A group of certificate authorities and officials from PayPal are saying that plans to populate the internet with dozens of new top-level domain names (TLDs) next year could give criminals an easy way to bypass the encryption protections that safeguard company intranets and corporate email servers.
Officials are particularly alarmed by the introduction of domains with suffixes such as “.bank”, “.corp”, and “.ads”, because many medium and large businesses use those strings to name machines inside their networks. Should the names become available as TLDs that route traffic over the public Internet, private digital certificates that previously worked only on internal networks could potentially be used to unlock communications for a huge number of public addresses.
For instance, a secure sockets layer certificate that employees use to access a company’s intranet under a “.corp” name could be used to impersonate a public credential for a website such as Subway.corp or Audi.corp. An employee who uses a laptop at an Internet café or some other location outside the corporate network could also be tricked into divulging private information.
PayPal Information Risk Management officials Bill Smith and Brad Hill wrote a recently published letter to Stephen Crocker and Fadi Chehade, the chairman and chief executive, respectively, of the Internet Corporation for Assigned Names and Numbers (ICANN). In the letter, they stated that the potential for malicious abuse is “extraordinary, the incidental damage will be large even in absence of malicious intent,” and that the services will “become immediate targets of attack as they inadvertently collect high-value credentials and private data from potentially millions of systems.”
These security concerns are a response to ICANN’s plans to create a large variety of new TLDs by the end of this year, adding to currently available suffixes such as “.net”, “.com”, and “.biz”. VeriSign sharply criticized the plan last week, saying that the haste with which ICANN was rolling out the TLDs threatens the stability of the Internet address system.
ICANN’s Security and Stability Advisory Committee recently published a report supporting the security concerns voiced by the group of certificate authorities and by PayPal. The report cited data assembled three years ago by the Electronic Frontier Foundation’s SSL Observatory, which found a total of 1,053 certificates signed by recognized authorities whose names end in 63 strings that are candidates for becoming TLDs. The report said this could make it possible for “man-in-the-middle” attackers who control the connection between a website and its end users to spoof traffic in such a way that they completely bypass the encryption protections provided by SSL.
The number of “short name” certificates that could collide with the new domains is almost certainly much higher, the report went on to say. This is because the SSL Observatory only scanned for certificates that were publicly advertised on the web, leaving most private certificates unaccounted for. The SSL Observatory also likely doesn’t scan many ports used by email servers—another reason the figure is likely to understate the problem.
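The report's method, grouping certificate names by whether their rightmost label matches a candidate TLD string, is the same inventory check a defender can run over the names in their own certificates before those strings go live. The script below is an added example and is not code from the article, PayPal, ICANN, or the EFF; the candidate list uses the three strings the article names (“bank”, “corp”, “ads”) plus a constructed placeholder, the public-TLD list is a small demo set rather than a real public suffix list, and the sample names are constructed.

```python
"""Flag certificate names whose rightmost label collides with a candidate
new TLD string. Added illustration, not part of the article. The candidate
list, public-suffix list and sample names below are constructed for the demo."""

from collections import Counter

# Three strings the article names plus one constructed placeholder.
CANDIDATE_TLDS = {"bank", "corp", "ads", "example-candidate"}

# Demo-only set of public suffixes (a real check would use the public suffix list).
PUBLIC_TLDS = {"com", "net", "org", "biz"}

# Constructed sample: the kind of names found in subject/SAN fields of
# certificates issued for internal hosts, wildcards and public sites.
SAMPLE_NAMES = [
    "www.example.com", "mail.example.net",      # public
    "intranet.corp", "*.corp", "hr.corp",       # collide with ".corp"
    "wiki.example.bank",                        # collides with ".bank"
    "ads",                                      # bare label equal to a candidate
    "mail",                                     # bare label, no collision
    "printer.local", "fileserver.lan",          # internal, not candidates here
]


def rightmost_label(name: str) -> str:
    """Normalise a DNS name and return its last label (the whole name if unqualified)."""
    name = name.strip().lower().rstrip(".")
    return name.rsplit(".", 1)[-1]


def classify_name(name: str) -> str:
    """Return 'public', 'collision', 'internal' or 'unqualified' for one cert name."""
    label = rightmost_label(name)
    if "." not in name.strip().rstrip("."):
        # A single-label name only collides if it is itself a candidate TLD.
        return "collision" if label in CANDIDATE_TLDS else "unqualified"
    if label in PUBLIC_TLDS:
        return "public"
    if label in CANDIDATE_TLDS:
        return "collision"
    return "internal"  # e.g. ".local" or ".lan": private, but not a candidate string


def collision_report(names):
    """Count names per category and, for collisions, per candidate TLD string."""
    categories = Counter()
    by_tld = Counter()
    for name in names:
        category = classify_name(name)
        categories[category] += 1
        if category == "collision":
            by_tld[rightmost_label(name)] += 1
    return categories, by_tld


if __name__ == "__main__":
    categories, by_tld = collision_report(SAMPLE_NAMES)
    for category, count in sorted(categories.items()):
        print(f"{category:12s} {count}")
    for tld, count in by_tld.most_common():
        print(f"  collides with .{tld}: {count}")
```

Running it over the constructed sample reports five colliding names (three under “.corp”, one under “.bank”, and the bare “ads”), which is the population a defender would want to reissue under a suffix they actually control before the matching TLD is delegated.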