The Certificate Authority practice of issuing “Internal Name” certificates for private domains which are currently non-resolvable by the Domain Name System could be misused by attackers once new generic top-level domains (gTLDs) are introduced this year, warns the ICANN Security and Stability Advisory Committee (SSAC).
“An internal name is a domain or Internet Protocol (IP) address that is part of a private network. These internal names are not allocated to any specific organization and therefore cannot be verified,” explains the Committee.
The problem is that some of these domains might, in the near or more distant future, be used as new gTLDs, and any internal name certificate issued for a private domain that coincides with that of a gTLD can be exploited by attackers to set up a bogus website, redirect users from the legitimate one to that, and convince them that the bogus site is actually the legitimate one as the certificate will equip with the Transport Layer Security/SSL (TLS/SSL) lock icon.
For example, an SSL certificate issued to clothing retailer Quicksilver for its Australian website is also valid for a number of private domains including qsauhub01.sea.quiksilver.corp and autodiscover.sea.quiksilver.corp. At the same time, the .corp domain extension will soon likely become a new gTLD.
To prove a point, the Committee has tasked a researcher to apply for a internal name certificate for www.site with a CA. After confirming that it will be used for internal use only, the CA issued it, and the researcher verified that browsers recognize it.
“The practice for issuing internal name certificates allows a person, not related to an applied for TLD, to obtain a certificate for the TLD with little or no validation, and launch a man-in-the-middle attack more effectively,” they concluded.
They also noted that the CA/Browser Forum is aware of this issue and requests its members to stop the practice of issuing internal name certificates by October 2016. Unfortunately, as the appointment of new gTLDs is scheduled for this year, this would give attackers a 3-year window within which to misuse the practice.
The findings of this research have been shared with the CA/B Forum members, and a ballot calling for CAs to “stop issuing certificates that end in an applied-for-gTLD string within 30 days of ICANN signing the contract with the registry operator, and revoke any existing certificates within 120 days of ICANN signing the contract with the registry operator” has been open and ultimately passed, mitigating the threat considerably.