Browse archive

Latest news

Fighting cybercrime is on the right track

Google set to upgrade its SSL certs

IT security pros have trouble communicating with executives

Zeus variants are back with a vengeance

Facebook phishers target Fan Pages owners

Killer apps: The performance of networked applications

Is it time to professionalize information security?

Google researcher reveals another Windows 0-day

Twitter finally offers 2-factor authentication

DHS employees' info possibly compromised due to system flaw

Teens are into online sharing, but are also more privacy-aware

The dangers of downloading software from unofficial sites

Microsoft decrypts Skype comms to detect malicious links

Review: Logging and Log Management

Hacking charge stations for electric cars

Internal name SSL certificates could be exploited for MitM atacks

Posted on 19 March 2013.

The Certificate Authority practice of issuing “Internal Name” certificates for private domains which are currently non-resolvable by the Domain Name System could be misused by attackers once new generic top-level domains (gTLDs) are introduced this year, warns the ICANN Security and Stability Advisory Committee (SSAC).

"An internal name is a domain or Internet Protocol (IP) address that is part of a private network. These internal names are not allocated to any specific organization and therefore cannot be verified," explains the Committee.

The problem is that some of these domains might, in the near or more distant future, be used as new gTLDs, and any internal name certificate issued for a private domain that coincides with that of a gTLD can be exploited by attackers to set up a bogus website, redirect users from the legitimate one to that, and convince them that the bogus site is actually the legitimate one as the certificate will equip with the Transport Layer Security/SSL (TLS/SSL) lock icon.

For example, an SSL certificate issued to clothing retailer Quicksilver for its Australian website is also valid for a number of private domains including qsauhub01.sea.quiksilver.corp and autodiscover.sea.quiksilver.corp. At the same time, the .corp domain extension will soon likely become a new gTLD.

To prove a point, the Committee has tasked a researcher to apply for a internal name certificate for www.site with a CA. After confirming that it will be used for internal use only, the CA issued it, and the researcher verified that browsers recognize it.

"The practice for issuing internal name certificates allows a person, not related to an applied for TLD, to obtain a certificate for the TLD with little or no validation, and launch a man-in-the-middle attack more effectively," they concluded.

They also noted that the CA/Browser Forum is aware of this issue and requests its members to stop the practice of issuing internal name certificates by October 2016. Unfortunately, as the appointment of new gTLDs is scheduled for this year, this would give attackers a 3-year window within which to misuse the practice.

The findings of this research have been shared with the CA/B Forum members, and a ballot calling for CAs to "stop issuing certificates that end in an applied-for-gTLD string within 30 days of ICANN signing the contract with the registry operator, and revoke any existing certificates within 120 days of ICANN signing the contract with the registry operator" has been open and ultimately passed, mitigating the threat considerably.