Partner Article

SSL Certificate for Internal Domains

CAs issuing SSL certificates for internal domains put the security of forthcoming gTLDs at risk

The news that CAs have been issuing SSL certificates for internal domain names with unqualified extensions has caused alarm. According to a security advisory from ICANN (Internet Corporation for Assigned Names and Numbers), this may lead to a hazardous situation in which HTTPS communications for genuine forthcoming top-level domains are no longer secure.

ICANN (pronounced "eye-kan") is the non-profit private organization in charge of assigning unique identifiers and addresses, maintaining the Internet protocol registries, and managing the top-level domain name space.

Existing SSL certificates that have already been issued for private domain names (names used to identify internal servers) can be used as a weapon to hijack HTTPS traffic for fully qualified domain names, because the matching gTLDs (generic top-level domains) are about to come under someone else's control. That was the warning in the advisory concluded by ICANN and SSAC (Stability Advisory Committee) last week.

SSAC gave the example of an Australian clothing retailer, Quiksilver. The company purchased an SSL certificate from a CA for its mail server, "webmail.quiksilver.com.au", and the same certificate was also valid for several unqualified or internal names: qsauhub01, qsaauhub01.sea.quiksilver.corp, qsauhub02, qsauhub02.sea.quiksilver.corp and autodiscover.sea.quiksilver.corp.

The .corp (corporation) extension has long been used internally on private corporate networks, but it is now reserved for future use as a new gTLD. ICANN confirmed that six different organizations have currently applied to become .corp registries.

SSAC warned in the advisory that if a hijacker obtains such a certificate before the new TLD is delegated, he or she would be able to silently redirect a customer or user from the genuine site to a fraudulent one, complete with a valid certificate and the green padlock icon. SSAC also said that HTTPS and any other protocol that relies on X.509 certificates, for example email over SSL/TLS, are at significant risk.

In a trial, a researcher working with SSAC was able to obtain an internal-use certificate for www.site from a CA, even though .site has not yet been delegated as a gTLD but soon will be. Many .site registry applicants have proposed allowing pre-registration of domain names under this extension.

In that test case, the researcher deployed https://www.site with the newly issued certificate and confirmed that many browsers accepted the certificate as valid.

In a search of SSL certificate data collected by the Electronic Frontier Foundation's SSL Observatory project, SSAC found about 37,244 internal-name certificates issued by 157 CAs. Among those, 1,053 certificates were issued for names ending in one of 63 applied-for gTLDs.

SSAC stressed that the actual number of existing domain names conflicting with the forthcoming gTLDs will be much higher. The SSL Observatory data dates from 2010 and contains only publicly visible certificates on the IPv4 network, such as the Quiksilver certificate, which is valid for both public and private domain names. SSAC also stated that this methodology is not capable of uncovering internal certificates that are not associated with a public certificate.

The CA/Browser Forum (CA/B Forum) is an industry body of CAs and browser vendors that regularly publishes the guidelines and rules for issuing publicly trusted certificates. In July 2012 the CA/B Forum instructed its CA members not to issue any certificate for an internal server name with an expiry date beyond November 2015. From October 1 2016 all CAs are expected to have stopped issuing such certificates entirely.

"As ICANN is planning to consign new TLDs (top-level domain names) in the current year, it will become problematic as it will insert vulnerabilities for new gTLDs until October 2016", said SSAC.

ICANN raised the problem with the CA/B Forum and presented SSAC's advisory at the Forum's annual meeting in February. In response, the CA/B Forum passed a ballot requiring all CAs to stop issuing new certificates containing a gTLD within 30 days of that gTLD becoming operational. CAs will also have to revoke all existing certificates for domain names under a new gTLD within 120 days after ICANN publishes the contract for that gTLD on its website, unless the certificate owners have publicly registered their respective non-public domain names under the new gTLD.
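The Quiksilver certificate above and the CA/B Forum rules just described suggest a simple audit that an operator can run over their own certificate inventory: list every DNS name a certificate covers, flag the ones that are unqualified or sit under a TLD that is not delegated, and compute the deadlines the rules impose. The script below is an added example written for this article; it is not code from ICANN, SSAC, the EFF or the CA/B Forum. It parses a constructed excerpt in the shape of `openssl x509 -noout -text` output (using the names the advisory cites), and the `DELEGATED_TLDS` and `APPLIED_FOR_GTLDS` sets, the 1 November 2015 expiry boundary and the `audit_certificate` function are assumptions made for illustration; in practice the TLD lists would come from the IANA root zone database and ICANN's application list.

```python
import re
from datetime import date, datetime, timedelta

# Constructed excerpt mimicking `openssl x509 -noout -text` output. Not a real
# certificate; the names are the ones cited for the Quiksilver certificate.
SAMPLE_CERT_TEXT = """\
        Subject: CN=webmail.quiksilver.com.au
        Validity
            Not Before: Jan  1 00:00:00 2013 GMT
            Not After : Dec 31 23:59:59 2016 GMT
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:webmail.quiksilver.com.au, DNS:qsauhub01, DNS:qsaauhub01.sea.quiksilver.corp, DNS:qsauhub02, DNS:qsauhub02.sea.quiksilver.corp, DNS:autodiscover.sea.quiksilver.corp
"""

# Assumed, constructed lists (assumption): real data would be the IANA root zone
# for delegated TLDs and ICANN's new gTLD application list for applied-for strings.
DELEGATED_TLDS = {"com", "au", "net", "org"}
APPLIED_FOR_GTLDS = {"corp", "site", "home", "mail"}

# CA/B Forum rule from the article: internal-name certificates must not expire
# beyond November 2015. The exact boundary day is an assumption.
INTERNAL_NAME_EXPIRY_LIMIT = date(2015, 11, 1)
# Revocation grace period from the article: 120 days after the gTLD contract is published.
REVOCATION_GRACE_DAYS = 120


def parse_cert_text(text):
    """Pull the CN, Not After date and SAN DNS names out of openssl-style text."""
    cn = re.search(r"Subject:.*?CN=([^,\n]+)", text).group(1).strip()
    not_after_raw = re.search(r"Not After\s*:\s*(.+)", text).group(1).strip()
    not_after = datetime.strptime(not_after_raw.replace(" GMT", ""),
                                  "%b %d %H:%M:%S %Y").date()
    sans = re.findall(r"DNS:([^,\s]+)", text)
    # CN first, then SANs, without duplicates (dict keeps insertion order).
    names = list(dict.fromkeys([cn] + sans))
    return {"cn": cn, "not_after": not_after, "names": names}


def classify_name(name):
    """Classify a DNS name by what its rightmost label says about who controls it."""
    if "." not in name:
        return "unqualified"            # single label: only resolvable on a private network
    tld = name.rsplit(".", 1)[1].lower()
    if tld in DELEGATED_TLDS:
        return "public"                 # a name the owner can actually register
    if tld in APPLIED_FOR_GTLDS:
        return "applied-for-gtld"       # will collide once the gTLD is delegated
    return "non-public-tld"             # private suffix with no public delegation


def audit_certificate(text, contract_published=None):
    """Apply the article's rules to one certificate and return the findings.

    contract_published: the date ICANN published the contract for the colliding
    gTLD (assumed input); used to compute the 120-day revocation deadline.
    """
    cert = parse_cert_text(text)
    findings = {name: classify_name(name) for name in cert["names"]}
    internal = [n for n, kind in findings.items() if kind != "public"]
    result = {
        "cn": cert["cn"],
        "findings": findings,
        "internal_names": internal,
        # July 2012 rule: an internal-name certificate may not outlive the cut-off.
        "expiry_violation": bool(internal) and cert["not_after"] > INTERNAL_NAME_EXPIRY_LIMIT,
        "revoke_by": None,
    }
    if contract_published and "applied-for-gtld" in findings.values():
        result["revoke_by"] = contract_published + timedelta(days=REVOCATION_GRACE_DAYS)
    return result


if __name__ == "__main__":
    # Constructed contract date for the .corp example (assumption).
    report = audit_certificate(SAMPLE_CERT_TEXT, contract_published=date(2014, 1, 1))
    print(f"Certificate for CN={report['cn']}")
    for name, kind in report["findings"].items():
        print(f"  {name:40s} {kind}")
    print(f"Expiry violation: {report['expiry_violation']}")
    print(f"Revoke by: {report['revoke_by']}")
```

Run against a real inventory, the same loop would read each certificate's text from `openssl x509 -in cert.pem -noout -text` and replace the constructed TLD sets with the current IANA and ICANN lists; any name classified as `unqualified` or `applied-for-gtld` is one that should be removed from the certificate or have the name registered publicly before the deadline.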

This was posted in Bdaily's Members' News section by Abel Wike .
