Cyber Security Institute

Monday, March 18, 2013

Internal-use SSL certificates pose security risk for upcoming domain extensions

The practice of issuing SSL certificates for internal names, that is, unqualified host names and names under extensions that are not delegated in the public DNS, could endanger the privacy and integrity of HTTPS communications for upcoming generic top-level domains (gTLDs), according to a security advisory from the Internet Corporation for Assigned Names and Numbers (ICANN). The advisory was finalized by ICANN’s Security and Stability Advisory Committee (SSAC) last week and warns that existing SSL certificates issued for non-public domain names, such as those used to identify servers inside private networks, could be used to hijack HTTPS traffic for real domain names once the new gTLDs become operational.

The Quiksilver certificate cited in the advisory is also valid for alternative, non-publicly-recognizable domain names such as qsauhub01, qsauhub01.sea.quiksilver.corp, qsauhub02, qsauhub02.sea.quiksilver.corp, and autodiscover.sea.quiksilver.corp. The .corp extension has been used on private corporate networks for a very long time, but it is currently under consideration for delegation as a new public gTLD.

“If an attacker obtains a certificate before the new TLD is delegated, he/she could surreptitiously redirect a user from the original site to the attacker site, present his certificate and the victim would get the Transport Layer Security/SSL (TLS/SSL) lock icon,” the SSAC said in the advisory.

In a test case, a researcher working with SSAC successfully applied for and obtained an internal-use certificate for the name www.site from a CA.

...The SSAC also searched SSL certificate data collected in 2010 by the Electronic Frontier Foundation’s SSL Observatory project and found 37,244 internal-name certificates issued by 157 CAs. The Observatory data is from 2010 and only covers certificates that were publicly reachable over IPv4 and, like the Quiksilver one, valid for both public and non-public domain names, it said.
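As an added example (this is not code from the Computerworld article, the SSAC advisory, or Quiksilver), the Go program below reproduces the kind of audit the SSAC ran over the Observatory data: it issues a self-signed certificate carrying the SAN names quoted above, parses it back the way a scanner would, and classifies each name by whether its rightmost label is a delegated TLD, an applied-for gTLD such as .corp or .site, or nothing public at all. The delegated and applied-for TLD sets are constructed stand-ins for the IANA root zone and the ICANN application list, and www.example.com stands in for the public name on the Quiksilver certificate, which the excerpt does not reproduce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"sort"
	"strings"
	"time"
)

// Verdict is the classification of one SAN dNSName entry.
type Verdict string

const (
	Public        Verdict = "public"      // rightmost label is a delegated TLD
	Unqualified   Verdict = "unqualified" // single label, no TLD at all
	Internal      Verdict = "internal"    // TLD is neither delegated nor applied for
	CollisionRisk Verdict = "collision"   // TLD not delegated yet, but applied for
)

// Constructed stand-ins for the IANA root zone and the ICANN new-gTLD
// application list; a real audit would load both from their published sources.
var delegatedTLDs = map[string]bool{"com": true, "net": true, "org": true}
var appliedForTLDs = map[string]bool{"corp": true, "site": true}

// Classify decides whether one SAN name is public, unqualified, internal, or
// internal but about to collide with an applied-for gTLD.
func Classify(name string, delegated, applied map[string]bool) Verdict {
	name = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
	labels := strings.Split(name, ".")
	if len(labels) < 2 {
		return Unqualified
	}
	tld := labels[len(labels)-1]
	switch {
	case delegated[tld]:
		return Public
	case applied[tld]:
		return CollisionRisk
	default:
		return Internal
	}
}

// MakeCert issues a self-signed certificate carrying the given SANs, standing
// in for the CA-issued Quiksilver certificate, and returns its DER encoding.
func MakeCert(sans []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// AuditCert parses a DER certificate and classifies every SAN dNSName on it.
func AuditCert(der []byte, delegated, applied map[string]bool) (map[string]Verdict, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	verdicts := make(map[string]Verdict, len(cert.DNSNames))
	for _, n := range cert.DNSNames {
		verdicts[n] = Classify(n, delegated, applied)
	}
	return verdicts, nil
}

// CollisionNames returns, sorted, the SANs that become hijackable once their
// TLD is delegated, which is the condition the SSAC advisory warns about.
func CollisionNames(verdicts map[string]Verdict) []string {
	var out []string
	for n, v := range verdicts {
		if v == CollisionRisk {
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// www.example.com is an assumed stand-in for the certificate's public name;
	// the remaining names are the ones the advisory cites.
	sans := []string{
		"www.example.com",
		"qsauhub01", "qsauhub01.sea.quiksilver.corp",
		"qsauhub02", "qsauhub02.sea.quiksilver.corp",
		"autodiscover.sea.quiksilver.corp",
		"www.site",
	}
	der, err := MakeCert(sans)
	if err != nil {
		log.Fatal(err)
	}
	verdicts, err := AuditCert(der, delegatedTLDs, appliedForTLDs)
	if err != nil {
		log.Fatal(err)
	}
	for _, n := range sans {
		fmt.Printf("%-34s %s\n", n, verdicts[n])
	}
	fmt.Println("will collide once delegated:", CollisionNames(verdicts))
}
```

Pointed at real certificates (decode the PEM and hand the DER to AuditCert) together with the current root zone and application lists, the same classification surfaces the "collision" entries while the TLD is still undelegated, which is exactly the window the advisory says an attacker can exploit.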

Link: http://www.computerworld.com/s/article/9237678/Internal_use_SSL_certificates_pose_security_risk_for_upcoming_domain_extensions?source=CTWNLE_nlt_pm_2013-03-18

Posted on 03/18 | Category: Warnings