Friday, April 30, 2010

In March this year there was some noise about the US government forcing Certificate Authorities (CAs) to hand over SSL keys so that mail traffic could be decrypted. Personally, I'm not worried as long as the decrypted data stays with a government, but it would be a serious issue if anyone else could read my data.

Old-school attacks using fake SSL certificates were popular for a while: the adversary would present a certificate no trusted CA had signed, and the client application (mail client or browser) would throw a warning. Those attacks banked on users ignoring the warning and clicking through.

Then came a time (I'm not sure it is over yet) when shady CAs would issue certificates without proper verification.

Now the latest findings say that a few webmail providers were not careful enough to reserve admin-like accounts, the very addresses a CA mails its domain-validation challenge to. Anyone could register such an address, get a genuine certificate for the provider's domain from a CA, and conduct a man-in-the-middle attack without ANY warning from any software.
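What the reserved-username check at signup should look like, as an added example that is not code from the post or from any of the providers tested. Only "ssladmin" comes from the post; the rest of the reserved list (the constructed addresses from the CA/Browser Forum Baseline Requirements plus a couple of names CAs have accepted historically) is an assumption, as is the sample account data. The check compares the way the mail system routes, not the way the user typed, so case, "+tag" sub-addresses, full-width characters and (for providers that ignore them) dots cannot be used to slip past it:

```python
"""Reserved-username check for a mail provider's signup form (added example).

A CA doing domain validation sends its challenge to a small, fixed set of
addresses at the domain. A webmail provider that lets an ordinary user
register one of them hands that user a valid certificate for the provider.
"""
import unicodedata

# "ssladmin" is the local part the post tested. The rest are assumed: the
# constructed addresses listed in the CA/Browser Forum Baseline Requirements
# (admin, administrator, hostmaster, postmaster, webmaster) plus a couple of
# names some CAs have accepted historically. Extend for your own CA's list.
RESERVED_LOCAL_PARTS = frozenset({
    "ssladmin", "sslwebmaster", "sysadmin",
    "admin", "administrator", "hostmaster", "postmaster", "webmaster",
})


def canonical_local_part(username, ignore_dots=False):
    """Reduce a requested username to the mailbox it would really deliver to.

    - NFKC folds full-width and other compatibility characters to plain ASCII
    - casefold(): no webmail provider delivers Admin@ and admin@ separately
    - a "+tag" sub-address suffix is dropped
    - dots are dropped if the provider treats them as insignificant
    """
    name = unicodedata.normalize("NFKC", username).strip().casefold()
    name = name.split("+", 1)[0]
    if ignore_dots:
        name = name.replace(".", "")
    return name


def is_reserved(username, ignore_dots=False):
    """True if registering this username would capture a CA validation address."""
    return canonical_local_part(username, ignore_dots) in RESERVED_LOCAL_PARTS


def signup_decision(username, existing, ignore_dots=False):
    """What the signup form should answer: 'forbidden', 'taken' or 'ok'.

    Reserved names are checked before the 'already in use' lookup, so the
    form never reveals whether admin@ exists as a real mailbox.
    """
    canon = canonical_local_part(username, ignore_dots)
    if canon in RESERVED_LOCAL_PARTS:
        return "forbidden"
    taken = {canonical_local_part(u, ignore_dots) for u in existing}
    if canon in taken:
        return "taken"
    return "ok"


def audit_existing(accounts, ignore_dots=False):
    """Retrofit check: which already-registered accounts sit on reserved names.

    Returns {registered username: reserved local part it resolves to}, so an
    operator can suspend or reclaim them instead of waiting for a report.
    """
    hits = {}
    for account in accounts:
        canon = canonical_local_part(account, ignore_dots)
        if canon in RESERVED_LOCAL_PARTS:
            hits[account] = canon
    return hits


if __name__ == "__main__":
    # Constructed sample data, not taken from the post.
    existing = {"rahul", "priya.k", "Web.Master"}
    attempts = ["ssladmin", "SSLAdmin+x", "s.s.l.admin", "ｓｓｌａｄｍｉｎ", "rahul", "newuser"]
    for attempt in attempts:
        print(f"{attempt!r:>16} -> {signup_decision(attempt, existing, ignore_dots=True)}")
    print("already registered on reserved names:", audit_existing(existing, ignore_dots=True))
```

Run the same `audit_existing` pass over the live account table before turning the signup check on; a provider whose form says "already in use" for ssladmin@ may have reserved it, or may already have handed it to a stranger, and only the audit tells the two apart.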

So I thought of conducting the same test on Indian webmail providers, which are still popular and which many people use for mail. I chose the following 4 popular services and tried to create an account ssladmin@


Here are my findings:
1. - the account creation interface gave an error saying the account was already in use
2. - denied, saying this username is not allowed
3. - denied, saying the username is forbidden
4. - Oops! It allowed me to create the account, which means I could have gone to a CA and asked for an SSL certificate.

I got in touch with the authorities, but no one responded, nor did they disable my account for more than a week. Then I had to get in touch with the head of portal business via LinkedIn, and finally the account was closed. I have yet to receive a note of acknowledgement, but at least Sify users are safe now.

Happy & Safe Browsing

