Browse archive

Latest news

Experts highlight top data breach vulnerabilities

NYPD detective accused of hiring email hackers

Why BYOx is the next big concern of CISOs

Free tool repairs critical Windows configuration vulnerabilities

IT pros focus on cloud security, not hype

Blue Coat to acquire Solera Networks

APT1 is back, attacks many of the initial U.S. corporate targets

Aurora attackers were looking for Google's surveillance database

U.S. DOJ accuses journalist of espionage

A closer look at Mega cloud storage

CISOs need to engage with the board

Find TrueCrypt and BitLocker encrypted containers and images

The CSO perspective on healthcare security and compliance

Hacking charge stations for electric cars

Internal name SSL certificates could be exploited for MitM atacks

Posted on 19 March 2013.

The Certificate Authority practice of issuing “Internal Name” certificates for private domains which are currently non-resolvable by the Domain Name System could be misused by attackers once new generic top-level domains (gTLDs) are introduced this year, warns the ICANN Security and Stability Advisory Committee (SSAC).

"An internal name is a domain or Internet Protocol (IP) address that is part of a private network. These internal names are not allocated to any specific organization and therefore cannot be verified," explains the Committee.

The problem is that some of these domains might, in the near or more distant future, be used as new gTLDs, and any internal name certificate issued for a private domain that coincides with that of a gTLD can be exploited by attackers to set up a bogus website, redirect users from the legitimate one to that, and convince them that the bogus site is actually the legitimate one as the certificate will equip with the Transport Layer Security/SSL (TLS/SSL) lock icon.

For example, an SSL certificate issued to clothing retailer Quicksilver for its Australian website is also valid for a number of private domains including qsauhub01.sea.quiksilver.corp and autodiscover.sea.quiksilver.corp. At the same time, the .corp domain extension will soon likely become a new gTLD.

To prove a point, the Committee has tasked a researcher to apply for a internal name certificate for www.site with a CA. After confirming that it will be used for internal use only, the CA issued it, and the researcher verified that browsers recognize it.

"The practice for issuing internal name certificates allows a person, not related to an applied for TLD, to obtain a certificate for the TLD with little or no validation, and launch a man-in-the-middle attack more effectively," they concluded.

They also noted that the CA/Browser Forum is aware of this issue and requests its members to stop the practice of issuing internal name certificates by October 2016. Unfortunately, as the appointment of new gTLDs is scheduled for this year, this would give attackers a 3-year window within which to misuse the practice.

The findings of this research have been shared with the CA/B Forum members, and a ballot calling for CAs to "stop issuing certificates that end in an applied-for-gTLD string within 30 days of ICANN signing the contract with the registry operator, and revoke any existing certificates within 120 days of ICANN signing the contract with the registry operator" has been open and ultimately passed, mitigating the threat considerably.