Plans to populate the Internet with dozens of new top-level domains in the next year could give criminals an easy way to bypass encryption protections safeguarding corporate e-mail servers and company intranets, officials from PayPal and a group of certificate authorities are warning.
The introduction of Internet addresses with suffixes such as “.corp”, “.bank”, and “.ads” is particularly alarming to these officials because many large and medium-sized businesses use those strings to name machines inside their networks. If the names become available as top-level domains to route traffic over the Internet, private digital certificates that previously worked only over internal networks could potentially be used as a sort of skeleton key that would unlock communications for huge numbers of public addresses.
A secure sockets layer certificate used by employees to access a company intranet designated as “.corp”, for instance, might be able to spoof a public credential for the website McDonalds.corp or Ford.corp. Employee laptops that are used at an Internet cafe or other location outside of a corporate network might also be tricked into divulging private information.
“If the appropriate service endpoints are available, these clients will next begin to dump confidential data and potentially pull incorrect information and apply damaging state changes,” PayPal Information Risk Management officials Brad Hill and Bill Smith wrote in a recently published letter to Fadi Chehade and Stephen D. Crocker, the chief executive and chairman respectively of the Internet Corporation for Assigned Names and Numbers (ICANN). “The potential for malicious abuse is extraordinary, the incidental damage will be large even in the absence of malicious intent, and such services will become immediate targets of attack as they inadvertently collect high-value credentials and private data from potentially millions of systems.”
The security concerns come in response to ICANN’s plans to create a variety of new top-level domains by the end of this year to bolster currently available suffixes such as “.com”, “.net”, and “.biz”. Last week, VeriSign also sharply criticized the plan, saying the speed at which ICANN was moving threatened the stability of the Internet address system.
A report recently published by ICANN’s Security and Stability Advisory Committee provides support for the security concerns, which in addition to PayPal are being voiced by members of a group of certificate authorities. Citing data assembled three years ago by the Electronic Frontier Foundation’s SSL Observatory, the report said there were 1,053 certificates signed by recognized authorities that end in 63 strings which are candidates to become top-level domains. Such a scenario might make it possible for “man-in-the-middle” attackers, who control a connection between a website and end users, to spoof traffic in a way that would completely bypass encryption protections provided by SSL.
“If an attacker obtains a certificate before the new TLD is delegated, he/she could surreptitiously redirect a user from the original site to the attacker site, present his certificate, and the victim would get the Transport Layer Security/SSL (TLS/SSL) lock icon,” the ICANN report stated. “This poses a significant risk to the privacy and integrity of HTTPS communications as well as other protocols that use X.509 certificates (e.g. TLS/SSL-based e-mail communication).”
The report went on to say that the number of “short name” certificates that could collide with the new domains is almost certainly much higher. That’s because the SSL Observatory only scanned for certificates publicly advertised on the Internet. That leaves most private certificates unaccounted for. Another reason the SSL Observatory is likely understating the problem is that it probably doesn’t scan many ports used by e-mail servers.
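An organization can run the same kind of count against its own certificate inventory, including the private certificates a public scan never sees. The following Python is an added example, not code from the article, ICANN or the EFF; the TLD sets contain only the strings named in the article, and the inventory, certificate labels and host names are constructed for illustration.

```python
# Added example: classify certificate DNS names against applied-for TLD strings.
# A real audit would load ICANN's full applied-for list and the current root
# zone instead of the handful of strings the article mentions.

CANDIDATE_TLDS = {"corp", "bank", "ads"}   # applied-for strings named in the article
DELEGATED_TLDS = {"com", "net", "biz"}     # existing suffixes named in the article


def classify(name: str) -> str:
    """Return 'short-name', 'collision', 'public' or 'private-other'."""
    # DNS names are case-insensitive; drop a trailing root dot and a wildcard label.
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    labels = [label for label in host.split(".") if label]
    if not labels:
        raise ValueError(f"empty DNS name: {name!r}")
    if len(labels) == 1:
        return "short-name"        # unqualified host name such as 'intranet'
    suffix = labels[-1]
    if suffix in CANDIDATE_TLDS:
        return "collision"         # would become a public name once delegated
    if suffix in DELEGATED_TLDS:
        return "public"
    return "private-other"         # internal suffix not on either list


def audit(inventory: dict[str, list[str]]) -> dict[str, set[str]]:
    """Map each certificate to its non-public name classes; omit clean ones."""
    flagged = {}
    for cert_id, names in inventory.items():
        classes = {classify(n) for n in names} - {"public"}
        if classes:
            flagged[cert_id] = classes
    return flagged


# Constructed inventory: certificate label -> subject CN plus subjectAltName entries.
SAMPLE = {
    "intranet": ["intranet.example.corp", "intranet"],
    "webmail": ["*.mail.example.com"],
    "payments": ["Pay.Example.BANK."],
    "lab": ["build01.lab.internal"],
}

if __name__ == "__main__":
    for cert_id, classes in sorted(audit(SAMPLE).items()):
        print(cert_id, sorted(classes))
```

Certificates flagged as `collision` or `short-name` are the ones to reissue under a registered, fully qualified domain before the corresponding string is delegated.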
ICANN officials didn’t respond to an e-mail seeking comment for this article.
Full Story: Possible security disasters loom with rollout of new top-level domains | Ars Technica.