Internal-use SSL certificates pose security risk for upcoming domain extensions

CAs have issued certificates for internal domain names that could become public soon, causing conflicts, ICANN warns

The practice of issuing SSL certificates for internal domain names with unqualified extensions could endanger the privacy and integrity of HTTPS communications for upcoming generic top-level domains (gTLDs), according to a security advisory from the Internet Corporation for Assigned Names and Numbers (ICANN).

The advisory was finalized by ICANN's Security and Stability Advisory Committee (SSAC) last week and warns that existing SSL certificates which have been issued for non-public domain names like those used to identify servers inside private networks, could be used to hijack HTTPS traffic for real domain names as new gTLDs become operational. ICANN oversees the Internet's top-level domain name space.

SSAC gave the example of an SSL certificate issued by a Certificate Authority (CA) to Australian clothing retailer Quiksilver for its domain. That certificate is also valid for alternative non-publicly-recognizable domain names like qsauhub01, qsauhub01.sea.quiksilver.corp, qsauhub02, qsauhub02.sea.quiksilver.corp, and autodiscover.sea.quiksilver.corp.

The .corp domain extension has been used internally on private corporate networks for a very long time, but is currently being considered for future public use as a new gTLD. According to ICANN's website there are six different organizations that applied to become .corp registries.

"If an attacker obtains a certificate before the new TLD is delegated, he/she could surreptitiously redirect a user from the original site to the attacker site, present his certificate and the victim would get the Transport Layer Security/SSL (TLS/SSL) lock icon," the SSAC said in the advisory. "This poses a significant risk to the privacy and integrity of HTTPS communications as well as other protocols that use X.509 certificates (e.g. TLS/SSL-based email communication)."

In a test case, a researcher working with SSAC successfully applied for and obtained an internal-use certificate for from a CA. While .site is not a gTLD yet, it will most likely become one. Some .site registry applicants already offer the possibility to pre-register domain names with this extension.

The researcher set up with the newly obtained certificate and verified that various browsers recognized the certificate as valid.

The SSAC also searched SSL certificate data collected in 2010 by the Electronic Frontier Foundation's SSL Observatory project and found 37,244 internal name certificates issued by 157 CAs. Out of those, 1,053 certificates were for domains that ended in one of 63 applied-for gTLDs.

The real number of existing internal name certificates that would conflict with upcoming gTLDs is probably much higher, the SSAC said. The SSL Observatory data is from 2010 and only contains publicly available certificates on the IPv4 (Internet Protocol version 4) network, like the Quiksilver one, that are valid for both public and non-public domain names, it said.

"Its methodology is not capable of discovering internal certificates that are not associated with a public certificate," the SSAC said. "Since the key purpose for internal name certificates is for internal use, it is highly likely that many internal certificates are unaccounted for."

The CA/Browser (CA/B) Forum, an organization of certificate authorities and browser vendors that drafts and publishes guidelines for the issuance of publicly trusted certificates, asked its CA members in July 2012 not to issue new certificates for internal server names that have an expiration date beyond Nov. 1, 2015. On Oct. 1, 2016, all CAs are expected to revoke the remaining certificates for internal server names that are still valid on that date, putting a permanent end to this type of certificate.

"Although this is welcome news, this is still problematic because ICANN plans to delegate new TLDs in 2013, introducing vulnerability for potential new gTLDs until October 2016," SSAC said.

ICANN reached out to the CA/B Forum about the problem and presented the SSAC's advisory at the organization's annual meeting in February. As a result, the CA/B Forum passed a ballot requiring all CAs to cease issuing new certificates that include gTLDs within 30 days of those gTLDs becoming operational. The CAs will also have to revoke all existing certificates for domain names under a new gTLD within 120 days after ICANN publishes the contract for that respective gTLD on its website, unless certificate owners register their private domain names publicly under the new gTLD.

Join the CSO newsletter!

Error: Please check your email address.

Tags ICANNonline safetysecuritypki

More about Electronic Frontier FoundationICANNInternet Corporation for Assigned Names and Numbers

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place