The Internet Corporation for Assigned Names and Numbers (ICANN) is readying the release of thousands of new generic top-level domains (gTLDs). Approved domains could become available as soon as April 23. Therein lies an underlying cause of potential problems, according to DigiCert associate general counsel Jeremy Rowley.
"ICANN is moving a little too fast with these new gTLDs without really giving people time to get ready," Rowley said in an interview.
Rowley is a member of the CA Security Council (CASC) alongside executives from Symantec, Comodo, Entrust, GMO GlobalSign, Trend Micro and Go Daddy. While some Internet stakeholders have focused on marketing, brand and legal issues with the new domain names, CASC is raising its red flags about the common use of "internal names" by businesses when setting up and managing their private networks. These are, in effect, private domain names such as .mail or .corp that aren't currently resolvable using the public domain name system (DNS) -- but could soon be.
When that happens, digital certificate owners and Web server operators could face security problems and other headaches. CAs currently issue digital certificates for these internal domains. But if those same names become available as public gTLDs, the bad guys could get digital certificates for those domains for the purposes of running man-in-the-middle attacks and other security threats.
"Say .corp gets [released as a gTLD] -- a bad guy could go and get the certificate and then use it for an attack against the new gTLD after it becomes operational," Rowley said. While CAs are preparing for such scenarios, the risks still loom.
Beyond the digital certificate issue is a similar set of challenges for Web server operators at large. When their internal names such as .mail or .corp become part of the public Internet, costly networking conflicts and security holes could arise. As once-private domains get public counterparts, email clients, filesharing applications and other services will, to put it plainly, become confused. The only real solution is for administrators to essentially re-architect their networks, a process that could take some organizations several years because of budget, staffing and technical know-how.
"You're asking Web server operators to go in and reconfigure the servers, sometimes buy new hardware, hire brand-new staff and things like that in a very short timeframe," Rowley said.
While once considered a security and networking best practice, the use of internal names such as .corp is set to be wound down over the next several years. The CA/Browser Forum has published guidelines for deprecating internal server names by 2016, and trusted CAs will stop issuing certificates for internal names altogether as of November 2015. Current CAB Forum guidelines will also require CAs to stop issuing certificates for internal names within 100 days of being delegated as a new gTLD. That still leaves a considerable gap between the pending release of thousands of new gTLDs and the planned phase-out of internal names.
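The issuance rules quoted above translate into a concrete inventory check: for every certificate a CA has issued (or an enterprise holds) that contains an internal name, work out the date after which that name could no longer have been issued, and whether the name now collides with a delegated gTLD. The Python script below is an added example written for this article, not code from DigiCert, CASC or the CA/Browser Forum. It takes the deadlines from the text (with 1 November 2015 assumed as the exact day of the November cutoff), uses constructed delegation dates and a constructed certificate inventory, and simplifies name classification by treating any name that does not end in a legacy public TLD as an internal name.

```python
from datetime import date, timedelta

# Deadlines taken from the article: trusted CAs stop issuing certificates for
# internal names "as of November 2015" (the 1st of the month is assumed here)
# and must stop "within 100 days" of a matching gTLD being delegated.
INTERNAL_NAME_CUTOFF = date(2015, 11, 1)
DAYS_AFTER_DELEGATION = 100

# Constructed set of legacy public TLDs; a real audit would load the IANA root zone.
LEGACY_PUBLIC_TLDS = {"com", "net", "org", "edu"}

# Hypothetical delegation dates for new gTLDs (constructed for this example).
DELEGATED_GTLDS = {"mail": date(2013, 6, 1), "corp": date(2013, 7, 15)}


def tld_of(name):
    """Last DNS label of a name; a single-label name is its own TLD."""
    return name.lower().rstrip(".").rsplit(".", 1)[-1]


def is_internal_name(name):
    """An internal name is one that does not end in a legacy public TLD
    (single labels such as 'fileserver' included)."""
    return tld_of(name) not in LEGACY_PUBLIC_TLDS


def issuance_cutoff(tld):
    """Date after which a CA may no longer issue a certificate for this internal TLD:
    the global November 2015 cutoff, or 100 days after delegation if that is earlier."""
    cutoff = INTERNAL_NAME_CUTOFF
    if tld in DELEGATED_GTLDS:
        cutoff = min(cutoff, DELEGATED_GTLDS[tld] + timedelta(days=DAYS_AFTER_DELEGATION))
    return cutoff


def audit_certificates(certs):
    """Return one finding per internal name found in a certificate's SAN list."""
    findings = []
    for cert in certs:
        for name in cert["sans"]:
            if not is_internal_name(name):
                continue
            tld = tld_of(name)
            cutoff = issuance_cutoff(tld)
            findings.append({
                "subject": cert["subject"],
                "name": name,
                "tld": tld,
                "collides_with_gtld": tld in DELEGATED_GTLDS,
                "issuance_cutoff": cutoff.isoformat(),
                # A certificate whose validity starts after the cutoff should not exist.
                "issued_after_cutoff": cert["not_before"] > cutoff,
            })
    return findings


# Constructed sample inventory, as might be exported from a CA account or internal PKI.
SAMPLE_CERTS = [
    {"subject": "mail.corp", "sans": ["mail.corp", "mail.example.com"], "not_before": date(2013, 12, 1)},
    {"subject": "intranet.example.com", "sans": ["intranet.example.com"], "not_before": date(2013, 1, 1)},
    {"subject": "fileserver", "sans": ["fileserver", "fileserver.local"], "not_before": date(2013, 3, 1)},
]

if __name__ == "__main__":
    for f in audit_certificates(SAMPLE_CERTS):
        flag = "COLLIDES" if f["collides_with_gtld"] else "internal"
        print(f"{f['subject']:<22} {f['name']:<22} {flag:<9} issuance cutoff {f['issuance_cutoff']}"
              + ("  ISSUED AFTER CUTOFF" if f["issued_after_cutoff"] else ""))
```

In the sample data the certificate for mail.corp was issued in December 2013, after the hypothetical .corp delegation plus 100 days, so it is reported as a policy violation; fileserver.local is still an internal name but, with .local not delegated in the example, keeps the November 2015 cutoff.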
While ICANN itself has acknowledged the issue, CASC and others say the organization hasn't addressed the full scope of the potential problems. ICANN did not respond to emailed requests for comment.
PayPal recently sent ICANN a public letter expressing similar unease with the release of new gTLDs. Verisign has also published a letter and report on its own risk findings. PayPal noted that while the use of internal domain names may have been misguided in hindsight, it has been a widespread practice for two decades, often at the recommendation of hardware and software vendors. Moreover, abandoning the use of internal names can, as DigiCert's Rowley pointed out, be an arduous task. "For example, re-naming a Microsoft Active Directory Forest is often operationally impossible," the letter reads.
The PayPal letter continued by outlining the potential networking conflicts and ensuing fallout: "Consider a typical enterprise laptop configured to look for network services ending in .corp. What happens when that system roams to a public network, such as the user's home or a public Wi-Fi hotspot?" PayPal's answer: Dozens of services will start hemorrhaging sensitive corporate and personal data, such as usernames and passwords, network authentication credentials, and other information, if and when .corp and other internal names are released as gTLDs on the Internet.
"The potential for malicious abuse is extraordinary, the incidental damage will be large even in the absence of malicious intent, and such services will become immediate targets of attack as they inadvertently collect high-value credentials and private data from potentially millions of systems," PayPal said.
According to DigiCert's Rowley, the bulk of the potential problems would be mitigated if ICANN postponed the release of four new gTLDs: .ads, .bank, .corp and .mail. That would wipe out 90% of the potential problems in CASC's analysis; the other 10% are easily remediated, in the group's view.
PayPal's list, on the other hand, includes the top 10 current invalid domain queries, such as "local," "localhost" and "home," and focuses on the broader set of networking risks beyond digital certificates. Rowley concurred that those networking challenges will likely be the real burden as new gTLDs start rolling off the assembly line.
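The roaming-laptop scenario PayPal describes, and the "invalid domain queries" list it draws on, are both visible in resolver logs well before any string is delegated: every query for a name under .corp, .local or .home that reaches a resolver serving non-corporate networks is traffic that would start resolving against someone else's server once that string went live. The script below is an added example for this article, not tooling from PayPal, Verisign or CASC; the log format, the public-TLD set and the log lines are constructed, and the list of applied-for strings is the four that CASC's analysis names. It ranks the non-public TLDs by query volume, records which clients are leaking them, and picks out the ones that match an applied-for gTLD.

```python
import re
from collections import Counter, defaultdict

# Constructed set of legacy public TLDs; a real tool would load the IANA root zone list.
PUBLIC_TLDS = {"com", "net", "org", "edu", "gov"}

# The four strings CASC's analysis singles out, as named in the article.
APPLIED_GTLDS = {"ads", "bank", "corp", "mail"}

# Constructed resolver log excerpt. The line format is assumed for this example:
# "<timestamp> client <ip> query: <qname> <qtype>".
SAMPLE_LOG = """\
2013-04-01T09:12:01 client 10.8.0.12 query: ldap.corp A
2013-04-01T09:12:01 client 10.8.0.12 query: fileserver.corp A
2013-04-01T09:12:03 client 10.8.0.12 query: www.example.com A
2013-04-01T09:12:05 client 10.8.0.44 query: mail.corp SRV
2013-04-01T09:13:10 client 10.8.0.44 query: printer.local A
2013-04-01T09:13:11 client 10.8.0.51 query: intranet.home A
2013-04-01T09:13:12 client 10.8.0.51 query: localhost A
2013-04-01T09:14:00 client 10.8.0.12 query: _ldap._tcp.dc._msdcs.corp SRV
2013-04-01T09:14:02 client 10.8.0.77 query: cdn.example.net AAAA
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client (?P<ip>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def tld_of(qname):
    """Last label of a query name; a single label such as 'localhost' is its own TLD."""
    return qname.lower().rstrip(".").rsplit(".", 1)[-1]


def leaked_queries(log_text):
    """Count queries whose TLD is not publicly delegated and record which clients sent them.

    Each such query is one that would begin resolving against a stranger's
    server if the string were delegated as a gTLD."""
    counts = Counter()
    clients = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tld = tld_of(rec["qname"])
        if tld in PUBLIC_TLDS:
            continue
        counts[tld] += 1
        clients[tld].add(rec["ip"])
    return counts, clients


def top_invalid_tlds(log_text, n=10):
    """Rank non-public TLDs by query volume, in the spirit of PayPal's
    'top 10 invalid domain queries' list (ties broken alphabetically)."""
    counts, _ = leaked_queries(log_text)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def colliding_tlds(log_text):
    """Non-public TLDs seen in the log that match an applied-for gTLD string."""
    counts, _ = leaked_queries(log_text)
    return sorted(t for t in counts if t in APPLIED_GTLDS)


if __name__ == "__main__":
    counts, clients = leaked_queries(SAMPLE_LOG)
    for tld, n in top_invalid_tlds(SAMPLE_LOG):
        mark = "  <- applied-for gTLD" if tld in APPLIED_GTLDS else ""
        print(f".{tld:<10} {n:>3} queries from {len(clients[tld])} client(s){mark}")
```

Run against a real resolver's query log, the per-TLD client sets are the list of machines whose search suffixes or service records still point at an internal name, which is the starting inventory for the re-architecture work Rowley describes; the Active Directory-style SRV query in the sample is the kind of lookup that carries authentication traffic with it.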
"CAs can take care of the certificate problem, and I think we have done so and done so quickly in a way that mitigates the problem," Rowley said. "What we can't take care of is getting the people with these networks to change in what amounts to overnight for them."
The question then is: Who will take care of it? In its report's conclusions, Verisign warned in no uncertain terms against moving forward on blind faith: "Addressing these issues doesn't simply mean publishing a specification and expecting the community to have immediately implemented it and be capable of responding to all operational and security corner cases conveyed therein."