View Issue Details

IDProjectCategoryView StatusLast Update
0000056Main CAcert Websiteaccount administrationpublic2013-11-20 22:23
ReporterSourcerer Assigned To 
Status closedResolutionfixed 
Fixed in Version2006 
Summary0000056: EMail Ping not safe enough
DescriptionWhen the user clicks on the Email Ping URL, the first HTTP GET Request automatically accepts the EMail as valid for the user.

There are two problems with it:

1. Some Email clients send an invisible(for the user) HTTP GET first, to determine the mimetype of the resulting answer, and afterwards open either a browser or a dedicated application (Acrobat Reader, ...) and give it the URL.
This results in the first unvisible request being accepted by CAcert, and the second visible one resulting in an unspecific Error message, which says that the Email Ping was already acknowledged.
The workaround is to copy the URL from the Email, and open it manually in a Browser.
Additionaly it can be reproduced with a single-request Browser by Refreshing the page (press F5 or Alt+R)
Refreshing a HTTP GET page generally should not result in an error message, according to the HTTP standard RFC.

2. There is no authentication for the HTTP GET page, which has the result that anyone can confirm an EMail Ping without having a CAcert account.
Now if someone wants to get a certificate for someone elseĀ“s email address, he just has to continuously send Email Pings, until that person somewhen clicks on the Link by accident or curiousity. Just clicking the link is enough for the first person to get a CAcert certificate for the email address.
Additional InformationProposed fix:

We have several possibilities:
* We could only provide the HASH in the EMail, which has to be Copy&Pasted into a form field that is only available in a logged in session.

* Email Ping URL -> click -> "Thanks for submitting the Email Ping. Please login to activate it" -> Login -> "Thank you, your Email Ping was successfully activated now".

What will not work:

* Demanding a login. (The user needs the Email Ping to get a certificate with which he can login ;-)
TagsNo tags attached.
Reviewed by
Test Instructions


related to 0000045 closed Change the verification system with a POST form 



2006-01-06 01:51

administrator   ~0000073

when adding an e-mail account, a message is sent to that account. The recipient then just has to click the link and the e-mail account will get the status verified.
This verfication method is very insecure, because a CAcert member could try to verify another person's e-mail account as his own. If that other person never heard about CAcert, he will be surprised when he receives the e-mail with the confirmation link. That e-mail message does not contain any information about misuse. Therefore it is is very likely that the recipient will click the link to find out what this message is about - thereby confirming the account for the attacker.
I propose that additional information regarding misuse is included in the confirmation message. Further, just clicking the link should not suffice. I think it is safer if one additionally has to enter his password or present a certificate to get authenticated. This prevents a third party from accidentally confirming the e-mail account for another person.


2006-04-24 22:02

manager   ~0000201

This case is a bit tricky and may lead to other problems aswell. For example phisher could use such verification emails/links to steal other peoples CAcert passwords.

I'd recommend to send out an email like that:

You requested to connect the following domain or email address to your CAcert Account:


This email was sent to you, to find out if you really own that domain or email address. Please click on the following link. There you can choose whether to add it to the CAcert database or not. On that page you can also notify the CAcert Support if someone missued your email address or domainname.


Please close your browser window after you decided what to do! Never provide your username or password to a website that was sent to you by email. Beware of phisher who sent you fake links to steal your password!

I see no reason why the user should login. Clearly saying "YES, add my domain", "NO, do not add my domain" and "NO, do not add my domain but notify support" should be sufficiant.


2006-08-14 04:14

developer   ~0000419

Added extra handling in verify.php...

Issue History

Date Modified Username Field Change
2005-09-07 18:14 Sourcerer New Issue
2005-12-02 11:39 evaldo Relationship added related to 0000045
2006-01-06 01:51 Sourcerer Note Added: 0000073
2006-01-06 01:52 Sourcerer Status new => needs work
2006-01-06 01:52 Sourcerer Assigned To => duane
2006-04-24 22:02 bluec Note Added: 0000201
2006-08-14 04:14 duane Status needs work => solved?
2006-08-14 04:14 duane Fixed in Version => production
2006-08-14 04:14 duane Resolution open => fixed
2006-08-14 04:14 duane Note Added: 0000419
2007-10-24 06:19 evaldo Assigned To duane =>
2007-10-24 06:19 evaldo Status solved? => closed
2013-01-13 15:04 Werner Dworak Fixed in Version => 2006
2013-11-20 22:23 NEOatNHNG View Status private => public