things.
This was a PoC for a customer, just to show what might happen if your machine gets compromised by a virus and you think you got rid of all malicious pieces.

Hardly anyone checks their certificate store. One extra trusted root certification authority in your store doesn't set off alarms, especially since there are over 100 in there already (Hongkong Post Office???? What's that one doing in there??).

August 15, 2008 | Unregistered CommenterWillem

It's an old thread here, but isn't it great that after less than a year the new Firefox 3.5 has the default positive indicator now for regular SSL-secured sites? It really helps to make the user aware of SSL at large. And EV still remained as great and green as it was before.

September 1, 2009 | Unregistered CommenterEddy Nigg

I think that you can make an Extended Validation SSL certificate using OpenSSL, but there is one problem... This certificate will not be trusted on any other computers but yours, that is, if you enable trust on your certificate. If someone comes to your website and they click 'trust certificate', the green bar will not show up. In order to get the green bar to show up you need to install your CA root certificate into your MMC.exe. This you can do with the pkcs12 commands. There you will have to enable Extended Validation [most CAs use a friendly name]. The problem is that even if the extended validation works on your computer, I'm not sure if it will work on your "client's" computer, because they don't have your Extended Validation OID enabled in their MMC.exe or their browser, and you can't exactly make a custom one; you need some kind of program in order to do that. Well, hope this helped you in any way. Good luck!

September 18, 2012 | Unregistered CommenterMichael Repin
