Internal-use SSL certificates pose security risk for upcoming domain extensions
CAs have issued certificates for internal domain names that could become public soon, causing conflicts, ICANN warns
IDG News Service - The practice of issuing SSL certificates for internal domain names with unqualified extensions could endanger the privacy and integrity of HTTPS communications for upcoming generic top-level domains (gTLDs), according to a security advisory from the Internet Corporation for Assigned Names and Numbers (ICANN).
The advisory was finalized by ICANN's Security and Stability Advisory Committee (SSAC) last week and warns that existing SSL certificates which have been issued for non-public domain names like those used to identify servers inside private networks, could be used to hijack HTTPS traffic for real domain names as new gTLDs become operational. ICANN oversees the Internet's top-level domain name space.
SSAC gave the example of an SSL certificate issued by a Certificate Authority (CA) to Australian clothing retailer Quiksilver for its webmail.quiksilver.com.au domain. That certificate is also valid for alternative non-publicly-recognizable domain names like qsauhub01, qsauhub01.sea.quiksilver.corp, qsauhub02, qsauhub02.sea.quiksilver.corp, and autodiscover.sea.quiksilver.corp.
The .corp domain extension has been used internally on private corporate networks for a very long time, but is currently being considered for future public use as a new gTLD. According to ICANN's website there are six different organizations that applied to become .corp registries.
"If an attacker obtains a certificate before the new TLD is delegated, he/she could surreptitiously redirect a user from the original site to the attacker site, present his certificate and the victim would get the Transport Layer Security/SSL (TLS/SSL) lock icon," the SSAC said in the advisory. "This poses a significant risk to the privacy and integrity of HTTPS communications as well as other protocols that use X.509 certificates (e.g. TLS/SSL-based email communication)."
In a test case, a researcher working with SSAC successfully applied for and obtained an internal-use certificate for www.site from a CA. While .site is not a gTLD yet, it will most likely become one. Some .site registry applicants already offer the possibility to pre-register domain names with this extension.
The researcher set up https://www.site with the newly obtained certificate and verified that various browsers recognized the certificate as valid.
The SSAC also searched SSL certificate data collected in 2010 by the Electronic Frontier Foundation's SSL Observatory project and found 37,244 internal name certificates issued by 157 CAs. Out of those, 1,053 certificates were for domains that ended in one of 63 applied-for gTLDs.
The real number of existing internal name certificates that would conflict with upcoming gTLDs is probably much higher, the SSAC said. The SSL Observatory data is from 2010 and only contains publicly available certificates on the IPv4 (Internet Protocol version 4) network, like the Quiksilver one, that are valid for both public and non-public domain names, it said.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!