Zombie linkages are keeping expired domains trusted for years

Domains expire, get transferred, and return to the market every day. The systems connected to those domains can continue trusting the original owner long after control has changed.


Researchers at USC and the University of Twente examined this problem in three widely used systems: Web PKI, Maven Central, and Ethereum Name Service. They use the term “zombie linkages” to describe lingering trust records that remain active after the original domain owner no longer controls the domain.

The problem creates security risks for browser infrastructure, software supply chains, and cryptocurrency naming systems because DNS names are increasingly used as proof of identity.

HTTPS certificates outlive domain ownership

Web PKI is the infrastructure browsers use to verify HTTPS websites. Certificate authorities issue TLS certificates that connect a domain name to a cryptographic key. Browsers rely on those certificates to confirm that a website belongs to the domain displayed in the address bar.

The researchers found that some certificates remain active after domains expire or change ownership.

More than 192,000 expired-domain certificates were still being served months after DNS name death. Another 7,300 certificates continued being served after the domain had been registered again by a new owner.

That creates a period where a new registrant controls the domain, and another party may still operate a server with a certificate browsers trust. An attacker who gains control of traffic to that server could potentially impersonate the domain using a still-valid certificate.

Roughly 3% of TLS certificates tied to newly registered domains remained linked to expired or transferred domains during the measurement period. Only 4.3% of zombie certificates were revoked before expiration.

Certificate expiration acts as the main limit on how long those records remain usable. Most certificates stayed valid until they expired naturally.

Expired domains can leave Maven namespaces active

The same persistence problem appears in software repositories.

Maven Central is one of the primary repositories for Java software packages. Enterprise applications and developer tools automatically download libraries and updates from it during software builds. The repository organizes software packages using names linked to internet domains.

The researchers identified 31,853 Maven Central namespaces in their dataset. Of those, 4,842, or 15.2%, were tied to expired or transferred domains.

Publishing activity continued in hundreds of those namespaces after the original ownership period had ended. Among 4,053 outdated namespaces with known start dates, 547 published new package versions after the domains lost their original owners.

They also found that 214 namespaces continued publishing packages after the domain had been registered again by another owner.

That creates a possible route for supply-chain compromise. Applications that automatically download updates from affected namespaces could receive packages published after domain ownership changed.

Maven Central package versions are immutable once published. A namespace and its package history can remain active indefinitely even after the original domain ownership period ends.

ENS mappings remain active for years

Cryptocurrency naming systems show the same pattern. Ethereum Name Service, or ENS, connects readable names to cryptocurrency wallet addresses. The system gives blockchain users domain-like names tied to crypto accounts.

The researchers examined two ENS approaches.

ENS On-chain validates domain ownership once and stores the mapping on Ethereum. Those records remain active until manually replaced. The researchers found that 425 of 1,882 active ENS On-chain linkages, or 23.8%, were outdated.

They also found that none of the outdated ENS On-chain linkages had ever been reclaimed. The median outdated ENS On-chain linkage was 1.9 years old.

There is currently no practical mechanism to revoke those mappings automatically. A new domain owner must repeat the linkage process to replace the old record.

That leaves ENS On-chain exposed to domain reuse problems. An outdated ENS mapping can remain active indefinitely even after a domain changes ownership and is registered again by another party. Users relying on the old mapping could potentially send cryptocurrency payments to the wrong wallet address.
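The three systems above share one pattern: a trust record is created while one party holds the domain and stays usable after that registration lapses. As an added example (not code from the researchers or from any of the three systems), the following audit routine applies that definition to a record's establishment date and a domain's registration history, treating TLS certificates, Maven namespaces and ENS On-chain mappings alike; the data classes, domain histories and dates are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class OwnershipPeriod:
    registrant: str
    start: date
    end: date | None           # None: still registered to this party

@dataclass(frozen=True)
class Linkage:
    label: str                 # hypothetical record id used in the audit output
    established: date          # cert notBefore, namespace verification, or ENS link date
    expires: date | None       # None: no built-in expiry (Maven namespace, ENS On-chain)

def classify(link: Linkage, history: list[OwnershipPeriod], today: date) -> str:
    # Label one trust record against the domain's registration history.
    if link.expires is not None and link.expires <= today:
        return "ended"                      # the record expired on its own
    origin = next((p for p in history if p.start <= link.established
                   and (p.end is None or link.established < p.end)), None)
    if origin is None:
        return "unverifiable"               # no registration covered the establishment date
    if origin.end is None or today < origin.end:
        return "current"                    # the creating registrant still holds the domain
    # The creating registration lapsed but the record is still usable: a zombie linkage.
    reregistered = any(origin.end <= p.start <= today and p.registrant != origin.registrant
                       for p in history)
    return "zombie-reregistered" if reregistered else "zombie-expired"

def zombie_share(statuses: list[str]) -> float:
    # Fraction of still-usable records that outlived the registration that created them.
    live = [s for s in statuses if s != "ended"]
    return sum(s.startswith("zombie") for s in live) / len(live) if live else 0.0

# Constructed sample: a domain held by "acme-inc", dropped, then re-registered by "new-holdings".
HISTORY = [OwnershipPeriod("acme-inc", date(2019, 1, 1), date(2023, 6, 30)),
           OwnershipPeriod("new-holdings", date(2023, 9, 15), None)]
DEAD_HISTORY = [OwnershipPeriod("old-co", date(2018, 1, 1), date(2022, 12, 31))]  # never re-registered
TODAY = date(2024, 3, 1)
SAMPLE_LINKAGES = [
    Linkage("tls-cert-old", date(2023, 3, 1), date(2024, 6, 1)),     # issued to acme, still valid
    Linkage("tls-cert-lapsed", date(2022, 3, 1), date(2023, 3, 1)),  # ran out before the audit
    Linkage("maven-ns", date(2021, 5, 10), None),                    # verified by acme, never expires
    Linkage("ens-onchain-new", date(2023, 10, 1), None),             # linked by the new registrant
]
ORPHAN = Linkage("maven-ns-orphan", date(2022, 1, 1), None)          # creator's domain simply died
```

Running `classify` over each record and `zombie_share` over the results reproduces the kind of ratio the study reports per system; a defender would feed it real certificate inventories, namespace verification dates and WHOIS or RDAP history instead of the constructed sample.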
