03/18/2013

how your internal intranetname can arrive on the internet

As discussed in an advisory (PDF) issued by the Internet Corporation for Assigned Names and Numbers' (ICANN) Security and Stability Advisory Committee (SSAC) on Friday, a common practice by certificate authorities (CAs) is to issue digital certificates, even when the organisation requesting them provides a non-fully qualified domain name.

 

These "internal name" certificates are meant to be used for domains on private networks, such as server1.company.corp, that were never intended to be public facing. While this affords companies a convenient way to securely reference servers within their network, the internal name of their domains can potentially collide with gTLDs that either already exist or are being applied for.

 

This theoretically affords an attacker the ability to apply for a site certificate for a gTLD before it is approved, then once the target gTLD passes approval, the attacker has a signed certificate that can be used to conduct man-in-the-middle attacks.

 

"If an attacker obtains a certificate before the new TLD is delegated, he/she could surreptitiously redirect a user from the original site to the attacker site, present his certificate, and the victim would get the Transport Layer Security/SSL (TLS/SSL) lock icon," the advisory read.

 

Testing the theory, a SSAC researcher applied for an internal name certificate for www.site, and although the CA asked the requester to confirm it was for internal use only, approved its issuance. Armed with a certificate, the researcher then set up www.site, and found that several modern browsers recognised the certificate as though it had been issued for the gTLD and not an internal server.

 

The problem is not confined to new domains, and is potentially already a problem. As part of its research, SSAC noted that as well as listing valid entries for its business, Australian clothing retailer Quiksilver's certificate lists internal names ending in .corp — a gTLD that has recently been applied for.
http://www.zdnet.com/slow-clap-internal-certificates-can-...

this means that you will have to look here if the domainnaam you use is for your intranet is on the list of all the new domains (and for ssl providers some will have to update the list of acceptable domainnames for internal networks) and plan the change (because in bigger networks this may become a problem)

If some firms have taken the samen domainextensions for their internal networks as they have asked for public use with Icann, they will have to think so that it is would not be possible to huppeldepup from a website to an internal domain

https://gtldresult.icann.org/application-result/applicati...

Permalink | |  Print |  Facebook | | | | Pin it! |

The comments are closed.